Rolling back changes

Active Directory Auditing allows you to reverse unwanted or suspicious changes directly from the audit log. This enables rapid response to security incidents, misconfigurations, or accidental changes—without needing to perform a full restore.

What is rollback?

Rollback uses captured audit data to revert a change back to its previous state.

Each audit event contains:

  • What changed

  • The previous value

  • The new value

  • The target object

Using this information, the system applies the inverse operation to Active Directory.

Supported rollback scenarios

Rollback is most effective for attribute and membership changes, including:

Common supported scenarios

  • Removing a user from a privileged group (e.g., Domain Admins)

  • Reverting user account changes (enable/disable, attribute updates)

  • Reverting group membership changes

  • Undoing permission or delegation changes (where sufficient data is captured)

  • Reverting configuration changes such as GPO links

Not supported (or limited) scenarios

Some changes cannot be reliably rolled back from audit data alone:

  • Object lifecycle operations

    • Object creation (cannot "un-create" safely)

    • Object deletion (requires restore, not rollback)

  • Complex or chained operations

    • Changes where the original object no longer exists

    • Multi-step changes performed across different events without correlation

  • Partial support

    • Permission changes (depends on captured detail)

    • Linked attributes (for example, manager relationships)

In these cases, use Active Directory restore workflows instead.

How rollback works

At a high level:

  1. You select one or more audit events

  2. The system:

    • Retrieves event details from the audit store

    • Builds a rollback plan (restore vector)

    • Determines the appropriate domain controller

  3. A rollback job is executed

  4. The change is applied back to Active Directory
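The planner below is an added example, not code from Active Directory Auditing, that models the steps above together with the supported and unsupported scenarios listed earlier: each audit event carries what changed, the previous value, the new value and the target object, and the inverse operation is derived from those fields. The event schema, operation names, the in-memory "directory" and the sample events are all constructed assumptions for illustration. It also shows the two behaviours a practitioner should expect from a real rollback: lifecycle operations and vanished targets are refused with a reason (use restore instead), and every applied step is recorded as a new, system-driven audit event.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical audit-event model: the page does not show the product's real schema,
# so these field and operation names are assumptions made for this example.
@dataclass(frozen=True)
class AuditEvent:
    event_id: str
    timestamp: datetime
    actor: str                   # who made the change
    operation: str               # modify | member_add | member_remove | create | delete
    target_dn: str               # the target object
    attribute: Optional[str]     # what changed
    old_value: Optional[str]     # previous value (member DN for member_remove)
    new_value: Optional[str]     # new value (member DN for member_add)
    system_driven: bool = False  # True when produced by a rollback job

@dataclass(frozen=True)
class RollbackStep:
    event_id: str                # the audit event this step reverts
    operation: str
    target_dn: str
    attribute: Optional[str]
    value: Optional[str]

def invert(event, directory):
    """Derive the inverse operation for one event, or say why it cannot be rolled back."""
    if event.operation in ("create", "delete"):
        return None, "object lifecycle operation: use restore, not rollback"
    if event.target_dn not in directory:
        return None, "target object no longer exists"
    if event.operation == "modify":
        if event.old_value is None:
            return None, "previous value was not captured"
        return RollbackStep(event.event_id, "modify", event.target_dn, event.attribute, event.old_value), "ok"
    if event.operation == "member_add":
        return RollbackStep(event.event_id, "member_remove", event.target_dn, "member", event.new_value), "ok"
    if event.operation == "member_remove":
        return RollbackStep(event.event_id, "member_add", event.target_dn, "member", event.old_value), "ok"
    return None, f"unsupported operation: {event.operation}"

def build_plan(events, directory, actor=None, since=None):
    """Select events (optionally filtered by actor and time) and build the rollback plan.
    Steps are ordered newest-first so a chain of edits to one attribute unwinds correctly."""
    steps, skipped = [], {}
    for ev in sorted(events, key=lambda e: e.timestamp, reverse=True):
        if ev.system_driven or (actor is not None and ev.actor != actor):
            continue  # never auto-revert a rollback's own events; honour the actor filter
        if since is not None and ev.timestamp < since:
            continue
        step, reason = invert(ev, directory)
        if step is None:
            skipped[ev.event_id] = reason
        else:
            steps.append(step)
    return steps, skipped

def apply_plan(steps, directory, now, job_id):
    """Apply the plan to the in-memory directory; each step emits a system-driven audit event."""
    emitted = []
    for i, step in enumerate(steps):
        obj = directory[step.target_dn]
        if step.operation == "modify":
            old, new = obj.get(step.attribute), step.value
            obj[step.attribute] = new
        elif step.operation == "member_remove":
            old, new = step.value, None
            obj.setdefault("member", set()).discard(old)
        else:  # member_add
            old, new = None, step.value
            obj.setdefault("member", set()).add(new)
        emitted.append(AuditEvent(f"{job_id}-{i}", now, f"rollback-job:{job_id}", step.operation,
                                  step.target_dn, step.attribute, old, new, system_driven=True))
    return emitted

# Constructed sample data (not from the page).
ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def sample_directory():
    return {ADMINS: {"member": {"CN=admin,CN=Users,DC=example,DC=com", ALICE}},
            ALICE: {"userAccountControl": "514", "description": "after"}}

def sample_events():
    return [
        AuditEvent("e1", T0, "svc_helpdesk", "member_add", ADMINS, "member", None, ALICE),
        AuditEvent("e2", T0.replace(minute=5), "svc_helpdesk", "modify", ALICE, "userAccountControl", "512", "514"),
        AuditEvent("e3", T0.replace(minute=10), "svc_helpdesk", "modify", ALICE, "description", "before", "middle"),
        AuditEvent("e4", T0.replace(minute=15), "svc_helpdesk", "modify", ALICE, "description", "middle", "after"),
        AuditEvent("e5", T0.replace(minute=20), "svc_helpdesk", "delete", BOB, None, None, None),
        AuditEvent("e6", T0.replace(minute=25), "jdoe", "modify", ALICE, "title", "Analyst", "Engineer"),
    ]

def demo(actor="svc_helpdesk"):
    """Plan and apply a rollback of everything the given actor did; returns the end state."""
    directory = sample_directory()
    steps, skipped = build_plan(sample_events(), directory, actor=actor)
    emitted = apply_plan(steps, directory, T0.replace(hour=13), "job1")
    return directory, steps, skipped, emitted
```

Running `demo()` reverts the four attribute and membership changes made by `svc_helpdesk` (the privileged group addition, the account disable and both description edits, unwound newest-first), refuses the deletion with a pointer to restore, and leaves the unrelated change by `jdoe` untouched because of the actor filter. Feeding the emitted events back into `build_plan` yields an empty plan, which is the "clear distinction between user actions and system-driven recovery" the audit trail is meant to give.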

Performing a rollback

Roll back a single change

  1. Locate the event in the Events table.

  2. Open the action menu.

  3. Select Rollback.

  4. Review the change details.

  5. Click Submit.

Roll back multiple changes

  1. Select multiple events.

  2. Click Rollback.

  3. Review impacted objects.

  4. Submit the rollback job.

Roll back using filters

You can also:

  • Filter events (for example, by user or time range)

  • Roll back all matching changes in bulk

Important considerations

  1. Review before rollback

    Rollback directly modifies Active Directory. Always verify:

    • The change is truly unwanted

    • The impact of reverting it

    • Dependencies (group membership, permissions, etc.)

  2. Privileged access required

    Rollback operations require sufficient permissions to:

    • Modify AD objects

    • Change group membership

    • Update security settings

  3. Rollback is audited

    Rollback actions themselves are tracked as new audit events, ensuring:

    • Full traceability

    • Clear distinction between user actions and system-driven recovery

  4. Domain controller selection

    Rollback may execute on a different DC than the original change if needed (for availability).

Best practices

  • Use rollback for targeted corrections, not broad recovery

  • Prefer rollback for:

    • Privilege escalations

    • Suspicious changes

    • Misconfigurations

  • Use restore workflows for:

    • Deleted objects

    • Large-scale recovery

    • Disaster scenarios
