Azure AD Connect 同步:防止意外删除Azure AD Connect sync: Prevent accidental deletes

本主题说明 Azure AD Connect 中的防止意外删除功能。This topic describes the prevent accidental deletes (preventing accidental deletions) feature in Azure AD Connect.

安装 Azure AD Connect 时,将默认启用防止意外删除功能,并将其配置为不允许超过 500 个删除项目的导出。When installing Azure AD Connect, prevent accidental deletes is enabled by default and configured to not allow an export with more than 500 deletes. 此功能旨在防止发生意外的配置更改,以及防止发生影响许多用户和其他对象的本地目录更改。This feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and other objects.

什么是防止意外删除?What is prevent accidental deletes

经常出现删除操作的场景包括:Common scenarios when you see many deletes include:

  • 在取消选择整个 OU的情况下更改筛选设置。Changes to filtering where an entire OU or domain is unselected.
  • 删除了 OU 中的所有对象。All objects in an OU are deleted.
  • 对某个 OU 进行了重命名,因此其中的所有对象被视为超出同步范围。An OU is renamed so all objects in it are considered to be out of scope for synchronization.

可以通过 PowerShell 使用 Enable-ADSyncExportDeletionThreshold(这是随 Azure Active Directory Connect 安装的 AD Sync 模块的一部分)更改默认值 500 个对象。The default value of 500 objects can be changed with PowerShell using Enable-ADSyncExportDeletionThreshold, which is part of the AD Sync module installed with Azure Active Directory Connect. 应对此值进行配置以适合组织的规模。You should configure this value to fit the size of your organization. 由于同步计划程序每隔 30 分钟运行一次,因此该值是 30 分钟内看到的删除数目。Since the sync scheduler runs every 30 minutes, the value is the number of deletes seen within 30 minutes.

如果暂存了太多要导出到 Azure AD 的删除项目,就不会继续导出,并且会收到一封内容如下所示的电子邮件:If there are too many deletes staged to be exported to Azure AD, then the export stops and you receive an email like this:

有关防止意外删除的电子邮件

你好(技术联系人)。标识同步服务在(时间)检测到删除数目超过了为(组织名称)配置的删除阈值。在此次标识同步运行期间,总共已发送(数目)个对象进行删除。这达到或超过了配置的删除阈值,即(数目)个对象。在继续之前,我们需要你确认应该处理这些删除。有关此电子邮件中所列错误的详细信息,请参阅“防止意外删除”。Hello (technical contact). At (time) the Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold for (organization name). A total of (number) objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of (number) objects. We need you to provide confirmation that these deletions should be processed before we will proceed. Please see the preventing accidental deletions for more information about the error listed in this email message.

在 Synchronization Service Manager UI 中查看导出配置文件时,还可以看到状态 stopped-deletion-threshold-exceededYou can also see the status stopped-deletion-threshold-exceeded when you look in the Synchronization Service Manager UI for the Export profile. 有关防止意外删除的 Sync Service Manager UIPrevent Accidental deletes Sync Service Manager UI

如果这是意外情况,请进行调查,并采取纠正措施。If this was unexpected, then investigate and take corrective actions. 要查看哪些对象即将被删除,请执行以下操作:To see which objects are about to be deleted, do the following:

  1. 从“开始”菜单启动“同步服务”。 Start Synchronization Service from the Start Menu.
  2. 转到“连接器”。 Go to Connectors.
  3. 选择 Azure Active Directory类型的连接器。Select the Connector with type Azure Active Directory.
  4. 在右侧的“操作”下,选择“搜索连接器空间”。 Under Actions to the right, select Search Connector Space.
  5. 在“范围”下的弹出框中选择“连接断开起始时间”,并选择过去的一个时间。 In the pop-up under Scope, select Disconnected Since and pick a time in the past. 单击“搜索”。 Click Search. 可以在此页上查看所有即将删除的对象。This page provides a view of all objects about to be deleted. 单击每个项可以获取有关该对象的更多信息。By clicking each item, you can get additional information about the object. 也可以单击“列设置”,添加要在网格中显示的其他属性。 You can also click Column Setting to add additional attributes to be visible in the grid.

搜索连接器空间

[!NOTE] 如果你不确定所有删除是否都是必需的,并且希望使用更安全的方法。If you aren't sure all deletes are desired, and wish to go down a safer route. 可以使用 PowerShell cmdlet:Enable-ADSyncExportDeletionThreshold 来设置新阈值,而不是禁用可能允许不需要的删除的阈值。You can use the PowerShell cmdlet : Enable-ADSyncExportDeletionThreshold to set a new threshold rather than disabling the threshold which could allow undesired deletions.

如果想要查看所有删除项,请执行以下操作:If all the deletes are desired, then do the following:

  1. 若要检索当前的删除阈值,请运行 PowerShell cmdlet Get-ADSyncExportDeletionThresholdTo retrieve the current deletion threshold, run the PowerShell cmdlet Get-ADSyncExportDeletionThreshold. 提供 Azure AD 全局管理员帐户和密码。Provide an Azure AD Global Administrator account and password. 默认值为 500。The default value is 500.
  2. 若要暂时禁用此保护并允许删除这些项,请运行 PowerShell cmdlet: Disable-ADSyncExportDeletionThresholdTo temporarily disable this protection and let those deletes go through, run the PowerShell cmdlet: Disable-ADSyncExportDeletionThreshold. 提供 Azure AD 全局管理员帐户和密码。Provide an Azure AD Global Administrator account and password. 凭据Credentials
  3. 如果 Azure Active Directory 连接器仍被选中,请选择“运行”操作,再选择“导出”。 With the Azure Active Directory Connector still selected, select the action Run and select Export.
  4. 若要重新启用保护,请运行 PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500To re-enable the protection, run the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500. 检索当前的删除阈值时,请将 500 替换成看到的值。Replace 500 with the value you noticed when retrieving the current deletion threshold. 提供 Azure AD 全局管理员帐户和密码。Provide an Azure AD Global Administrator account and password.

后续步骤Next steps

概述主题Overview topics