Removing user from a trusted domain in Authorization Manager (AzMan) fails with error "Cannot complete this function"

Applies to: Windows Server 2008 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Standard

Symptoms


Trying to remove a user from a trusted domain from an Application Group in the AzMan.msc snap-in fails with this error message:


Authorization Manager
Cannot save one or more changes. The following problem occurred: Cannot complete this function.


Cause


This is a known problem in AzMan.msc in the products listed above.

Resolution


To work around this problem, remove the user or group by using ADSIEdit.msc.

To perform the workaround, launch ADSIEdit.msc and connect to the naming context where the AzMan store is located in Active Directory (usually CN=Program Data,DC=contoso,DC=com, where contoso is your domain name).

Locate the store in that container and navigate to the AzGroupObjectContainer-StoreName object of the store.

Inside, there should be an object representing the Application Group from which you want to remove the foreign user.

Select "Properties" of the object and browse down to the "member" attribute.

Double-click the attribute to edit the members of the Application Group; here you can remove the user whose removal fails in AzMan.msc.
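The same edit can be scripted with the Active Directory PowerShell module (RSAT). This is an added example, not part of the original article; the store DN, group name, the object class used for the search and the member DN are assumptions you must adapt to your environment.

```powershell
# Added example (not from the KB article): perform the ADSIEdit workaround with the
# ActiveDirectory module. All distinguished names below are placeholders.
Import-Module ActiveDirectory

# Assumed location of the AzMan store and the name of the Application Group.
$StoreDN   = 'CN=MyAzStore,CN=Program Data,DC=contoso,DC=com'
$GroupName = 'MyAppGroup'

# DN exactly as it appears in the group's "member" attribute for the user that
# AzMan.msc cannot remove. For a trusted-domain user this is assumed to be the
# foreignSecurityPrincipal object, e.g. CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,...
$MemberDN  = 'CN=S-1-5-21-PLACEHOLDER,CN=ForeignSecurityPrincipals,DC=contoso,DC=com'

# Locate the Application Group object below AzGroupObjectContainer-<StoreName>.
# msDS-AzApplicationGroup is assumed to be the object class of that object.
$Group = Get-ADObject -SearchBase $StoreDN -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=msDS-AzApplicationGroup)(cn=$GroupName))" -Properties member
if (-not $Group) { throw "Application group '$GroupName' not found under $StoreDN" }

# Review the current membership before changing anything.
Write-Host 'Members before:'
$Group.member | ForEach-Object { "  $_" }

if ($Group.member -notcontains $MemberDN) {
    throw "$MemberDN is not listed in the member attribute of $GroupName"
}

# Remove just that one value from the multi-valued "member" attribute,
# which is what editing the attribute in ADSIEdit.msc does by hand.
Set-ADObject -Identity $Group.DistinguishedName -Remove @{ member = $MemberDN } -Confirm:$false

# Re-read the object to confirm the value is gone.
$After = Get-ADObject -Identity $Group.DistinguishedName -Properties member
Write-Host 'Members after:'
$After.member | ForEach-Object { "  $_" }
```

Run it with an account that has write access to the AzMan store container; the membership listing before and after gives you the same review step you would otherwise do visually in ADSIEdit.msc.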


More Information


To avoid this workaround in the future, do not add members of trusted domains directly to an Application Group. Instead, create a Domain Local Group in the domain where the Authorization Store is located, add the foreign users to this group, and then add this Domain Local Group to the Application Group in AzMan.msc.