User privacy and Azure AD Connect

Note

This article provides steps for deleting personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general information about the GDPR, see the GDPR section of the Service Trust portal.

Note

This article deals with Azure AD Connect and user privacy.

User privacy for Azure AD Connect installations can be improved in two ways:

  1. Upon request, extract the data for a person and remove that person's data from the installations
  2. Ensure no data is retained beyond 48 hours.

The Azure AD Connect team recommends the second option, since it is much easier to implement and maintain.

An Azure AD Connect sync server stores the following user privacy data:

  1. Data about a person in the Azure AD Connect database
  2. Data in the Windows Event log files that may contain information about a person
  3. Data in the Azure AD Connect installation log files that may contain information about a person

Azure AD Connect customers should follow these guidelines when removing user data:

  1. Delete the contents of the folder that contains the Azure AD Connect installation log files on a regular basis - at least every 48 hours
  2. This product may also create Event Logs. To learn more about Event Logs, see the documentation here.

Data about a person is automatically removed from the Azure AD Connect database when that person's data is removed from the source system where it originated. No specific action from administrators is required to be GDPR compliant. However, it does require that the Azure AD Connect data is synced with your data source at least every two days.
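Because the database relies on the sync cycle to purge data, a practitioner will want a quick way to confirm that the sync scheduler is enabled and that its effective interval stays within the two-day window. The following check is an added example, not part of the original article; it uses the ADSync module's Get-ADSyncScheduler cmdlet that ships with Azure AD Connect, and it is meant to be run on the sync server itself. The 48-hour threshold is taken from the article; the function name is my own.

```powershell
# Added example: verify that the Azure AD Connect sync scheduler meets the
# "synced at least every two days" requirement stated in the article.
# Requires the ADSync module, which is installed with Azure AD Connect.
Import-Module ADSync

function Test-AADConnectSyncWindow {
    param(
        # Maximum allowed gap between sync cycles (48 hours per the article)
        [TimeSpan]$MaxInterval = [TimeSpan]::FromHours(48)
    )

    $scheduler = Get-ADSyncScheduler

    $result = [PSCustomObject]@{
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled
        EffectiveInterval  = $scheduler.CurrentlyEffectiveSyncCycleInterval
        SchedulerSuspended = $scheduler.SchedulerSuspended
        NextCycleUtc       = $scheduler.NextSyncCycleStartTimeInUTC
        Compliant          = $false
    }

    # The database is only purged if cycles actually run, so all three
    # conditions must hold: enabled, not suspended, and interval <= 48h.
    $result.Compliant = $scheduler.SyncCycleEnabled -and
                        -not $scheduler.SchedulerSuspended -and
                        ($scheduler.CurrentlyEffectiveSyncCycleInterval -le $MaxInterval)

    if (-not $result.Compliant) {
        Write-Warning "Sync scheduler does not guarantee a sync within $($MaxInterval.TotalHours) hours; review Set-ADSyncScheduler settings."
    }

    return $result
}

Test-AADConnectSyncWindow | Format-List
```

The default Azure AD Connect interval is far shorter than 48 hours, so this check is mostly useful for catching a scheduler that was suspended or disabled during maintenance and never re-enabled, which would silently stop the automatic removal the article relies on.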

Delete the Azure AD Connect installation log file folder contents

Regularly check and delete the contents of the c:\programdata\aadconnect folder - except for the PersistedState.Xml file. This file maintains the state of the previous installation of Azure AD Connect and is used when an upgrade installation is performed. This file doesn't contain any data about a person and shouldn't be deleted.

Important

Do not delete the PersistedState.xml file. This file contains no user information and maintains the state of the previous installation.

You can either review and delete these files using Windows Explorer, or you can use a script like the following to perform the necessary actions:

# Enumerate every file (not folders) under the Azure AD Connect log folder
$Files = (Get-ChildItem -Path "$env:ProgramData\AADConnect" -Recurse -File).FullName
# The one file that must survive: it holds the previous installation state
$Keep = "$env:ProgramData\AADConnect\PersistedState.xml"
foreach ($File in $Files) {
    # Case-insensitive comparison so the protected file is never removed
    if ($File.ToUpper() -ne $Keep.ToUpper()) {
        Remove-Item -Path $File -Force
    }
}

Schedule this script to run every 48 hours

Use the following steps to schedule the script to run every 48 hours.

  1. Save the script in a file with the extension .PS1, then open the Control Panel and click on System and Security.

  2. Under the Administrative Tools heading, click on Schedule Tasks.

  3. In Task Scheduler, right-click on Task Scheduler Library and click on Create Basic Task…

  4. Enter the name for the new task and click Next.

  5. Select Daily for the task trigger and click on Next.

  6. Set the recurrence to 2 days and click Next.

  7. Select Start a program as the action and click on Next.

  8. Type PowerShell in the Program/script box, and in the box labeled Add arguments (optional), enter the full path to the script that you created earlier, then click Next.

  9. The next screen shows a summary of the task you are about to create. Verify the values and click Finish to create the task.
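The nine steps above create the task through the Task Scheduler UI. The same task can be registered from an elevated PowerShell prompt, which is easier to repeat across several sync servers and to keep under version control. This is an added example, not part of the original article, built on the ScheduledTasks module cmdlets (New-ScheduledTaskAction, New-ScheduledTaskTrigger, New-ScheduledTaskPrincipal, Register-ScheduledTask) available on Windows Server 2012 and later. The script path C:\Scripts\Clear-AADConnectLogs.ps1 and the task name are placeholders; substitute the location where you saved the cleanup script from the previous section.

```powershell
# Added example: register the 48-hour cleanup task without the GUI wizard.
# Assumed placeholder path to the cleanup script saved earlier (adjust as needed).
$ScriptPath = 'C:\Scripts\Clear-AADConnectLogs.ps1'
$TaskName   = 'AADConnect-ClearInstallLogs'   # placeholder task name

if (-not (Test-Path -Path $ScriptPath -PathType Leaf)) {
    throw "Cleanup script not found at $ScriptPath"
}

# Step 7/8 equivalent: run PowerShell with the script as its argument.
# -NoProfile and -NonInteractive keep the unattended run predictable.
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# Step 5/6 equivalent: daily trigger with a two-day recurrence, i.e. every 48 hours.
$Trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 2 -At 3:00AM

# The log folder lives under ProgramData, so run as SYSTEM; this also means
# the task runs whether or not an administrator is logged on.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# If the server was off at the scheduled time, run as soon as it is back,
# so the 48-hour retention window is not silently exceeded.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force `
    -Description 'Deletes Azure AD Connect installation log files every 48 hours, keeping PersistedState.xml'

# Confirm the registration and show the next scheduled run.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastRunTime, LastTaskResult
```

Running the task as SYSTEM and enabling StartWhenAvailable are the two details the wizard does not prompt for, and both matter here: a task tied to a specific user account stops running when that account's password changes, and a missed trigger on a patched-and-rebooted server would otherwise leave the log folder untouched until the next cycle.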

Next steps