Azure AD Connect sync: Enable AD recycle bin

It is recommended that you enable the AD Recycle Bin feature for your on-premises Active Directories that are synchronized to Azure AD.

If you accidentally delete an on-premises AD user object and restore it using this feature, Azure AD restores the corresponding Azure AD user object. For information about the AD Recycle Bin feature, refer to the article Scenario Overview for Restoring Deleted Active Directory Objects.

Benefits of enabling the AD recycle bin

This feature helps with restoring Azure AD user objects by doing the following:

  • If you accidentally delete an on-premises AD user object, the corresponding Azure AD user object is deleted in the next sync cycle. By default, Azure AD keeps the deleted Azure AD user object in a soft-deleted state for 30 days.

  • If the on-premises AD Recycle Bin feature is enabled, you can restore the deleted on-premises AD user object without changing its Source Anchor value. When the recovered on-premises AD user object is synchronized to Azure AD, Azure AD restores the corresponding soft-deleted Azure AD user object. For information about the Source Anchor attribute, refer to the article Azure AD Connect: Design concepts.

  • If the on-premises AD Recycle Bin feature is not enabled, you may have to create a new AD user object to replace the deleted one. If Azure AD Connect Synchronization Service is configured to use a system-generated AD attribute (such as ObjectGuid) as the Source Anchor attribute, the newly created AD user object will not have the same Source Anchor value as the deleted AD user object. When the newly created AD user object is synchronized to Azure AD, Azure AD creates a new Azure AD user object instead of restoring the soft-deleted Azure AD user object.
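The recovery path described above, as an added example that is not part of the original article: check that the forest-wide Recycle Bin feature is on, restore the deleted user in place, and confirm that its ObjectGUID (and therefore the Source Anchor) survived before pushing a delta sync. The forest name `contoso.com`, the account `jdoe`, and the assumption that Azure AD Connect derives the Source Anchor from ObjectGUID are constructed placeholders; the restore steps need the RSAT ActiveDirectory module, and the final sync call must run on the Azure AD Connect server.

```powershell
# Added example (not the article's or Microsoft's own script).
# Assumptions: RSAT ActiveDirectory module, an Enterprise Admin session,
# constructed placeholders 'contoso.com' and 'jdoe', and ObjectGUID used as
# the Source Anchor by Azure AD Connect.
Import-Module ActiveDirectory

$forest = 'contoso.com'   # placeholder forest name
$sam    = 'jdoe'          # placeholder sAMAccountName of the deleted user

# 1. Verify the Recycle Bin optional feature is enabled for the forest.
#    Enabling it is forest-wide and cannot be undone.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. Locate the deleted user. Deleted objects are only returned when
#    -IncludeDeletedObjects is set; lastKnownParent records its former OU.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $sam } `
    -IncludeDeletedObjects -Properties lastKnownParent, objectGUID
if (-not $deleted) {
    throw "No deleted object for '$sam' found; it may be past the deleted-object lifetime."
}
$originalGuid = $deleted.objectGUID

# 3. Restore the object in place. Because the same object comes back,
#    its ObjectGUID (and so the Source Anchor) is unchanged.
Restore-ADObject -Identity $originalGuid

# 4. Confirm the Source Anchor really is the same before syncing. A mismatch
#    means Azure AD would create a new user instead of un-soft-deleting the old one.
$restored = Get-ADUser -Identity $sam -Properties objectGUID
if ($restored.objectGUID -ne $originalGuid) {
    throw 'ObjectGUID changed after restore; Azure AD will not match the soft-deleted user.'
}
Write-Output "Restored '$sam' to $($deleted.lastKnownParent) with unchanged ObjectGUID $originalGuid."

# 5. On the Azure AD Connect server, run a delta sync so the restored object is
#    exported; Azure AD then restores the matching soft-deleted user (within 30 days).
Start-ADSyncSyncCycle -PolicyType Delta
```

Creating a replacement user instead of restoring would produce a fresh ObjectGUID, which is exactly the failure the article warns about, so step 4 is the check worth keeping in any restore runbook.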

Note

By default, Azure AD keeps deleted Azure AD user objects in a soft-deleted state for 30 days before they are permanently deleted. However, administrators can accelerate the deletion of such objects. Once the objects are permanently deleted, they can no longer be recovered, even if the on-premises AD Recycle Bin feature is enabled.

Next steps

Overview topics