The Change Nobody Documented
Three service accounts disabled in production. No change ticket. No record of who did it or when. The helpdesk was fielding calls for forty minutes before we traced the issue back to a permissions change made during a maintenance window two weeks earlier. We had no baseline to compare against, so proving what changed required digging through event logs across multiple domain controllers.
That engagement taught our team a hard lesson about Active Directory visibility. We needed a way to capture the state of AD at a known-good point, then compare it later when something inevitably went sideways. That is exactly what AdExplorer does, and it has become a standard tool in our change management process.
What AdExplorer Actually Does
AdExplorer is part of the Sysinternals suite, written by Mark Russinovich. It is a free, portable Active Directory viewer and editor that does not require installation. Think of it as ADSI Edit with a usable interface and one critical feature ADSI Edit lacks: the ability to save full snapshots of your AD database for offline analysis.
The tool displays AD in two panes. The left pane shows the directory tree. The right pane shows every attribute for the selected object without requiring you to open separate dialog boxes. You can browse, search, edit attributes, modify permissions, and navigate directly to an object’s schema definition. It automatically opens all naming contexts it can find — default, configuration, and schema — so you do not need to connect to each one separately.
For day-to-day AD troubleshooting, that alone makes it worth keeping on a USB drive. But the snapshot capability is where AdExplorer earns its place in an operational toolkit.
How Snapshots Work
A snapshot captures the state of your AD database at a specific point in time. AdExplorer saves the default, configuration, and schema naming contexts into a single .dat file. Once saved, you can open that snapshot on any machine running AdExplorer and browse it exactly as you would a live directory — searching objects, viewing attributes, inspecting permissions — all without any network connection to a domain controller.
Snapshots are read-only. You cannot modify anything in a loaded snapshot, which is exactly what you want for audit and baseline purposes.
Creating a Snapshot
Connect to your domain controller through the Connect To Active Directory dialog box. You can launch this from the File menu or the Open toolbar icon. Once connected, choose Create Snapshot from the File menu or click the Save toolbar button.
The Snapshot dialog box gives you three options:
- Add a comment describing the snapshot purpose (pre-change baseline, quarterly audit, etc.)
- Choose where to save the .dat file
- Set a throttle to control how aggressively AdExplorer scans the directory tree
That throttle setting matters. In a client environment with 30,000 AD objects, an unthrottled snapshot will hammer the domain controller. We always set a throttle during business hours and run full-speed snapshots during scheduled maintenance windows. The snapshot file size scales with the number of objects, attributes, and permissions in your directory.
Comparing Snapshots: Where the Real Value Lives
Taking snapshots is useful. Comparing them is where AdExplorer becomes indispensable for change management.
Load a saved snapshot, select any object within it, then choose Compare Snapshot from the Compare menu. AdExplorer opens a criteria dialog where you select a second snapshot file to compare against. You can filter the comparison by object class and attribute type, so you are not drowning in noise when you only care about group membership changes or permission modifications.
The results list every difference between the two snapshots. Double-clicking any difference navigates you to the relevant object in the loaded snapshot. If you need to focus specifically on security changes, the Compare Snapshot Security option under the Compare menu isolates permission differences between the two points in time.
A Real-World Comparison Workflow
During a quarterly security review for a government contractor we work with, we established this process:
- Snapshot AD on the first Monday of each quarter
- Snapshot again at the end of the quarter
- Compare the two snapshots filtering for security group changes, disabled accounts, and OU modifications
- Cross-reference differences against approved change tickets
- Flag anything that does not have a matching ticket
Within the first quarter, we identified fourteen undocumented group membership changes. Seven of them were legitimate but untracked. The other seven were remnants of a terminated contractor’s access that should have been revoked. That finding alone justified the process.
Operational Use Cases Beyond Auditing
Pre-Migration Baselines
Before any domain migration or AD restructuring project, we take a full snapshot. If the migration goes wrong, we have an exact record of the prior state. This is not a backup — you cannot restore from a snapshot — but it tells you precisely what needs to be rebuilt. Pair this with proper backup infrastructure and you have both the recovery mechanism and the verification checklist.
Incident Response
When a P1 incident involves potential unauthorized AD changes, loading an offline snapshot lets your security team analyze the directory state without touching production. MITRE ATT&CK documents numerous techniques that involve AD manipulation — persistence through group policy modification, privilege escalation via group membership changes, lateral movement using trust relationships. Having a baseline snapshot turns your investigation from guesswork into a differential analysis.
Onboarding New Team Members
Hand a new AD administrator a snapshot and let them explore the directory structure without any risk of accidentally modifying production objects. Snapshots are read-only by design, making them a safe training environment.
Caveats and Limitations
AdExplorer is not a replacement for proper AD monitoring or backup solutions. A few things to keep in mind:
Snapshots only capture the three default naming contexts. Application partitions and custom naming contexts are excluded. If your environment uses these, you will have gaps in your snapshots.
Large directories produce large snapshot files. A 50,000-object AD can generate snapshot files measured in gigabytes. Plan your storage accordingly and do not assume a network share with limited space will handle quarterly snapshots of a large enterprise directory.
The comparison feature is point-in-time only. It tells you what changed between two snapshots, not when or who made the change. For real-time change auditing, you still need proper AD audit policies and a SIEM or log aggregation platform. AdExplorer snapshots complement that monitoring — they do not replace it.
One more: AdExplorer requires authenticated access to the domain to create a snapshot. The account you connect with determines what you can see. A standard user account will miss attributes that require elevated read permissions.
Making It Part of Your Change Process
Here is my opinionated take: every environment with more than 100 AD objects should be taking monthly snapshots at minimum. Storage is cheap. The cost of not having a baseline when something breaks is measured in hours of investigation time and, in regulated industries, potential compliance findings.
We build snapshot creation into our change management runbooks. Before any CAB-approved AD change, the implementing engineer takes a snapshot. After the change, another snapshot. Both get stored with the change ticket number in the filename. If anyone questions what happened six months later, we pull the snapshots and compare.
You can script the snapshot process using AdExplorer’s command-line options, then schedule it through Task Scheduler or your automation platform. For environments where we manage AD operations, this runs automatically as part of our monitoring and alerting workflows. The snapshots land on a dedicated file share with retention policies matching the client’s compliance requirements.
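As an added example (not the article's own code, and not a Sysinternals script), here is a PowerShell runner a scheduled task can call to take a snapshot named with the change ticket, record its size and SHA-256 for the audit trail, and prune by retention. It assumes AdExplorer accepts the `-snapshot "<ldap-path>" "<output.dat>"` switch with an empty path for the default domain, plus the usual Sysinternals `-accepteula` switch; the tool path, snapshot store and retention value are placeholders.

```powershell
<#
  Added example, not code from the article or from Sysinternals.
  Assumed: AdExplorer.exe accepts -snapshot "<ldap-path>" "<output.dat>"
  (empty path = default domain) and the standard Sysinternals -accepteula.
  Tool path, snapshot store and retention are placeholders to adjust.
#>
param(
    [string]$AdExplorerPath = 'C:\Tools\AdExplorer.exe',   # assumed location
    [string]$SnapshotRoot   = 'D:\ADSnapshots',            # assumed local store
    [string]$ChangeTicket   = 'SCHEDULED',                 # CAB ticket id, or SCHEDULED
    [int]$RetentionDays     = 400                          # assumed retention policy
)

$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$domain  = $env:USERDNSDOMAIN
$outFile = Join-Path $SnapshotRoot ('{0}-{1}-{2}.dat' -f $domain, $ChangeTicket, $stamp)
$logFile = Join-Path $SnapshotRoot 'snapshot-log.csv'

if (-not (Test-Path $SnapshotRoot)) { New-Item -ItemType Directory -Path $SnapshotRoot | Out-Null }

# Large directories produce multi-gigabyte files; refuse to start with under 5 GB free.
$freeGB = (Get-Item $SnapshotRoot).PSDrive.Free / 1GB
if ($freeGB -lt 5) { throw "Only $([math]::Round($freeGB, 1)) GB free on snapshot volume" }

# Run the snapshot and wait for it; AdExplorer writes the default, configuration
# and schema naming contexts into the single .dat file.
$argList = @('-accepteula', '-snapshot', '""', ('"{0}"' -f $outFile))
$proc = Start-Process -FilePath $AdExplorerPath -ArgumentList $argList -Wait -PassThru
if ($proc.ExitCode -ne 0 -or -not (Test-Path $outFile)) {
    throw "Snapshot failed (exit code $($proc.ExitCode)); no file at $outFile"
}

# Record size, hash and the account used, so a baseline pulled months later as
# evidence can be shown to be the file that was written on the day.
$hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
[pscustomobject]@{
    Timestamp = $stamp; Domain = $domain; Ticket = $ChangeTicket
    File = $outFile; Bytes = (Get-Item $outFile).Length; SHA256 = $hash
    RunAs = $env:USERNAME
} | Export-Csv -Path $logFile -Append -NoTypeInformation

# Prune .dat files past the retention window; the CSV log is kept as the index.
Get-ChildItem -Path $SnapshotRoot -Filter '*.dat' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Force
```

For a CAB change the implementing engineer runs it twice with `-ChangeTicket CHG0012345` (a constructed ticket id), before and after, and the two filenames are what get loaded into Compare Snapshot later.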
Getting Started
Download AdExplorer from the Microsoft Sysinternals page. It is a standalone executable — no installation, no dependencies. Drop it on your admin workstation or a USB drive.
Connect to your domain, take your first snapshot, and store it somewhere safe. Do the same thing next month. When something breaks — and it will — you will have a baseline to compare against instead of guessing what changed.
If your team needs help building AD change management processes or wants a structured approach to directory auditing, reach out to our team. We have been through enough undocumented-change incidents to know that the process matters as much as the tooling.