Getty Images
Using Microsoft AD Explorer for common admin tasks
The utility makes it easier to navigate the Active Directory database and features snapshot capabilities with a comparison function to detect where a change caused a problem.
When you need a quick fix with a key component in your Windows infrastructure, often, there's a utility tailored for that specific need.
Active Directory (AD) is a foundational technology in Windows Server with seemingly innumerable features and benefits for the enterprise. Its health is integral to the security and overall well-being of the organization. It's important to have a tool that navigates this identity and access management platform and the objects it stores for troubleshooting and other admin tasks. Microsoft AD Explorer is a free but handy utility with exceptional search capabilities and other features to make troubleshooting and other tasks easier.
What is Microsoft AD Explorer?
Microsoft AD Explorer is a utility that is part of the suite of admin tools called Sysinternals. AD Explorer makes finding and viewing AD objects more efficient by avoiding the directory structure to review attributes for accuracy. In addition to searching for objects and saving those queries, AD Explorer can snapshot the AD database with the option to compare snapshots to identify changes, including both original and updated attribute values.
While AD Explorer does not directly allow rollbacks, it provides the info you need to reverse unintended or failed modifications to AD objects.
Other features in AD Explorer include the following:
- View AD objects, including attributes, properties and dependencies.
- Manage permissions on AD objects.
What are Microsoft AD Explorer advantages?
AD Explorer's abilities to take snapshots and provide a granular tool to search for objects are not its only advantages.
When you select an object, you can display its attributes without a right-click or the need to dig into the object's properties. This is much faster and more convenient than other tools.
AD Explorer recognizes drag-and-drop functionality to move objects between containers.
AD Explorer keeps a history of recently accessed objects to find them quickly during an administrative session.
Finally, Microsoft AD Explorer can bookmark containers and organizational units (OUs) you use regularly.
How to install Microsoft AD Explorer
The Sysinternals tools are free. You can download AD Explorer from its homepage. Save and unpack the zipped file, and then double-click the ADExplorer.exe program to launch the application.
AD Explorer prompts you to connect to an AD database or an existing database snapshot. Enter a domain controller's name, such as DC1, and your login credentials. Once connected to your AD instance, you can browse the structure.
The AD partitions are stored on the domain controller, including schema, configuration and domain partitions. Expand the domain controller node in the tree pane to display containers and OUs.
How to use Microsoft AD Explorer
Start using AD Explorer by browsing the various objects and containers. The structure should be familiar if you've ever used the Microsoft Management Console snap-in AD Users and Computers (ADUC), the AD Domains and Trusts console or the AD PowerShell module.
Expand the domain controller node to display the containers and OUs. Browse the AD structure to an OU of your choice, and display the objects stored in it.
In the example here, I selected the Users OU, a child OU within the Sales OU. Inside the child OU are two user accounts. If I select an account within the OU, AD Explorer displays its attributes.
This interface is a faster way to view these attributes via ADUC, AD Administrative Center or PowerShell.
Select any of the attributes to display more detail. Similar results are available for computer accounts or any other AD object.
You can browse the infrastructure if you know which container or OU holds the object you need. However, you need to search for specific objects in many cases.
How to search AD with Microsoft AD Explorer
The Microsoft AD Explorer search function is extremely comprehensive. You can search for any attribute and filter your results with detailed criteria.
You can use the following search criteria in AD Explorer:
- Class. AD object class, such as OU.
- Attribute. Any object attribute.
- Relation. Is or is not like.
- Value. Object name or other value, depending on the attribute.
To search, use the toolbar, or right-click on a container or OU.
The first example is executing a search for an OU by its name. This feature is particularly handy in large enterprise networks where there may be hundreds of OUs nested in several layers.
Save your searches if you anticipate using them regularly.
In the next example, say you want to find a user account, but you're not sure which OU stores it. You also don't know the user's full name, just their first name. From the search menu in the toolbar, choose Search Container, and then set the search parameters.
AD Explorer displays all users who match the first name criteria. To perform other searches, such as for a computer account, the process is similar.
How to take snapshots with Microsoft AD Explorer
A common troubleshooting scenario for AD involves investigating why something that worked previously no longer does. With a technology as complex as AD, that can be a difficult question to answer. Comparing snapshots is one way to sort out this issue.
A snapshot is a record of the AD database from a specific time. It's not a backup because you can't restore or roll back with it, but it's helpful as an aid to compare two snapshots to determine where changes occurred. AD Explorer helps by finding these changes for you.
If you're experimenting with AD Explorer in a lab, then take a snapshot. Next, create a new user account, and then take another snapshot.
To perform a comparison in AD Explorer:
- Open AD Explorer to your database, go to the File menu, select Connect and browse to the snapshot files. Load at least two snapshots to make a comparison.
- In the Compare menu, select Compare Snapshot to show what changed between the snapshots.
The Compare Snapshot feature selects classes and change types to narrow the search. This option is useful to prevent performance issues when comparing large snapshots.
In the following example, suppose you want to examine snapshots after creating a new OU named ProjectsTeam. First, load the two snapshots in AD Explorer. Next, add the snapshot to compare to the current one. AD Explorer's comparison results screen shows the new ProjectsTeam OU.
How do similar tools compare to Microsoft AD Explorer?
There are other utilities admins can use to browse and perform operations in AD.
JXplorer is a Java-based open source editor for Lightweight Directory Access Protocol (LDAP) databases, such as AD. While the most recent version is from 2013, the tool is still in production and available with documentation and an administrator's guide. JXplorer is available in two versions: the free and open source JXplorer download or the paid JXWorkBench Enterprise edition for $10.
Administrators who manage mixed LDAP environments might appreciate LDAP Explorer (LEX). While the current version is compatible with Windows Server 2016 and Windows 10, it's reasonable to expect it works with more current AD versions. It also works with OpenLDAP. A paid license is $110. The developers have been working on LEX2, which should support Microsoft Entra ID -- formerly Azure AD -- and Microsoft 365 subscriptions.
Third-party utilities can often improve on Microsoft's own built-in functionality, but in this case, I recommend using AD Explorer, which continues to be developed by Microsoft. JXplorer's age and LEX's cost are a concern. However, these tools might be valuable if you use or plan to use another LDAP database, such as OpenLDAP.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.
