Azure AD Connect sync: Enable AD recycle bin

It is recommended that you enable the AD Recycle Bin feature for the on-premises Active Directory forests that are synchronized to Azure AD.

If you accidentally delete an on-premises AD user object and restore it using this feature, Azure AD restores the corresponding Azure AD user object. For information about the AD Recycle Bin feature, refer to the article Scenario Overview for Restoring Deleted Active Directory Objects.

Benefits of enabling the AD recycle bin

This feature helps with restoring Azure AD user objects in the following way:

  • If you accidentally delete an on-premises AD user object, the corresponding Azure AD user object is deleted in the next sync cycle. By default, Azure AD keeps the deleted Azure AD user object in a soft-deleted state for 30 days.

  • If you have the on-premises AD Recycle Bin feature enabled, you can restore the deleted on-premises AD user object without changing its Source Anchor value. When the recovered on-premises AD user object is synchronized to Azure AD, Azure AD restores the corresponding soft-deleted Azure AD user object. For information about the Source Anchor attribute, refer to the article Azure AD Connect: Design concepts.

  • If you do not have the on-premises AD Recycle Bin feature enabled, you may have to create a new AD user object to replace the deleted one. If the Azure AD Connect Synchronization Service is configured to use a system-generated AD attribute (such as ObjectGUID) as the Source Anchor attribute, the newly created AD user object will not have the same Source Anchor value as the deleted AD user object. When the newly created AD user object is synchronized to Azure AD, Azure AD creates a new Azure AD user object instead of restoring the soft-deleted Azure AD user object.

Note

By default, Azure AD keeps deleted Azure AD user objects in a soft-deleted state for 30 days before they are permanently deleted. However, administrators can accelerate the deletion of such objects. Once the objects are permanently deleted, they can no longer be recovered, even if the on-premises AD Recycle Bin feature is enabled.
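The procedure the list above and this note describe, as an added PowerShell example that is not part of the original article or of Azure AD Connect itself: it verifies that the Recycle Bin is enabled, restores a deleted on-premises user with its Source Anchor intact, and then checks that a soft-deleted cloud user with the matching ImmutableId still exists before the next sync cycle runs. It assumes the ActiveDirectory and MSOnline modules, a forest named contoso.com and a deleted user jdoe; all three are placeholders.

```powershell
# Added example (not from the original article). contoso.com and jdoe are placeholders.
Import-Module ActiveDirectory

# 1. Check whether the Recycle Bin optional feature is enabled for the forest.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    # Enabling is forest-wide and irreversible; requires Enterprise Admin rights.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false
}

# 2. Locate the deleted user; deleted objects are hidden unless -IncludeDeletedObjects is given.
$deleted = Get-ADObject -Filter 'sAMAccountName -eq "jdoe" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties objectGUID, 'mS-DS-ConsistencyGuid', lastKnownParent

# 3. Restore it in place. objectGUID and mS-DS-ConsistencyGuid are preserved by the
#    Recycle Bin, so the Source Anchor that Azure AD Connect computes does not change.
Restore-ADObject -Identity $deleted.ObjectGUID

# 4. Azure AD stores the Source Anchor as ImmutableId: the base64 encoding of the GUID bytes.
#    Prefer mS-DS-ConsistencyGuid when it is set, otherwise fall back to objectGUID.
$anchorGuid = if ($deleted.'mS-DS-ConsistencyGuid') {
    [guid]::new([byte[]]$deleted.'mS-DS-ConsistencyGuid')
} else {
    $deleted.ObjectGUID
}
$expectedImmutableId = [Convert]::ToBase64String($anchorGuid.ToByteArray())

# 5. Confirm a soft-deleted cloud user with that anchor still exists (30-day window).
Connect-MsolService
$cloudUser = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.ImmutableId -eq $expectedImmutableId }
if ($cloudUser) {
    "Soft-deleted Azure AD user {0} matches ImmutableId {1}; the next sync cycle restores it." -f `
        $cloudUser.UserPrincipalName, $expectedImmutableId
} else {
    "No soft-deleted cloud user with ImmutableId $expectedImmutableId: it was permanently deleted " +
    "(30-day window elapsed or an administrator hard-deleted it), so sync will create a new object."
}
```

If the user's original OU was also deleted, pass -TargetPath to Restore-ADObject to place it under an existing container; the Source Anchor is still preserved.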

Next steps

Overview topics