22.214.171.124.2.5 Quota Calculation
Quotas control the number of objects (including tombstones, deleted-objects, and recycled-objects) that a security principal may own within an NC. A security principal is considered the "owner" of an object if the OWNER field in the object's nTSecurityDescriptor value equals the security principal’s SID. In the event the object owner changes, the quota (USAGE) for the existing and potential new owner is recalculated.
The quota is not enforced in two cases:
When the requester of an operation is not the same as the potential owner.
When the requester has specified the LDAP_SERVER_BYPASS_QUOTA_OID control and has been granted the control access right DS-Bypass-Quota on the object that is the root of the NC in which the operation is to be performed.
When a quota is enforced, the USAGE value for the requester is computed. When the USAGE value computed for a requester exceeds their MAX-USAGE value (see below), add, undelete (reanimation), delete, and change-of-owner operations are prevented for the requester and the server returns the adminLimitExceeded / STATUS_QUOTA_EXCEEDED error.
The USAGE value is computed as follows:
USAGE = owned_existing_objects + ceil(tombstone-factor/100 * owned_deleted_objects)
In the preceding formula, owned_existing_objects is the total number of existing-objects that the requester owns. owned_deleted_objects is the total number of tombstones, deleted-objects, or recycled-objects (see the Delete operation in section 126.96.36.199.5) that the requester owns. tombstone-factor is the integer value stored in the msDS-TombstoneQuotaFactor attribute on the Quotas container in the NC. Ceil() is the "ceiling" mathematical function.
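The enforcement rules and USAGE formula above, as an added Python example that is not part of the specification text. The class and function names and the sample SIDs are constructed for illustration, MAX-USAGE is taken as a caller-supplied number, and USAGE is evaluated over whatever object set the caller passes in.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DirObject:              # hypothetical model of one object in the NC
    owner_sid: str            # OWNER field of nTSecurityDescriptor
    deleted: bool             # tombstone, deleted-object or recycled-object

def usage(objects, sid, tombstone_factor):
    """USAGE = owned_existing_objects + ceil(tombstone-factor/100 * owned_deleted_objects)."""
    owned = [o for o in objects if o.owner_sid == sid]
    deleted = sum(o.deleted for o in owned)
    existing = len(owned) - deleted
    # Integer ceiling: avoids the float rounding error that a literal
    # ceil(factor / 100 * n) can introduce.
    return existing + -(-tombstone_factor * deleted // 100)

def quota_enforced(requester_sid, potential_owner_sid,
                   bypass_control=False, has_bypass_right=False):
    """Apply the two cases in which the quota is not enforced."""
    if requester_sid != potential_owner_sid:
        return False          # requester is not the potential owner
    if bypass_control and has_bypass_right:
        return False          # LDAP_SERVER_BYPASS_QUOTA_OID plus DS-Bypass-Quota
    return True

def check_operation(objects, requester_sid, potential_owner_sid,
                    tombstone_factor, max_usage, **bypass):
    """Return the result for an add, undelete, delete or change-of-owner."""
    if not quota_enforced(requester_sid, potential_owner_sid, **bypass):
        return "success"
    if usage(objects, requester_sid, tombstone_factor) > max_usage:
        return "adminLimitExceeded"   # STATUS_QUOTA_EXCEEDED
    return "success"

# Constructed sample data: one principal owning 3 existing and 5 deleted objects.
ALICE = "S-1-5-21-1111-2222-3333-1104"   # constructed SID
ADMIN = "S-1-5-21-1111-2222-3333-500"    # constructed SID
SAMPLE = ([DirObject(ALICE, False)] * 3 + [DirObject(ALICE, True)] * 5
          + [DirObject(ADMIN, False)] * 2)

if __name__ == "__main__":
    for factor in (0, 50, 100):
        print(factor, usage(SAMPLE, ALICE, factor),
              check_operation(SAMPLE, ALICE, ALICE, factor, max_usage=5))
```

With a tombstone factor of 50, the five deleted objects count as three, so the sample principal's USAGE is 6 and a MAX-USAGE of 5 blocks the operation unless one of the two non-enforcement cases applies.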
The MAX-USAGE value is computed as follows:
A set of applicable msDS-QuotaControl objects in the Quotas container is obtained. An msDS-QuotaControl object is applicable for the requester if its msDS-QuotaTrustee attribute contains a SID that is present in the requester's authorization information.