
ADExplorer

ADExplorer is a Sysinternals utility for browsing Active Directory, creating snapshots of AD state, and comparing snapshots to detect changes. It’s essential for AD reconnaissance, offline analysis, and red team engagements where you need detailed attribute inspection and historical change detection.

ADExplorer is part of the Sysinternals Suite and runs on Windows without installation.

| Method | Steps |
|---|---|
| Direct Download | Download ADExplorer.exe from live.sysinternals.com/ADExplorer.exe |
| Sysinternals Suite | Download the full Sysinternals Suite and extract all tools to a folder |
| No Admin Required | Most features work without elevation; snapshots may require admin for sensitive attributes |

```powershell
# Download directly (PowerShell). Use Invoke-WebRequest explicitly: 'curl' is only an
# alias for it in Windows PowerShell 5.1, and in PowerShell 7 it runs curl.exe, which
# does not understand -OutFile.
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/ADExplorer.zip" -OutFile ADExplorer.zip
Expand-Archive ADExplorer.zip -DestinationPath C:\Tools\Sysinternals
C:\Tools\Sysinternals\ADExplorer.exe
```

Launch ADExplorer and connect to a domain controller or AD-reachable server.

```text
# Start ADExplorer GUI
ADExplorer.exe

# Default connection via DC discovery
# File > Connect > [hostname or DC IP]
```

Connection Dialog:

| Option | Description |
|---|---|
| Server | Hostname, FQDN, or IP of domain controller (leave blank for local DC) |
| Port | 389 (standard LDAP), 636 (LDAPS), 3268 (Global Catalog), 3269 (GC SSL) |
| User Name | Domain\username or UPN; leave blank for anonymous bind or null session |
| Password | Leave blank for null session; enter credentials for authenticated access |
| Logon Via | SSL or Standard; use SSL for LDAPS port 636 |

```text
# Anonymous bind (if enabled)
# File > Connect
# [DC IP] : 389
# [Leave User/Password blank] > Connect

# Authenticated bind
# File > Connect
# [DC IP] : 389
# DOMAIN\username : password > Connect
```

Navigate the LDAP tree, inspect attributes, and explore AD structure.

Navigation:

  • Left pane shows DN tree (Domain → OUs → Objects)
  • Right pane shows attributes of selected object
  • Expand nodes to drill down through organizational units

```text
# Typical AD structure:
# dc=domain,dc=com
#   ├── CN=Users
#   ├── CN=Computers
#   ├── CN=System
#   └── OU=Custom
#       └── OU=Servers
```

Right-Click Context Menu:

| Action | Purpose |
|---|---|
| Expand All | Recursively expand subtree (slow on large OUs) |
| View | Toggle attribute pane visibility |
| Copy DN | Copy distinguished name to clipboard |
| Properties | Open object details dialog |

Use ADExplorer’s search to find objects by attribute matching.

Search Menu Options:

```text
# LDAP Filter Syntax
(objectClass=user)
(sAMAccountName=admin)
(memberOf=CN=Administrators,CN=Builtin,DC=domain,DC=com)
# Bitwise-AND matching rule (1.2.840.113556.1.4.803): matches when every bit of the mask is set.
# 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2), i.e. disabled user accounts
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=514))
```

Scope Levels:

| Scope | Behavior |
|---|---|
| Base | Search only the specified object (testing DN validity) |
| One Level | Search direct children only (one OU level down) |
| Subtree | Recursive search from current node downward |

Common Searches:

```text
# Find all users
(objectClass=user)

# Find service accounts (several items must be wrapped in an AND list; side by side they are not a valid filter)
(&(objectClass=user)(servicePrincipalName=*))

# Find inactive accounts (no recent logon)
# [old timestamp] is a FILETIME integer (100-ns intervals since 1601-01-01).
# lastLogon is not replicated between DCs; lastLogonTimestamp is replicated but lags by up to 14 days.
(&(objectClass=user)(lastLogon<=[old timestamp]))

# Find users with delegation set
(msDS-AllowedToDelegateTo=*)

# Find disabled accounts (bit 2 = ACCOUNTDISABLE)
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

# Find computers
(objectClass=computer)

# Find groups
(objectClass=group)
```

Search Results:

  • Double-click results to navigate to object
  • Right-click results to copy DN or open properties
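To see exactly what each filter construct above selects, here is a small evaluator for the subset of LDAP filter syntax used on this page (equality, presence `*`, `<=`/`>=`, `&`/`|`/`!` lists, and the bitwise-AND matching rule). It is an added example, not ADExplorer's code or part of the original page: the sample objects and DNs are constructed, and the evaluator also rejects the common mistake of writing two filter items side by side without an `(&...)` wrapper.

```python
"""Evaluate the LDAP filter subset used in the searches above against
constructed sample objects. Added example, not ADExplorer's own code."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample directory (not real data). Values are lists because LDAP
# attributes are multi-valued; integers are kept as strings, as on the wire.
SAMPLE_OBJECTS = {
    "CN=alice,CN=Users,DC=domain,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "userAccountControl": ["512"], "lastLogon": ["133400000000000000"],
    },
    "CN=bob,CN=Users,DC=domain,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"],
        "userAccountControl": ["514"],  # 512 + 2 = NORMAL_ACCOUNT + ACCOUNTDISABLE
        "lastLogon": ["0"],
    },
    "CN=svc-sql,CN=Users,DC=domain,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["svc-sql"],
        "userAccountControl": ["66048"],  # 512 + 65536 (DONT_EXPIRE_PASSWD)
        "servicePrincipalName": ["MSSQLSvc/db01.domain.com:1433"],
    },
    "CN=WS01,CN=Computers,DC=domain,DC=com": {
        "objectClass": ["computer"], "sAMAccountName": ["WS01$"],
        "userAccountControl": ["4096"],
    },
}

# attribute, optional ":rule:", operator, value
ITEM_RE = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?(<=|>=|=)(.*)")


def parse(text, i=0):
    """Recursive-descent parser; returns (node, index after the closing ')')."""
    if i >= len(text) or text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(text):
        raise ValueError("unexpected end of filter")
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while i < len(text) and text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"unterminated '{op}' list at offset {i}")
        return (op, children), i + 1
    if text[i] == "!":
        child, i = parse(text, i + 1)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"unterminated '!' at offset {i}")
        return ("!", [child]), i + 1
    end = text.find(")", i)
    if end < 0:
        raise ValueError("missing ')'")
    m = ITEM_RE.fullmatch(text[i:end])
    if not m:
        raise ValueError(f"bad filter item {text[i:end]!r}")
    attr, rule, op, value = m.groups()
    return ("item", attr, rule, op, value), end + 1


def compile_filter(text):
    node, end = parse(text)
    if end != len(text):  # e.g. "(a=1)(b=2)": two items with no (&...) wrapper
        raise ValueError("trailing text after filter; wrap several items in (&...) or (|...)")
    return node


def _values(attrs, name):
    """Attribute names are case-insensitive in LDAP."""
    for key, vals in attrs.items():
        if key.lower() == name.lower():
            return vals
    return []


def matches(node, attrs):
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, rule, op, value = node
    vals = _values(attrs, attr)
    if not vals:
        return False  # an absent attribute never matches, not even '*'
    if rule == BIT_AND_RULE:  # every bit of the mask must be set in some value
        mask = int(value)
        return any(int(v) & mask == mask for v in vals)
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    if op == "=":
        return value == "*" or any(v.lower() == value.lower() for v in vals)
    if op == "<=":
        return any(int(v) <= int(value) for v in vals)
    return any(int(v) >= int(value) for v in vals)


def search(filter_text, objects=SAMPLE_OBJECTS):
    """Return the sorted DNs of objects matching the filter."""
    node = compile_filter(filter_text)
    return sorted(dn for dn, attrs in objects.items() if matches(node, attrs))


if __name__ == "__main__":
    for f in ["(&(objectClass=user)(servicePrincipalName=*))",
              "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"]:
        print(f, "->", search(f))
```

Running `search("(objectClass=user)(servicePrincipalName=*)")` raises a `ValueError`, which is the behaviour a real server shows for that malformed filter; `search("(userAccountControl:1.2.840.113556.1.4.803:=514)")` returns only the disabled account, because the bitwise-AND rule requires all bits of the mask, not any of them.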

Create point-in-time snapshots of AD state for offline analysis and comparison.

Creating Snapshots:

```text
# Via GUI
# File > Create Snapshot
# [Select base DN, e.g., dc=domain,dc=com]
# [Wait for scan to complete] > Save snapshot file (.dat)
```

Command Line Snapshot Creation:

```powershell
# Create snapshot from command line (requires admin); "" = default naming context
ADExplorer.exe -snapshot "" "C:\snapshots\ad-baseline.dat"

# Specify base DN
ADExplorer.exe -snapshot "dc=domain,dc=com" "C:\snapshots\ad-prod.dat"

# Non-interactive mode for automation (PowerShell subexpression builds the timestamped name)
ADExplorer.exe -snapshot "" "C:\snapshots\$(Get-Date -f 'yyyy-MM-dd-HHmmss').dat"
```

Snapshot File Details:

| Property | Notes |
|---|---|
| Format | Binary .dat file (not human-readable) |
| Size | Varies with AD size (10MB–500MB+) |
| Portability | Snapshots load offline on any Windows machine with ADExplorer |
| Timestamped | Filename convention: ad-YYYY-MM-DD-HHMMSS.dat |

Load snapshots offline and compare against current AD or previous snapshots.

Loading a Snapshot:

```text
# File > Open Snapshot
# [Browse to .dat file] > Open
# View read-only snapshot in ADExplorer tree
```

Comparing Two Snapshots:

```text
# File > Compare Snapshots
# [Select snapshot 1 (baseline)]
# [Select snapshot 2 (current)]
# View comparison report
```

Comparison Report Shows:

| Category | Details |
|---|---|
| New Objects | Objects added since baseline (new users, computers, groups) |
| Deleted Objects | Removed objects (deprovisioned accounts, stale computers) |
| Modified Objects | Changed attributes (group membership, account status, descriptions) |
| Attribute Changes | Before/after values for each modification |

Red Team Analysis:

```powershell
# Create baseline snapshot Day 1
ADExplorer.exe -snapshot "" "C:\snapshots\ad-day1.dat"

# Create follow-up snapshot Day 7
ADExplorer.exe -snapshot "" "C:\snapshots\ad-day7.dat"

# Compare to detect:
# - New service accounts created (potential persistence)
# - Privilege escalations (group membership changes)
# - Account resets or password changes
# - New AD trusts or delegation settings
```
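The categories of the comparison report (new, deleted and modified objects with before/after values) can be reproduced programmatically for change tracking between two points in time. The following is an added example, not ADExplorer's code: its .dat snapshot format is binary and undocumented, so it is not parsed here. Instead the two snapshots are constructed dictionaries of DN to attribute-value lists, the shape one would get from an LDAP export at each point in time, and `triage` keeps only the changes to attributes that matter for privilege and persistence review.

```python
"""Diff two directory snapshots the way the ADExplorer comparison report
presents changes. Added example; snapshot data below is constructed."""

# Baseline (Day 1) and current (Day 7) snapshots: {DN: {attribute: [values]}}
BASELINE = {
    "CN=alice,CN=Users,DC=corp,DC=local": {
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=local"],
        "userAccountControl": ["512"],
        "description": ["Helpdesk analyst"],
    },
    "CN=old-svc,CN=Users,DC=corp,DC=local": {
        "userAccountControl": ["514"],
        "servicePrincipalName": ["HTTP/legacy.corp.local"],
    },
    "CN=WS01,CN=Computers,DC=corp,DC=local": {"userAccountControl": ["4096"]},
}

CURRENT = {
    "CN=alice,CN=Users,DC=corp,DC=local": {
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=local",
                     "CN=Domain Admins,CN=Users,DC=corp,DC=local"],
        "userAccountControl": ["512"],
        "description": ["Helpdesk analyst"],
    },
    "CN=svc-backup,CN=Users,DC=corp,DC=local": {
        "userAccountControl": ["66048"],
        "servicePrincipalName": ["backup/bk01.corp.local"],
    },
    "CN=WS01,CN=Computers,DC=corp,DC=local": {"userAccountControl": ["4096"]},
}

# Attributes whose changes are worth a reviewer's attention (from the table below)
WATCHED = {"memberOf", "userAccountControl", "servicePrincipalName",
           "msDS-AllowedToDelegateTo", "scriptPath", "pwdLastSet"}


def compare_snapshots(baseline, current):
    """Classify every DN as new, deleted or modified; for modified objects
    record before/after values per changed attribute."""
    report = {"new": [], "deleted": [], "modified": {}}
    for dn in sorted(set(baseline) | set(current)):
        if dn not in baseline:
            report["new"].append(dn)
        elif dn not in current:
            report["deleted"].append(dn)
        else:
            changes = {}
            for attr in sorted(set(baseline[dn]) | set(current[dn])):
                before = baseline[dn].get(attr, [])
                after = current[dn].get(attr, [])
                # order of multi-valued attributes is not significant
                if sorted(before) != sorted(after):
                    changes[attr] = {
                        "before": before, "after": after,
                        "added": [v for v in after if v not in before],
                        "removed": [v for v in before if v not in after],
                    }
            if changes:
                report["modified"][dn] = changes
    return report


def triage(report, watched=WATCHED):
    """Turn the report into one review line per finding, dropping
    modifications to attributes outside the watched set."""
    lines = [f"NEW      {dn}" for dn in report["new"]]
    lines += [f"DELETED  {dn}" for dn in report["deleted"]]
    for dn, changes in report["modified"].items():
        for attr, c in changes.items():
            if attr in watched:
                lines.append(f"MODIFIED {dn} {attr}: "
                             f"added={c['added']} removed={c['removed']}")
    return lines


if __name__ == "__main__":
    for line in triage(compare_snapshots(BASELINE, CURRENT)):
        print(line)
```

Comparing a snapshot against itself yields an empty report, which is the "Comparison shows no changes" case in the troubleshooting table: if two real snapshots diff to nothing, check that they were taken at different times with the same full subtree scope.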

Critical attributes for AD security assessment and exploitation:

| Attribute | Purpose | What to Look For |
|---|---|---|
| adminCount | Tracks admin history; 1=protected account | Accounts with 1 = former admins (credential theft targets) |
| servicePrincipalName | Service account association | Service accounts for AS-REP roasting / Kerberoasting |
| userAccountControl | Account flags (disabled, MustChangePassword, etc.) | Flags like 514 = disabled (512 + 2), 512 = enabled |
| memberOf | Group membership | Domain admins, delegation groups, GPO targets |
| msDS-AllowedToDelegateTo | Constrained delegation targets | Accounts with delegation abuse potential |
| lastLogon | Last interactive login | Stale accounts (0 = never logged in) |
| pwdLastSet | Last password change | Old passwords = weak reset policies |
| description | Free-form notes field | Cleartext passwords, hints, API keys |
| mail | Email address | User enumeration, phishing targets |
| manager | Reports-to relationship | Organizational hierarchy |
| scriptPath | Logon script path | Potential lateral movement via script modification |

Flags in userAccountControl:

```text
# Common values (bit flags; an account's value is the sum of its set flags):
# 2 = ACCOUNTDISABLE
# 16 = LOCKOUT
# 32 = PASSWD_NOTREQD
# 512 = NORMAL_ACCOUNT
# 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE (512 + 2: a disabled user account)
# 4096 = WORKSTATION_TRUST_ACCOUNT (computer)
# 8192 = SERVER_TRUST_ACCOUNT (DC)
# 65536 = DONT_EXPIRE_PASSWD
# 131072 = MNS_LOGON_ACCOUNT
# "User must change password at next logon" is not a UAC bit: it is pwdLastSet = 0
```
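Decoding these values by hand is error-prone (a mask such as 524 silently includes bit 4, which has no meaning), so here is an added example, not ADExplorer's or the page's own code, that decodes a userAccountControl value into flag names, builds the mask for the bitwise-AND filter from flag names, and runs a few defender-side checks on an account. The constants are the documented ADS_USER_FLAG values; the account values used in the usage note are constructed.

```python
"""Decode userAccountControl values and build bitwise-AND filter masks.
Added example, not ADExplorer's code. Constants are the documented
ADS_USER_FLAG values; test accounts are constructed."""

UAC_FLAGS = {  # bit value -> flag name
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the flag names set in `value`, lowest bit first. Bits with no
    documented meaning are reported as UNKNOWN_0x.. so a mistyped mask
    (524 instead of 514) is visible instead of silently matching nothing."""
    names, bit = [], 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, f"UNKNOWN_{bit:#x}"))
        bit <<= 1
    return names


def uac_mask(*flag_names):
    """Combine flag names into the integer mask used in a bitwise-AND filter."""
    return sum(NAME_TO_BIT[name] for name in flag_names)


def bit_and_filter(*flag_names):
    """LDAP filter matching objects that have ALL of the given flags set."""
    return f"(userAccountControl:{BIT_AND_RULE}:={uac_mask(*flag_names)})"


def review_account(uac, pwd_last_set):
    """Defender-side checks over one account's userAccountControl value and
    pwdLastSet (FILETIME integer; 0 means the user must change the password
    at next logon, which is not a UAC bit). Returns human-readable findings."""
    flags = set(decode_uac(uac))
    checks = [
        ("ACCOUNTDISABLE", "disabled"),
        ("PASSWD_NOTREQD", "password not required"),
        ("DONT_EXPIRE_PASSWD", "password never expires"),
        ("DONT_REQ_PREAUTH", "Kerberos pre-authentication disabled"),
        ("TRUSTED_FOR_DELEGATION", "unconstrained delegation"),
    ]
    findings = [text for flag, text in checks if flag in flags]
    if pwd_last_set == 0:
        findings.append("must change password at next logon")
    return findings


if __name__ == "__main__":
    print(decode_uac(514))        # a disabled normal user
    print(decode_uac(524))        # shows the undefined bit 4
    print(bit_and_filter("NORMAL_ACCOUNT", "ACCOUNTDISABLE"))
    print(review_account(66048, 1))
```

`decode_uac(524)` returns `['UNKNOWN_0x4', 'HOMEDIR_REQUIRED', 'NORMAL_ACCOUNT']`, which is why a filter built with 524 never finds disabled accounts; `uac_mask("NORMAL_ACCOUNT", "ACCOUNTDISABLE")` gives the intended 514.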

Common AD object classes and their purpose:

| Class | Purpose | Contains |
|---|---|---|
| user | User accounts | Interactive logon accounts, service accounts |
| computer | Computer objects | Workstations, servers, domain controllers |
| group | Security/Distribution groups | Users, computers, other groups |
| organizationalUnit | Container | Users, computers, other OUs |
| groupPolicyContainer | Group Policy object | Policy settings, access control |
| trustedDomain | Domain trust relationship | Parent/child domains, external trusts |
| domainDNS | DNS zone object | Zone records, replication metadata |
| contact | External contact | Non-AD users (distribution lists) |
| printQueue | Printer object | Printer shares, drivers, permissions |

Bookmark frequently accessed AD objects for quick navigation.

Adding Favorites:

```text
# Right-click object in tree > Add to Favorites
# Or: Favorites menu > [object DN]
```

Favorites Use Cases:

  • Bookmark critical OUs (Domain Admins, Tier-0 accounts)
  • Track high-privilege group memberships
  • Monitor sensitive containers (AdminSDHolder, System)
  • Flag objects with interesting attributes (delegation, scripts)

Automate snapshot creation and integrate with pentesting frameworks.

| Option | Syntax | Purpose |
|---|---|---|
| -snapshot | -snapshot "baseDN" "outputfile.dat" | Create snapshot non-interactively (requires admin) |
| -compare | Not supported via CLI | Use GUI for snapshot comparison |
| -server | -server hostname | Connect to specific server (not commonly used) |

Automation Examples:

```powershell
# Output folder must exist before ADExplorer writes to it
New-Item -ItemType Directory -Force -Path C:\snapshots | Out-Null

# Daily baseline snapshots
$date = Get-Date -f 'yyyy-MM-dd'
ADExplorer.exe -snapshot "dc=corp,dc=local" "C:\snapshots\ad-$date.dat"

# Batch snapshot across multiple domains
$domains = @('dc=corp,dc=local', 'dc=subsidiary,dc=local')
foreach ($dn in $domains) {
    # 'dc=corp,dc=local' -> 'corp_local': strip the dc= prefixes, then join the components
    $name = ($dn -replace 'dc=', '') -replace ',', '_'
    ADExplorer.exe -snapshot "$dn" "C:\snapshots\ad-$name.dat"
}

# Capture snapshot with timestamp for change tracking
$timestamp = Get-Date -f 'yyyy-MM-dd-HHmmss'
ADExplorer.exe -snapshot "" "C:\snapshots\ad-$timestamp.dat"
```

ADExplorer capabilities for offensive AD assessment.

Reconnaissance:

  • Browse AD tree to map organizational structure
  • Identify high-value targets (tier-0 admins, service accounts)
  • Extract email addresses, groups, computer names for phishing
  • Find stale accounts (weak resets, forgotten credentials)

Snapshot-Based Analysis:

```text
# Baseline snapshot pre-compromise
# Exfiltrate snapshot to attacker machine
# Long-term monitoring: Compare Week 1 → Week 4 snapshots
# Detect: New persistence accounts, privilege escalation, domain trusts
```

Attribute Mining:

  • Search description fields for passwords, API keys, secrets
  • Identify servicePrincipalName targets for Kerberoasting
  • Find msDS-AllowedToDelegateTo for delegation abuse
  • Check scriptPath for logon script lateral movement
  • Enumerate group memberships for privilege analysis

Offline Analysis:

  • Exfiltrate snapshot files from domain
  • Load on non-domain machine with ADExplorer
  • Analyze offline without detection (no LDAP queries logged on DC)
  • Compare multiple snapshots to track persistence

Troubleshooting:

| Issue | Cause | Solution |
|---|---|---|
| "Could not contact server" | DC unreachable, firewall blocking port 389 | Verify DC IP, port 389/636 accessible, correct credentials |
| "Access Denied" on snapshot | Non-admin user trying to snapshot sensitive attributes | Run ADExplorer as admin or use authenticated domain account |
| Snapshot creation hangs | Large AD, network latency | Allow more time or reduce scope (specify base OU) |
| Comparison shows no changes | Snapshots taken at same time or filtered view | Create new baseline, verify full subtree scope selected |
| Attributes missing/truncated | LDAP size limit exceeded | Reduce query scope or adjust DC LDAP policy |
| Cannot load snapshot file | Corrupted .dat or version mismatch | Re-create snapshot; ensure consistent ADExplorer version |

Best Practices:

  • Regular Baselines: Create weekly snapshots for change detection and anomaly tracking
  • Secure Snapshots: Snapshots contain sensitive AD data; store encrypted or restricted
  • Authenticated Access: Use explicit domain credentials for comprehensive attribute access
  • Offline Analysis: Export snapshots for analysis on secure analyst machine (no domain access)
  • Scope Limiting: For large forests, snapshot specific OUs instead of entire tree (faster, smaller files)
  • Timestamped Naming: Use consistent naming convention (e.g., ad-YYYY-MM-DD-HHmmss.dat) for tracking
  • Comparison Frequency: Compare snapshots at regular intervals to detect unauthorized changes
  • Documentation: Record snapshot dates, scope, and any findings for audit trail

Related Tools:

| Tool | Purpose |
|---|---|
| BloodHound | AD visualization, attack path analysis, privilege relationships |
| PowerView | PowerShell AD enumeration, detailed attribute queries, delegation discovery |
| ADFind | Command-line LDAP queries, scriptable AD enumeration, attribute export |
| ldapdomaindump | LDAP domain information dump, offline analysis, HTML reports |
| ADRecon | Comprehensive AD reconnaissance, Excel-based reporting, security gaps |
| Get-ADObject | PowerShell native AD cmdlet for attribute inspection and filtering |
| ldapsearch | Native LDAP client, portable, scriptable AD queries |
| Impacket (GetADUsers.py) | Python-based AD enumeration, no agent required |