O365Undo is a great script you can use to roll back actions of your user(s) in Office 365: most likely actions your user wasn't aware of, because they were actually performed by CryptoLocker or other ransomware. These nasty viruses can wreak havoc on your mapped or synced SharePoint Online or OneDrive for Business libraries in the form of file-level encryption or file name obfuscation.
O365Undo requires that you have enabled the Unified Audit Log in Office 365.
If you have done so, O365Undo can reverse the following actions your user took in OneDrive, SharePoint or an Office 365 Group, back to a given date (the furthest you can go back is the moment you enabled the Unified Audit Log):
How to use
- Install the SharePoint Client Components
- Identify the login of the user you wish to target, e.g.: firstname.lastname@example.org
- Identify the moment in time you want to go back to (your local time in MM-DD-YYYY HH:MM:SS format)
- Do not let the user modify anything for 15-30 minutes (UA log sync time)
- Run the script: .\O365Undo.ps1 -affectedUserLogin email@example.com -infectionDateTime "05-13-2016 00:00:00" -login "firstname.lastname@example.org" -password "Welcome123"
- Check the screen output and/or the log file in %Appdata% for the results
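Before running the script, it helps to confirm the prerequisites from the steps above and to preview what the audit log actually holds for the affected user. The following PowerShell is an added example, not part of O365Undo or written by its author; it assumes an Exchange Online PowerShell session with audit-log search rights, and the login shown is a placeholder.

```powershell
# Added pre-flight example; not part of O365Undo. Run in an Exchange Online
# PowerShell session (Connect-ExchangeOnline) with audit-log search rights.
param(
    [string]$AffectedUserLogin = 'user@example.com',    # placeholder login
    [string]$InfectionDateTime = '05-13-2016 00:00:00'  # local time, MM-DD-YYYY HH:MM:SS
)

# Parse strictly so a malformed value fails here instead of inside the rollback.
$local = [datetime]::ParseExact($InfectionDateTime, 'MM-dd-yyyy HH:mm:ss',
                                [cultureinfo]::InvariantCulture)
$startUtc = $local.ToUniversalTime()   # audit records are timestamped in UTC
$nowUtc   = (Get-Date).ToUniversalTime()
if ($startUtc -ge $nowUtc) { throw 'Infection time is in the future.' }

# O365Undo depends on the Unified Audit Log; stop early if ingestion is off.
# (This property is only reliable in Exchange Online PowerShell.)
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified Audit Log is not enabled for this tenant.'
}

# Pull the user's SharePoint/OneDrive file operations since the infection time.
$records = @(Search-UnifiedAuditLog -StartDate $startUtc -EndDate $nowUtc `
    -UserIds $AffectedUserLogin -RecordType SharePointFileOperation -ResultSize 5000)
if ($records.Count -eq 0)    { Write-Warning 'No file operations logged for this user in the window.' }
if ($records.Count -ge 5000) { Write-Warning 'Result cap hit; narrow the window to see everything.' }

# Flatten the JSON payload into one row per event.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = [datetime]$r.CreationDate
        Operation = $r.Operations
        File      = $d.SourceFileName
        Url       = $d.ObjectId
    }
}

# Volume per operation type: a ransomware run shows up as a burst of renames/modifies.
$rows | Group-Object Operation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The steps above ask for 15-30 minutes without user changes (UA log sync time).
$last = ($rows | Sort-Object TimeUtc | Select-Object -Last 1).TimeUtc
if ($last -and ($nowUtc - $last).TotalMinutes -lt 30) {
    Write-Warning "Last logged change was at $last UTC; wait before running O365Undo."
}
```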
What it won’t (yet) do:
- restore deleted files from the recycle bin
- check files back in when checked out
- delete new files
- rename / move folders
Use at your own risk, this is not a commercial product and I offer no guarantees whatsoever.
O365Undo_V0.5.ps1 (right click, save as)