In Active Directory there is a container called NTDS Quotas which is visible in the Active Directory Users and Computers.  In this blog post we are going to explore what it is and its use within Active Directory.
If you cannot see this NTDS Quotas container in Active Directory Users and Computers, you need to turn on Advanced Features which can be found in the view menu.
NTDS Quotas limit the amount of objects a security context (such as an Active Directory user object) can create within Active Directory. Why would you want to do this? Say you setup a Level 2 administrator on your network which has basic access to create users and similar objects on your domain. Now if the credentials of this account escaped into the wrong hands, whilst it doesn't have any significant control over important components of Active Directory it could still be potentially used to take down the network. What do you mean Clint? The ability to create objects in Active Directory with no limit imposed is dangerous, an attacker could create billions of Active Directory objects in Active Directory until the database file NTDS.dit became so large it fills up the disk space on all available domain controllers making the domain completely unavailable.
When creating a user account in Active Directory which has been delegated the permissions to create objects within Active Directory it is best practice to set a quota to limit the number of objects that account can create. This is done using the following command.
dsadd quota -part dc=at,dc=local -qlimit 10 -acct CN=L2admin,CN=Users,DC=at,DC=local
This has created my L2 Admin the ability to create a maximum of 10 objects within Active Directory, any more a senior administrator will need to up his quota limit. It is also important to note that now the quota has been created, we can see that a quota object has been created for that user account in Active Directory under the NDSS Quotas container.
To verify how many objects a user has created from their quota you can use the following command.
dsget user CN=L2admin,CN=Users,DC=at,DC=local -part DC=at,DC=local -qlimit -qused
As you see I have not yet created an account with the L2Admin account I created for this demonstration, so quota used remains at 0.
Important: Domain Admins and Enterprise Admins groups are exempt from quota limitations. If you configure a quota for a Domain Admin or Enterprise Admin, it will not work! All the more reason to limit the number of Domain Admins and always delegate permissions where possible.
Can I create a default quota for all non Domain Admin and Enterprise Admin accounts on my network which have the ability to create objects?
The answer to this is yes! First navigate to the properties of the NTDS Quotas container within Active Directory.
 
 
 
If you cannot see this NTDS Quotas container in Active Directory Users and Computers, you need to turn on Advanced Features which can be found in the view menu.
NTDS Quotas limit the amount of objects a security context (such as an Active Directory user object) can create within Active Directory. Why would you want to do this? Say you setup a Level 2 administrator on your network which has basic access to create users and similar objects on your domain. Now if the credentials of this account escaped into the wrong hands, whilst it doesn't have any significant control over important components of Active Directory it could still be potentially used to take down the network. What do you mean Clint? The ability to create objects in Active Directory with no limit imposed is dangerous, an attacker could create billions of Active Directory objects in Active Directory until the database file NTDS.dit became so large it fills up the disk space on all available domain controllers making the domain completely unavailable.
When creating a user account in Active Directory which has been delegated the permissions to create objects within Active Directory it is best practice to set a quota to limit the number of objects that account can create. This is done using the following command.
dsadd quota -part dc=at,dc=local -qlimit 10 -acct CN=L2admin,CN=Users,DC=at,DC=local
This has created my L2 Admin the ability to create a maximum of 10 objects within Active Directory, any more a senior administrator will need to up his quota limit. It is also important to note that now the quota has been created, we can see that a quota object has been created for that user account in Active Directory under the NDSS Quotas container.
To verify how many objects a user has created from their quota you can use the following command.
dsget user CN=L2admin,CN=Users,DC=at,DC=local -part DC=at,DC=local -qlimit -qused
As you see I have not yet created an account with the L2Admin account I created for this demonstration, so quota used remains at 0.
Important: Domain Admins and Enterprise Admins groups are exempt from quota limitations. If you configure a quota for a Domain Admin or Enterprise Admin, it will not work! All the more reason to limit the number of Domain Admins and always delegate permissions where possible.
Can I create a default quota for all non Domain Admin and Enterprise Admin accounts on my network which have the ability to create objects?
The answer to this is yes! First navigate to the properties of the NTDS Quotas container within Active Directory.
Then on the Attribute Editor tab find msDS-DefaultQuota.  Whatever you set this to will apply to all users on the network and will limit the number of objects with Active Directory to which the user can create (of course provided they have been delegated rights to do so).  Remember this will not effect Domain Admins or Enterprise Admins!
I hope this post has been informative for you.
 

 
 

 
Does the quota cycle ? ie I set it for 50 and thats 50 today, then reset tomorrow for another 50 ? Or once the 50 are used I have to purge the account and reset the quota ? In that case would it be better to limit to a realistic amount, say the life of a SD engineer, maybe 2 years, and creation of maybe 3000 AD object over that time ?
ReplyDeleteHi Scott,
ReplyDeleteGood question, no the quota does not cycle. You are correct you want to create a realistic amount much higher then 10, this was only an example. Also if a user does meet their quota limit, what Microsoft recommends is you simply create a secondary quota higher then the first using the same DSADD command as documented above.
In the event a user has two quota objects configured, the quota object which has the higher value always wins.
What I would recommend is create a limit around 500, in the unlikely event this limit is set, just create another quota object set to 1000.
Also on that note, quota objects always overwrite the default quota set.
Kind Regards,
Clint
Does the counter decrement any time an object is deleted that this "junior admin" created? Or this is just a simple stupid "auto-increment" counter?
ReplyDeleteYes that is correct Anonymous, in the event objects are deleted which were created by the junior administrator, the junior administrator will be able to create more objects.
ReplyDeletePlease note there is a caveat around this, when an object is deleted from Active Directory it becomes a tombstone object for 60 days by default. Tombstone objects still count towards the users quota limit, hence the user needs to wait 60 days before getting the quota number back.
There is an attribute associated with the NTDS Quotas container called msDS-TombstoneQuotaFactor which is set to 100 by default. The msDS-TombstoneQuotaFactor attribute is the percentage factor (a value between 1 and 100) by which tombstone objects count against a security principal’s quota limit. If you set this to 0 then as soon as a object the user deleted is removed, it will automatically allow the user to recreate another user despite the tombstone remaining for 60 days (or whatever the custom tombstone interval has been configured to in the event it has been changed from the default).
I hope this makes sense... if there are any questions please feel free to shoot.
Kind Regards,
Clint
Thank you very much.
ReplyDeleteCould you please explain more how to write the script command and where to put.
When I run the above commands, I am getting below error.
====
C:\>dsadd quota -part dc=at,dc=local -qlimit 10 -acct CN=ali,CN=Users,DC=at,DC
=local
dsadd failed:The parameter is incorrect.:Account name does not exist. Enter a valid account.
====
User "ali"is in the active directory as an administrator.
Really appreciated!
Can I create a default quota for all non Domain Admin and Enterprise Admin accounts on my network which have the ability to create objects?
ReplyDelete=> The answer to this is NO: https://technet.microsoft.com/de-de/library/cc904295(v=ws.10).aspx
=> See Quota exemptions....In addition, members of the Domain Admins and Enterprise Admins groups are also exempt from quota limitations.