Article ID: 185292 - Last Review: November 21, 2006 - Revision: 3.5

SetUserObjectSecurity returns ERROR_NOT_ENOUGH_QUOTA

View products that this article applies to.
This article was previously published under Q185292
Expand all | Collapse all

SYMPTOMS

SetUserObjectSecurity returns:
ERROR_NOT_ENOUGH_QUOTA
Back to the top

CAUSE

All Microsoft Windows NT, Windows 2000, Windows XP Executive objects, which Window stations and Desktops belong to, have a 2K limit on Access Control Lists (ACL). SetUserObjectSecurity returns ERROR_NOT_ENOUGH_QUOTA when this limit is reached. This 2K limit equals approximately 84 or 85 Access Control Entries (ACE).
Back to the top

RESOLUTION

It is recommended that you add an ACE based on the Logon Security Identifier (SID) since this duplicates the process used by the system. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
165194  (http://support.microsoft.com/kb/165194/ ) CreateProcessAsUser() windowstations and desktops
Consider the following options when you experience this problem:
  • If you are launching many processes running in the same security context or logon session, you might want to add one ACE versus an ACE for every process.
  • If you can keep track of when the process dies, you should remove the ACE when the process has terminated.
  • If you cannot track when the process dies, there are several procedures that you can use to remove any unnecessary ACEs. You can enumerate processes, read the Logon Security Identifier (SID) or User SID from the process token, and compare one of them to the ACEs stored in the DACL for the window station and desktop objects. This depends on which ACE you used to secure the object. Remove any ACEs for processes that are no longer running on the system. NOTE: there might be other processes that are adding ACEs to the objects.
  • If you are launching many processes, you might want to add an ACE based on the processes logon type. For example, this could be either the Interactive or Batch SID. You would not have to add any additional ACEs for processes with the same logon type.
Back to the top

STATUS

This behavior is by design.
Back to the top
APPLIES TO
  • Microsoft Win32 Application Programming Interface, when used with:
    • Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows 2000
    • Microsoft Windows 2000 Server
    • the operating system: Microsoft Windows XP
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
    • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
    • Microsoft Windows Server 2003 R2 Standard x64 Edition
    • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
    • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
    • Windows Vista Home Basic
    • Windows Vista Home Basic N
    • Windows Vista Home Premium
    • Windows Vista Enterprise
    • Windows Vista Business
    • Windows Vista Business N
    • Windows Vista Ultimate
    • Windows Vista Starter
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Business 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Server 2008 Standard
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Datacenter
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Web Server 2008
Back to the top
Keywords: 
kbapi kbfaq kbkernbase kbprb kbsecurity KB185292
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations