Active Directory Quotas

You can use Active Directory and Active Directory Domain Services (AD DS) to implement limitations on the number of objects that a security principal (a user, computer, and group) can create in a directory node. You can define these limitations through Active Directory quotas.  Quotas have been around since the days of Windows Server 2003 and are very useful when trying to prevent a rogue attack against Active Directory.  An example of this would be a security principal has been delegated the permission to create objects in Active Directory.  Well, with no quota limitation in place, they can create objects until the disk housing the NTDS.dit file until runs out of space. If you implement quotas, you can limit the number of objects that a security principal can create in the directory, which helps insulate the directory from a denial-of-service attack through the creation of a very large number of objects.

 A few key pointers:

  • You can specify quotas for security principals on each directory partition. These partitions include application partitions, domain partitions, and configuration partitions.

  • Schema partitions are exempt from quota restrictions. Modifications to the schema are highly restricted operations that only members of the Schema Admins group can perform. In addition, members of the Domain Admins and Enterprise Admins groups are also exempt from quota limitations.

  • Quota objects are stored in the NTDS Quotas container under the domain, application, and configuration naming contexts. To view the NTDS Quotas container in the Active Directory Users and Computers snap-in, you must enable Advanced Features on the View menu.

  • Tombstone objects, which are created when you delete an object from a partition, count toward a security principal’s quota limit. You can define the percentage by which tombstone objects count against a security principal’s quota limit by modifying the NTDS Quotas container’s msDS-TombstoneQuotaFactor attribute.

  • By default, only members of the Domain Admins group can administer quotas.

  • To assign a quota to a security principal, you must use the directory services tools. The command and required parameters for assigning a quota to a security principal are as follows:

    dsadd quota –part <partition distinguished name> –qlimit <quotalimit> –acct <security prinicipal>

  • To determine a security principal’s quota, use the following command:

    dsget user <userDN> -part <partitionDN> -qlimit –qused

 For more information about Active Directory quotas see, Active Directory Quotas (  

This posting is provided "AS IS" with no warranties, and confers no rights.

Skip to main content