15.13. Creating a Quota

Tip

This recipe requires a Windows Server 2003 domain controller.

Problem

You want to limit the number of objects a security principal can create in a partition by creating a quota.

Solution

Using a command-line interface

> dsadd quota -part <PartitionDN> -qlimit <QuotaLimit> -acct <PrincipalName>[RETURN]
  [-rdn <QuotaName>]

The following command creates a quota specification that allows the RALLENCORP\rallen user to create only 5 objects in the dc=rallencorp,dc=com partition:

> dsadd quota -part dc=rallencorp,dc=com -qlimit 5 -acct RALLENCORP\rallen
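
To confirm the quota once it exists, the companion ds tools can read it back. The following is an added example, not part of the original recipe; the user DN cn=rallen,cn=users,dc=rallencorp,dc=com is assumed for illustration.

```bat
rem Added example: verify the quota created by the dsadd command above.
rem Assumption: the rallen account lives at cn=rallen,cn=users,dc=rallencorp,dc=com.

rem 1. Find the quota specification(s) in the domain partition that name
rem    RALLENCORP\rallen as the trustee. Output is one quota object DN per line.
dsquery quota domainroot -acct RALLENCORP\rallen

rem 2. Pipe those DNs to dsget to display each quota object's DN,
rem    the account it applies to, and the limit stored on it.
dsquery quota domainroot -acct RALLENCORP\rallen | dsget quota -dn -acct -qlimit

rem 3. Ask for the user's effective limit and current usage in the partition.
rem    -qlimit here is the effective value for the user, which also reflects
rem    quotas assigned to groups the user belongs to, so it can be higher
rem    than the 5 set on the individual quota object.
dsget user "cn=rallen,cn=users,dc=rallencorp,dc=com" -part dc=rallencorp,dc=com -qlimit -qused
```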

Discussion

Quotas are a new feature in Windows Server 2003 that allows an administrator to limit the number of objects that a user (or group of users) can create. This is similar in nature to the quota for creating computer objects found in Windows 2000 (see Recipe 8.9 for more details), except the quotas in Windows Server 2003 apply to the creation of all object types.

Three things need to be set when creating a quota specification:

Partition

Currently, quotas can apply only to an entire partition. You cannot create a quota that pertains only to a subtree in a partition. You can create quotas for any partition, including application partitions, except for the schema-naming context. The reasoning behind this restriction is that the schema is a highly protected area of the directory and you shouldn’t need to restrict how many objects get created there.

Target security principal

A quota can be defined ...
