Microsoft KB Archive/185292

{|
 * width="100%"|

PRB: SetUserObjectSecurity Returns ERROR_NOT_ENOUGH_QUOTA

 * }

Q185292

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
 * the operating system: Microsoft Windows NT 4.0
 * the operating system: Microsoft Windows 2000

-

SYMPTOMS
SetUserObjectSecurity returns

ERROR_NOT_ENOUGH_QUOTA

CAUSE
All Windows NT Executive objects, which Window stations and Desktops belong to, have a 2K limit on Access Control Lists (ACL). SetUserObjectSecurity returns ERROR_NOT_ENOUGH_QUOTA when this limit is reached. This 2K limit equals approximately 84 or 85 Access Control Entries (ACE).

RESOLUTION
It is recommended that you add an ACE based on the Logon Security Identifier (SID) since this duplicates the process used by the system. For more information on doing this, please see the following article in the Microsoft Knowledge Base:

"Q165194 INFO: CreateProcessAsUser, Windowstations and Desktops" Consider the following options when you experience this problem:


 * If you are launching many processes running in the same security context or logon session, you might want to add one ACE versus an ACE for every process.
 * If you can keep track of when the process dies, you should remove the ACE when the process has terminated.
 * If you cannot track when the process dies, there are several procedures that you can use to remove any unnecessary ACEs. You can enumerate processes, read the Logon Security Identifier (SID) or User SID from the process token, and compare one of them to the ACEs stored in the DACL for the window station and desktop objects. This depends on which ACE you used to secure the object. Remove any ACEs for processes that are no longer running on the system. NOTE: there might be other processes that are adding ACEs to the objects.
 * If you are launching many processes, you might want to add an ACE based on the processes logon type. For example, this could be either the Interactive or Batch SID. You would not have to add any additional ACEs for processes with the same logon type.

STATUS
This behavior is by design.

Additional query words: kbDSupport kbdss kbKernBase kbSecurity

Keywords : kbAPI kbKernBase kbOSWinNT400 kbOSWin2000 kbSecurity kbFAQ kbDSupport kbGrpDSKernBase

Issue type : kbprb

Technology : kbAudDeveloper kbWin32sSearch kbWin32API