Active Directory: Dealing with upgrades and user logs for Windows Server 2003 AD

Expert Laura E. Hunter answers reader questions ranging from how many users can be implemented in a Win2K3 Active Directory to how to upgrade from an NT4 domain.

The following is a collection of expert responses to reader questions by Laura Hunter. 

I was wondering how many users can be implemented in a Windows Server 2003 Active Directory? I called Microsoft and they did not know even know.

Laura Hunter: The number of users that AD can support is dependent on the amount of space that each object takes up, which will increase if you're using many directory-enabled applications such as Microsoft Exchange that will increase the amount of storage required for each user object. The physical NTDS.DIT file that stores AD information on each domain controller can be many terabytes in size, and thus AD can scale to millions of objects. For an interesting discussion on what happens when you have a really large DIT file, check out this blog entry from one of Microsoft's developers.

I am using Windows Server 2003 with Active Directory. I have at least 90 users. I want to save logs about user's usage of server. For example, I want to see users login & log off timing, and in this duration what they are doing.

Example: file or folder creation, delete, update, and open times with folder names. Is this possible?

LH: You can audit access to a number of different types of events related to Active Directory and the Windows operating system. Check out this link to get started.

You can view the results of system auditing manually within the Event Viewer, or you can automate the process with free tools like EventCombMT and LogParser or paid tools such as Microsoft Operations Manager (MOM) or third-party offerings from GFI, NetIQ, Quest, NetPro, and the like.

We have a NT Domain. I have built a 2003 Server (without Active Directory) which now resides on the NT Domain. The current PDC is an NT server. If I install AD on the 2003 server, would that mean that the users and groups will now reside on the new server (I'm not talking about their personal folders, but their login IDs, etc)? And also, do I have to denote the current PDC before or after installing AD onto the 2003 server? Thank you!

LH:To upgrade an NT4 domain to Windows Server 2003, you must first upgrade the NT4 PDC, thereby creating a 2003 Active Directory domain. For some helpful how-to guides to get you started, check out this link.

We are migrating our old file server to a new file server. How can I modify the path of all my users' home directory within Active Directory using a vbs logon script? Our DC is Windows Server 2000.

LH:Check out the source code from Robbie Allen's "Active Directory Cookbook," located here. Recipe 6.4 shows you how to modify a property value for multiple users. Essentially, you select a container such as an OU or a domain and then use a FOR loop to loop through each user object in that container.

I want to restrict 10 drives in Active Directory (Windows 2003). How can I add Registry Key in AD to do that?

LH:You can use Group Policy Objects to restrict access to any combination of the A, B, C and D drive letters, or to restrict access to all drive letters. If you need more granular control than that, you can roll up a custom .ADM template to restrict access to the particular drive letter that you need. See the following KB article for more details.

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at

This was first published in July 2006

Dig Deeper on Microsoft Active Directory



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: