Directory Object Quotas
A denial-of-service attack can be performed by creating a huge number of objects in Active Directory. The same thing can also happen unintentionally because of a bug in an application or a human error. To protect against such incidents, you can set quotas on how many directory objects a given security principal (user, inetOrgPerson, computer) can own in a given partition. (This includes domain and application partitions and the configuration partition, but the schema partition doesn't support quotas.) The object's creator becomes its owner, but as you know, ownership can be transferred.
Windows 2000 doesn't understand or enforce directory object quotas, so for the quotas to be effective, all domain controllers that host the corresponding partition should be running Windows Server 2003. Also, quotas are enforced only on originating updates and not when a replicated update is applied.
Setting Directory Object Quotas
You can set a default quota for the partition and individual quotas for users, inetOrgPersons, computers, and security groups. If there is a quota for both a user and one or more groups she is a member of, the largest quota is used. If an individual quota is not assigned (either directly or through group membership), the quota of the partition is used. By default, the partition quota is unlimited. Members of Domain Admins and Enterprise Admins are not subject to quota control.
You use the DS commands to manage quotas. The first of the following commands sets Jack's quota to 15 owned objects in the Sanao domain. The second command raises his quota to 18 objects, and the third command sets the default quota for the partition.
Command 1:
dsadd quota -part DC=sanao,DC=com -acct jack.brown@sanao.com -qlimit 15
Command 2:
dsmod quota "CN=SANAO_JackB,CN=NTDS Quotas,DC=sanao,DC=com" -qlimit 18
Command 3:
dsmod partition DC=sanao,DC=com -qdefault 500
Viewing Directory Object Quotas
You can view individual quota entries, effective quota limits, and the current quota usage with DS commands. The effective quota limit takes group membership into account (a group with a higher quota raises the user's effective limit), and if none of the quota entries apply, the effective limit equals the partition default.
The following command displays the effective quota limit along with the current usage:
dsget user "CN=jack brown,OU=boston,DC=sanao,DC=com" -part DC=sanao,DC=com -qlimit -qused
To see the effective quota and the current usage for all users in a domain, use the following command:
dsquery user domainroot | dsget user -part DC=sanao,DC=com -qlimit -qused -dn
To get a list of all quota entries that are at least ten objects, you can specify a filter in the DSQuery command, pipe the result to DSGet, and specify that you want the name (acct) and quota limit (qlimit) displayed:
dsquery quota domainroot -qlimit ">=10" | dsget quota -acct -qlimit
The CN=NTDS Quotas object contains two constructed attributes, msDS-QuotaEffective and msDS-QuotaUsed, which display a different result for each user—that is, her own effective quota limit and current usage.
Tombstone Quotas
When an object is deleted, most of its attributes are stripped, and what is left is called a tombstone. This tombstone exists by default for 60 days, so that knowledge of the deletion can be replicated to all domain controllers (even if one of them was offline for 55 days). It is possible to have tombstones counted with a lower weight when the user's quota usage is determined.
By default, the tombstone weight is 100, which means that they are as "expensive" as normal objects. To set the weight to 50 percent, for example, you would use the following command:
dsmod partition DC=sanao,DC=com -qtmbstnwt 50
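The following PowerShell script is an added example, not part of the original post: it models offline how the effective quota limit described under "Setting Directory Object Quotas" is resolved (the largest of the user's own and group quotas, falling back to the partition default, with Domain Admins and Enterprise Admins exempt) and how tombstones are counted toward usage at the weight set with -qtmbstnwt. All principal names, group names, quota values and object counts are constructed, and the rounding applied to the weighted tombstone count is an assumption of this model, not documented AD behaviour.

```powershell
# Added example (not from the original post): an offline model of the quota
# rules described above. Principals, groups, limits and counts are constructed.

# Quota entries as they would exist under CN=NTDS Quotas (principal -> limit).
$QuotaEntries = @{
    'jack.brown@sanao.com' = 18      # like "dsadd quota ... -qlimit 18"
    'Boston-Helpdesk'      = 25      # a security group
    'Build-Servers'        = 200     # a group of computer accounts
}

# Group memberships (principal -> groups it belongs to). Constructed.
$GroupMembership = @{
    'jack.brown@sanao.com' = @('Boston-Helpdesk')
    'svc.deploy@sanao.com' = @('Build-Servers', 'Domain Admins')
    'ann.lee@sanao.com'    = @()
}

# Partition-wide settings, as set with "dsmod partition".
$PartitionDefaultQuota = 500     # -qdefault; -1 here models "unlimited"
$TombstoneWeight       = 50      # -qtmbstnwt, in percent

function Get-EffectiveQuota {
    param([Parameter(Mandatory)] [string] $Principal)

    $groups = @()
    if ($GroupMembership.ContainsKey($Principal)) {
        $groups = @($GroupMembership[$Principal])
    }
    # Members of Domain Admins and Enterprise Admins are not subject to quotas.
    if (($groups -contains 'Domain Admins') -or ($groups -contains 'Enterprise Admins')) {
        return -1
    }
    # Collect the principal's own entry and the entries of every group it is in;
    # the largest applicable quota wins.
    $candidates = @()
    foreach ($name in (@($Principal) + $groups)) {
        if ($QuotaEntries.ContainsKey($name)) { $candidates += $QuotaEntries[$name] }
    }
    if ($candidates.Count -eq 0) { return $PartitionDefaultQuota }
    return ($candidates | Measure-Object -Maximum).Maximum
}

function Get-WeightedUsage {
    param([int] $LiveObjects, [int] $Tombstones)
    # Tombstones count at $TombstoneWeight percent of a live object.
    # Rounding the weighted tombstone count up is an assumption of this model.
    $weighted = [math]::Ceiling($Tombstones * $TombstoneWeight / 100)
    return $LiveObjects + [int]$weighted
}

function Get-QuotaReport {
    # One record per principal: effective limit, weighted usage, and whether
    # the principal can no longer create objects in the partition.
    param([Parameter(Mandatory)] [hashtable[]] $Owners)

    foreach ($o in $Owners) {
        $limit = Get-EffectiveQuota -Principal $o.Principal
        $used  = Get-WeightedUsage -LiveObjects $o.Live -Tombstones $o.Tombstones
        $shown = if ($limit -lt 0) { 'unlimited' } else { $limit }
        [pscustomobject]@{
            Principal = $o.Principal
            Effective = $shown
            Used      = $used
            Exhausted = ($limit -ge 0) -and ($used -ge $limit)
        }
    }
}

# Constructed usage figures: live objects and tombstones owned in the partition.
$owners = @(
    @{ Principal = 'jack.brown@sanao.com'; Live = 22;  Tombstones = 8 }   # 22 + 4 = 26 of 25: exhausted
    @{ Principal = 'ann.lee@sanao.com';    Live = 3;   Tombstones = 0 }   # 3 of 500 (partition default)
    @{ Principal = 'svc.deploy@sanao.com'; Live = 900; Tombstones = 50 }  # Domain Admin: exempt
)

Get-QuotaReport -Owners $owners | Format-Table -AutoSize
```

Jack's case shows why the tombstone weight matters: his group quota of 25 beats his individual entry of 18, but eight recently deleted objects still count as four live ones at a weight of 50, which pushes him over the limit. Against a real domain, the constructed tables would be replaced by the figures returned by dsget user -qlimit -qused (or the msDS-QuotaEffective and msDS-QuotaUsed attributes), and a principal whose Exhausted flag flips is the signal to look for the runaway application or mistaken script before it affects other owners.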
Sunday, 9 September 2007
What is Active Directory object quota? How can you set it?
Posted on 11:17 by Unknown