DirSync: How To Avoid Syncing Accidental Deletes To The Cloud Directory
Accidental deletions can have a huge negative impact on your environment, especially if they are synchronized to your Azure Active Directory.
One indicator for accidental deletions is a high number of staged deletions.
To minimize the impact of accidental deletions, the Directory Sync tool provides you with a feature that enables you to set a threshold for staged deletions.
If the number of staged deletions exceeds your configured threshold, the Directory Sync tool considers the staged deletions to be accidental or unwanted deletions.
In this case, none of the staged deletions in that processing cycle are synchronized to Azure Active Directory.
The objective of this article is to explain how to manage this feature.
Note: This article is for DirSync. If you are using Azure AD Connect, please visit https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/ instead.
Setup
To enable the feature, you use the directory synchronization Windows PowerShell cmdlet.
The cmdlet is installed when you install the Directory Sync tool.
To enable prevention of accidental deletes, perform the following steps:
Open PowerShell, and then type Import-Module DirSync
Type the following command, and then press ENTER
Set-PreventAccidentalDeletes -Enable -ObjectDeletionThreshold <Integer>
Error Handling
When the total number of deletes planned for a sync cycle is more than the ObjectDeletionThreshold value that you have set, you receive an email.
You can look at all the pending deletes that were prevented from syncing by performing the following steps:
On the computer that is running the Directory Sync tool, navigate to the directory synchronization installation folder.
By default, it is located here: %programfiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell (the location depends on the version you have installed).
Double-click on miisclient.exe.
Select the Management Agents tab.
Right-click the Windows Azure Active Directory Connector management agent, and then click Search Connector Space.
In the window that pops up, set the Scope to Disconnected Since and click Search.
The objects that have been suppressed for deletion will appear.
If all the deletes in the above list are desired, then use the following steps to disable the threshold:
Open PowerShell, and then type Import-Module DirSync
In the Windows PowerShell window, type the following and then press ENTER:
Set-PreventAccidentalDeletes -Disable
Run a Full Synchronization
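The following script is an added example, not part of the original article or of the DirSync tool itself. It wraps the two procedures described above (enabling the threshold, and lifting it after every suppressed delete has been reviewed) in reusable functions. The threshold value 500 is a constructed placeholder; Start-OnlineCoexistenceSync -FullSync is assumed to be the DirSync cmdlet available on your build for triggering a full synchronization manually, and the reminder to re-enable the threshold afterwards is a safety practice added here rather than a step from the article.

```powershell
# Added example (not from the original article). Run on the DirSync server
# in an elevated Windows PowerShell session.

Import-Module DirSync

function Enable-DeleteThreshold {
    param(
        # Maximum number of staged deletions tolerated in one sync cycle.
        # 500 is a constructed value; choose one that reflects the normal
        # object churn in your forest so that legitimate cleanup is not blocked.
        [Parameter(Mandatory)]
        [ValidateRange(1, [int]::MaxValue)]
        [int]$ObjectDeletionThreshold
    )
    Set-PreventAccidentalDeletes -Enable -ObjectDeletionThreshold $ObjectDeletionThreshold
    Write-Host "Accidental-delete prevention enabled; threshold = $ObjectDeletionThreshold"
}

function Invoke-ReviewedDeleteSync {
    # Call this only after reviewing the suppressed objects in miisclient.exe
    # (Management Agents -> Search Connector Space -> Scope: Disconnected Since)
    # and confirming that every pending delete is intended.
    $answer = Read-Host "All suppressed deletes reviewed and confirmed intended? (yes/no)"
    if ($answer -ne 'yes') {
        Write-Warning "Aborting; threshold left in place. If the deletes are unwanted, perform an authoritative restore of the objects instead."
        return
    }

    # 1. Lift the threshold so the staged deletions can be exported to Azure AD.
    Set-PreventAccidentalDeletes -Disable

    # 2. Trigger a full synchronization. Assumption: Start-OnlineCoexistenceSync
    #    with the -FullSync switch is present in your DirSync build.
    Start-OnlineCoexistenceSync -FullSync

    # 3. The protection is now off. Re-enable it once the cycle has finished and
    #    the deletes have been exported, so the next cycle is guarded again.
    Write-Warning "Threshold disabled. After the full sync completes, re-enable it with Enable-DeleteThreshold."
}

# Usage (constructed values):
# Enable-DeleteThreshold -ObjectDeletionThreshold 500
# Invoke-ReviewedDeleteSync
```

The re-enable step is deliberately left as a reminder rather than run automatically: the sync cycle runs in the synchronization service, and re-arming the threshold before the export has completed could suppress the very deletes you just approved.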
If the deletes are not desired, perform an authoritative restore of the deleted objects.