The ACL model in Active Directory (AD) is flexible and granular. However, there's one restriction that Windows 2000 AD ACLs can't enforce: limiting the number of objects created in a partition. You can, of course, restrict who can create objects in a container, but after you give a user the ability to create objects (e.g., by using the Create All Child Objects right), that user can create as many objects as he or she wants. A malicious user who has the rights to create objects in a domain could fill up a domain controller's (DC's) hard disk simply by creating a lot of objects.
AD Quotas
Windows Server 2003 has a new AD quotas feature that lets you monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature is similar to the built-in quota that Win2K and later versions assign to authenticated users for creating computer objects except that the new Windows 2003 quotas apply to all object types. For example, the new computer account quota limits users to creating no more than 10 computer objects (i.e., accounts) in a domain.
Quota objects are stored in the NTDS Quotas container in all Windows 2003-based partitions (including application partitions), except the Schema partition. Quotas can't be associated with the Schema partition because adding to the schema is a highly restricted operation that only members of the Schema Admins group can do. By default, tools such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in hide the NTDS Quotas container from view, but you can see the container by selecting View, Advanced Features from the snap-in's menu. The NTDS Quotas container has an object class of msDS-QuotaContainer that has several attributes that define default quota behavior. Table 1 lists some of the important attributes of msDS-QuotaContainer objects. Quota objects have an object class of msDS-QuotaControl. Table 2 lists the most interesting quota object attributes.
Adding Quotas
Unfortunately, you can't use the Active Directory Users and Computers snap-in or any of the other AD MMC snap-ins to create quotas. The only tools Microsoft provides for creating and managing quotas are the Directory Service (DS) utilities, including Dsadd, Dsmod, and Dsquery. To use Dsadd to create a quota for a specific partition, you need to specify values for the attributes that Table 2 lists.
Here's the generic command for creating a quota. Note that the last line (in brackets) is optional.
dsadd quota
-part <PartitionDN>
-qlimit <QuotaLimit>
-acct <PrincipalName>
[-rdn <QuotaName>]
The following command creates a quota that lets user cn=rallen create only five objects in the dc=rallencorp,dc=com partition.
dsadd quota
-part dc=rallencorp,dc=com
-qlimit 5
-acct cn=rallen,cn=users,
dc=rallencorp,dc=com
[-rdn rallen_quota]
The Tombstone Factor
Tombstone objects add an interesting twist to quotas. When a security principal (i.e., a user, group, or computer) deletes an object, Windows creates a tombstone object for a designated period of time (60 days by default) before purging the tombstone from the system. These tombstone objects count toward the security principal's quota.
By default, each tombstone object counts as one object. Thus, if a user creates an object and deletes another object, those objects would count as two objects toward any quotas that apply to the user. If a user creates an object and later deletes the same object, the entire process would count as only one object against the user's quota. When AD removes the tombstone object at the end of the designated time period, AD decrements one object from the user's quota.
You can change the msDS-QuotaContainer object's msDS-TombstoneQuotaFactor attribute to a value other than 100 percent to adjust how much each tombstone object counts against a security principal's quota usage. If you set the attribute to 50, a user with a quota limit of 10 could delete 20 objects (i.e., create 20 tombstone objects). If you don't care how many objects your users delete, you can set the tombstone quota factor to 0.
Setting Default Quotas
Because you can assign quotas to the different types of security principals, multiple quotas might apply to an individual principal. In such a case, the quota with the highest limit will be in force for the principal.
You can create a default quota for a partition that applies to all the security principals except for the members of the Enterprise Admins and Domain Admins groups and principals for which you've configured a quota. Even if you configure a default quota for all users, administrators won't have any restrictions and principals for which you've configured a quota will use that quota rather than the default quota.
The easiest way to apply a default quota is to modify the msDS-DefaultQuota attribute on the NTDS Quotas container for the target partition. You need to be careful when setting the default quota because it applies to every nonadministrator security principal for which you haven't set an individual quota. If you set the default quota to 0, for example, computers wouldn't be able to dynamically update their DNS records in an AD-integrated zone because that process creates an object. This situation might not apply to your environment, but the point is that you need to consider the effects of a default quota and test it thoroughly before implementing it.