Return
-
Title
Defender Desktop Token cannot be unassigned from a user account in Active Directory (AD) -
Description
A Defender Desktop Token cannot be unassigned from a user account in AD. When selecting "Unassign" from the Defender tab on the user's properties an administrator is prompted to confirm deletion of the token. However, upon selecting "Yes", the token cannot be unassigned.
-
Cause
The token has already been deleted from the "Tokens" OU in AD. Selecting to delete the token is putting AD in a loop where it cannot find the token and therefore cannot complete the removal process.
-
Resolution
Instead of selecting to delete the token when unassigning it, just leave it as is. Or alternately, before manually deleting token objects from AD, be sure they are not assigned to a user. Tokens can be unassigned from the token object itself or from the user object.