September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
15.13. Creating a Quota
Tip
This recipe requires a Windows Server 2003 domain controller.
Problem
You want to limit the number of objects a security principal can create in a partition by creating a quota.
Solution
Using a command-line interface
> dsadd quota -part <PartitionDN> -qlimit <QuotaLimit> -acct <PrincipalName>[RETURN] [-rdn <QuotaName>]
The following command creates a quota specification that allows the
RALLENCORP\rallen user to create only
5 objects in the dc=rallencorp,dc=com partition:
> dsadd quota -part dc=rallencorp,dc=com -qlimit 5 -acct RALLENCORP\rallen
Discussion
Quotas are a new feature in Windows Server 2003 that allow an administrator to limit the number of objects that a user (or group of users) can create. This is similar in nature to the quota for creating computer objects found in Windows 2000 (see Recipe 8.9 for more details), except the quotas in Windows Server 2003 apply to the creation of all object types.
There are three things that need to be set when creating a quota specification, including:
- Partition
Currently, quotas can apply only to an entire partition. You cannot create a quota that pertains only to a subtree in a partition. You can create quotas for any partition, including application partitions, except for the schema-naming context. The reasoning behind this restriction is that the schema is a highly protected area of the directory and you shouldn’t need to restrict how many objects get created there.
- Target security principal
A quota can be defined ...