How to Use Active Directory Explorer (ADExplorer) for Fast AD Troubleshooting

Overview

Active Directory Explorer (ADExplorer) is a free Sysinternals tool for browsing, searching, and inspecting Active Directory (AD) objects, attributes, and snapshots. It’s lightweight and useful for rapid diagnostics, investigating replication issues, permission problems, and configuration errors without installing heavy management consoles.

Setup

  1. Download & run: Get ADExplorer from Microsoft Sysinternals. It’s a single executable; run as an administrator on a machine with network access to the domain.
  2. Connect: Choose a live domain connection or open a saved snapshot file. For live use, enter a domain controller or let it auto-detect the current domain.
  3. Permissions: Use an account with sufficient read access to the AD partitions you need to inspect (typically a domain admin or delegated read account).

Key Views & Features to Use

  • Tree view: Navigate domain partitions (Configuration, Schema, Domain) and drill into OUs, users, computers, and groups.
  • Attribute editor: View all attributes for an object, including timestamps, GUIDs, SIDs, and replication metadata.
  • Search: Quickly find objects by name, DN, or attribute values. Use wildcard and partial matches for broader searches.
  • Snapshot mode: Capture a point-in-time snapshot of AD for offline analysis or to compare later.
  • Save/Load snapshots: Save snapshots to share with colleagues or to archive state before changes.
  • Compare snapshots: Use the Compare feature to find differences between two snapshots (useful after changes or for troubleshooting replication/attribute drift).
  • Security descriptor viewer: Inspect ACLs on objects to diagnose permission or delegation issues.
  • Replication metadata: Check the version, highestCommittedUSN, and last replication times for attributes to identify replication delays or conflicts.

Fast Troubleshooting Workflows

  1. Find an object quickly

    • Use Search with the sAMAccountName, CN, or partial display name.
    • Open the object and check the distinguishedName and memberOf to confirm placement and group memberships.
  2. Check replication and last-change times

    • Open object attributes and review when attributes like whenChanged/whenCreated were updated.
    • Inspect replication metadata to see source DC, update sequence numbers, and last replication timestamp.
  3. Diagnose authentication or group membership issues

    • Verify user attributes: userAccountControl, account expiry, servicePrincipalName (SPN).
    • Check nested group memberships and tokenGroups if group membership isn’t resolving as expected.
  4. Investigate permission problems

    • Open the Security descriptor for the object and audit the ACL entries.
    • Confirm which principals have Allow/Deny rights and at what inheritance level.
  5. Compare pre/post-change state

    • Take a snapshot before making changes.
    • After changes or an incident, take another snapshot and run Compare to highlight attribute or object differences.
  6. Recover accidentally deleted objects (read-only diagnosis)

    • If AD Recycle Bin is enabled, examine deleted objects in the Deleted Objects container via ADExplorer snapshot or on a DC that exposes the view.
    • Note attributes needed for authoritative restore (objectGUID, usn, tombstone info) to provide to recovery tools or admins.
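The read-only checks in workflows 1 to 4 can also be scripted so the same evidence is gathered every time. The following is an added example written for this page with the RSAT ActiveDirectory module; it is not Sysinternals code and has nothing to do with ADExplorer's own binaries. It locates a user by sAMAccountName, prints placement and memberships, decodes userAccountControl, resolves tokenGroups, pulls per-attribute replication metadata from the chosen DC, and lists the explicit and Deny ACEs on the object. $SamAccountName and $Server are placeholders supplied by whoever runs it.

```powershell
<#
  Added example, not from the article and not Sysinternals code: a read-only
  diagnosis of one user account with the RSAT ActiveDirectory module, covering
  workflows 1-4 (locate the object, check change and replication metadata,
  decode userAccountControl and tokenGroups, list the ACL).
  Assumptions: the ActiveDirectory module is installed and the caller has read
  access; $SamAccountName and $Server are placeholders supplied by the caller.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Server = (Get-ADDomain).PDCEmulator
)
Import-Module ActiveDirectory

# Documented userAccountControl bit flags that matter most for logon problems
$UacFlags = [ordered]@{
    0x0000002 = 'ACCOUNTDISABLE'
    0x0000020 = 'PASSWD_NOTREQD'
    0x0010000 = 'DONT_EXPIRE_PASSWORD'
    0x0080000 = 'TRUSTED_FOR_DELEGATION'
    0x0100000 = 'NOT_DELEGATED'
    0x0400000 = 'DONT_REQ_PREAUTH'
    0x0800000 = 'PASSWORD_EXPIRED'
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
}

function ConvertFrom-AdFileTime([long]$Value) {
    # 0 and Int64.MaxValue both encode "never" in accountExpires / lastLogonTimestamp
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return 'never' }
    [DateTime]::FromFileTimeUtc($Value).ToString('u')
}

# Workflow 1: locate the object and confirm placement and group memberships
$props = 'userAccountControl','LockedOut','accountExpires','lastLogonTimestamp','pwdLastSet',
         'servicePrincipalName','memberOf','whenCreated','whenChanged','tokenGroups'
$user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties $props

# Workflow 3: decode userAccountControl and resolve the full (nested) group token
$uac = [int]$user.userAccountControl
$setFlags = $UacFlags.GetEnumerator() | Where-Object { ($uac -band $_.Key) -ne 0 } | ForEach-Object Value
$tokenGroups = foreach ($g in $user.tokenGroups) {
    # tokenGroups is a constructed attribute returned as SIDs (raw bytes on some module versions)
    $sid = if ($g -is [byte[]]) { [System.Security.Principal.SecurityIdentifier]::new($g, 0) } else { [System.Security.Principal.SecurityIdentifier]$g }
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# Workflow 2: per-attribute replication metadata as held by this DC (version, USNs, originating DC)
$replMeta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server `
    -Properties userAccountControl, pwdLastSet, lockoutTime, servicePrincipalName |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LocalChangeUsn,
                  LastOriginatingChangeDirectoryServerIdentity

# Workflow 4: explicit (non-inherited) and Deny ACEs, read through an AD drive bound to the same DC
New-PSDrive -Name ADX -PSProvider ActiveDirectory -Root '' -Server $Server -Scope Script | Out-Null
$acl  = Get-Acl -Path "ADX:\$($user.DistinguishedName)"
$aces = $acl.Access |
    Where-Object { -not $_.IsInherited -or $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited

[pscustomobject]@{
    DistinguishedName  = $user.DistinguishedName
    Created            = $user.whenCreated
    LastChanged        = $user.whenChanged
    LastLogon          = ConvertFrom-AdFileTime $user.lastLogonTimestamp   # replicated value, may lag up to 14 days
    PasswordLastSet    = ConvertFrom-AdFileTime $user.pwdLastSet
    AccountExpires     = ConvertFrom-AdFileTime $user.accountExpires
    LockedOut          = $user.LockedOut
    UacFlags           = ($setFlags -join ', ')
    SPNs               = @($user.servicePrincipalName)
    DirectGroups       = @($user.memberOf)
    EffectiveGroups    = @($tokenGroups)
    ReplicationMeta    = $replMeta
    ExplicitOrDenyAces = $aces
} | Format-List
```

Run it against two different DCs (change $Server) and compare the ReplicationMeta versions and USNs: a lower Version for the same attribute on one DC is the replication delay that ADExplorer's metadata view would show you interactively.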

Tips & Best Practices

  • Use snapshots for safety: Never rely solely on live inspections when you need an auditable record—use snapshots.
  • Run on secure workstation: Use ADExplorer from a secure admin workstation to avoid credential exposure.
  • Combine with other tools: Use alongside Event Viewer, dcdiag, repadmin, and LDAP queries for full diagnostics.
  • Document findings: Export attribute lists or copy object DNs into notes when escalating issues.
  • Be cautious editing: ADExplorer can edit attributes; avoid making changes unless you intend them and understand impact.
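ADExplorer's snapshot and Compare features are the right tool for a full point-in-time capture, but a scripted text snapshot of a scoped set of attributes is handy when you want a diff you can paste into a ticket. The following is an added example written for this page; it is not the article's code and does not read or produce ADExplorer's own snapshot files. It saves the attributes of every object under a search base to an XML file before a change (workflow 5 and the "use snapshots for safety" tip) and reports added, deleted and modified attributes afterwards. $SearchBase, $Server and the file paths are placeholders.

```powershell
<#
  Added example, not from the article and unrelated to ADExplorer's own
  snapshot format: a lightweight attribute snapshot of everything under a
  search base, saved before a change and diffed afterwards (workflow 5 and the
  "use snapshots for safety" tip). Assumes the RSAT ActiveDirectory module and
  read access; $SearchBase, $Server and the file paths are placeholders.
#>
Import-Module ActiveDirectory

function Save-AdSnapshot {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Path,
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [string[]]$Attributes = @('objectClass','whenChanged','userAccountControl','member','memberOf','gPLink','description')
    )
    # Store each object as DN -> attribute -> flattened string so two snapshots diff cleanly
    $objects = @{}
    Get-ADObject -SearchBase $SearchBase -Filter * -Server $Server -Properties $Attributes | ForEach-Object {
        $row = @{}
        foreach ($a in $Attributes) {
            # Multi-valued attributes are sorted before joining so value order never shows as a change
            $row[$a] = (@($_.$a) | ForEach-Object { "$_" } | Sort-Object) -join ';'
        }
        $objects[$_.DistinguishedName] = $row
    }
    [pscustomobject]@{ Taken = (Get-Date).ToUniversalTime(); Server = $Server; SearchBase = $SearchBase; Objects = $objects } |
        Export-Clixml -Path $Path
}

function Compare-AdSnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $old = (Import-Clixml -Path $Before).Objects
    $new = (Import-Clixml -Path $After).Objects
    foreach ($dn in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if (-not $new.ContainsKey($dn)) { [pscustomobject]@{ DN = $dn; Attribute = '*'; Change = 'Deleted'; Before = ''; After = '' }; continue }
        if (-not $old.ContainsKey($dn)) { [pscustomobject]@{ DN = $dn; Attribute = '*'; Change = 'Added';   Before = ''; After = '' }; continue }
        foreach ($attr in $old[$dn].Keys) {
            if ($old[$dn][$attr] -ne $new[$dn][$attr]) {
                [pscustomobject]@{ DN = $dn; Attribute = $attr; Change = 'Modified'; Before = $old[$dn][$attr]; After = $new[$dn][$attr] }
            }
        }
    }
}

# Usage (placeholder search base and paths):
# Save-AdSnapshot -SearchBase 'OU=Servers,DC=example,DC=test' -Path .\before.xml
# ... make or observe the change ...
# Save-AdSnapshot -SearchBase 'OU=Servers,DC=example,DC=test' -Path .\after.xml
# Compare-AdSnapshot -Before .\before.xml -After .\after.xml | Format-Table -AutoSize
```

Because both snapshots record the DC they were taken from, a difference that appears only when the second snapshot is taken against another DC points at replication rather than at the change itself.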

Quick Checklist for Common Problems

  • User can’t log in: check userAccountControl, account lockout, lastLogonTimestamp, SPNs, group membership.
  • Group membership not applied: verify nested groups, tokenGroups, replication status.
  • GPO not applying: confirm gPLink on OU, permission on GPO object, and replication of policy attributes.
  • Unexpected permissions: inspect ACL entries and inheritance on the affected object.
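The "GPO not applying" item can be checked end to end from PowerShell. The following is an added example written for this page using the RSAT ActiveDirectory and GroupPolicy modules; it is not the article's code. It parses gPLink on the OU and every parent container up to the domain root, shows whether each link is disabled or enforced, compares each GPO's AD (DS) version with its SYSVOL version (a mismatch means the policy has not finished replicating between the directory and the file share), and lists which principals may read and apply it. $OuDn is a placeholder DN.

```powershell
<#
  Added example, not from the article: the "GPO not applying" checks from the
  checklist for one OU using the RSAT ActiveDirectory and GroupPolicy modules.
  It parses gPLink on the OU and every parent container, shows link flags,
  compares each GPO's AD (DS) version with its SYSVOL version (a mismatch means
  the policy has not finished replicating), and lists who may read and apply it.
  $OuDn is a placeholder DN supplied by the caller.
#>
param([Parameter(Mandatory)][string]$OuDn)
Import-Module ActiveDirectory, GroupPolicy

# gPLink is a string of "[LDAP://<GPO DN>;<flags>]" entries; flags bit 1 = link disabled, bit 2 = enforced
function Get-GpLink([string]$ContainerDn) {
    $gpLink = (Get-ADObject -Identity $ContainerDn -Properties gPLink).gPLink
    if ([string]::IsNullOrWhiteSpace($gpLink)) { return }
    foreach ($m in [regex]::Matches($gpLink, '\[LDAP://([^;]+);(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Container    = $ContainerDn
            GpoDn        = $m.Groups[1].Value
            LinkDisabled = ($flags -band 1) -ne 0
            Enforced     = ($flags -band 2) -ne 0
        }
    }
}

# Walk from the OU up to the domain root: GPOs linked at any level of the path apply
$chain = @()
$dn = $OuDn
while ($dn -and $dn -notmatch '^DC=') {
    $chain += $dn
    $dn = ($dn -split '(?<!\\),', 2)[1]   # drop the leading RDN, honouring escaped commas
}
$chain += $dn

foreach ($link in ($chain | ForEach-Object { Get-GpLink $_ })) {
    # The GPO DN is cn={GUID},cn=policies,cn=system,...; Get-GPO resolves it by that GUID
    $guid = [regex]::Match($link.GpoDn, '\{([0-9A-Fa-f-]+)\}').Groups[1].Value
    $gpo  = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
    if (-not $gpo) { Write-Warning "Orphaned link on $($link.Container): $($link.GpoDn)"; continue }

    # Who can read and apply the GPO; security filtering silently skips everyone else
    $readApply = Get-GPPermission -Guid $guid -All |
        Where-Object { $_.Permission -in 'GpoApply','GpoRead' } |
        ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }

    [pscustomobject]@{
        Container          = $link.Container
        Gpo                = $gpo.DisplayName
        Status             = $gpo.GpoStatus
        LinkDisabled       = $link.LinkDisabled
        Enforced           = $link.Enforced
        ComputerDsVsSysvol = "$($gpo.Computer.DSVersion)/$($gpo.Computer.SysvolVersion)"
        UserDsVsSysvol     = "$($gpo.User.DSVersion)/$($gpo.User.SysvolVersion)"
        VersionsInSync     = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                             ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
        ReadApply          = ($readApply -join '; ')
    }
}
```

A link that resolves, is enabled, has matching DS and SYSVOL versions and grants GpoApply to the affected computer or user narrows the problem to the client side (gpresult, WMI filters, loopback), which is outside what ADExplorer shows.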
