John, I don't disagree with you. I think if BMC added account management fields that state an account must change its password, or is disabled, then the server should be checking that stuff...not the client....but I'm not BMC and I'm sure they had their reasons for designing it the way they did. :)
-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
Sent: Tuesday, January 25, 2011 10:07 AM
To: arslist@ARSLIST.ORG
Subject: Force Password Change On Login

Jack: I probably meant the disabled field.

LJ: I don't think it's good design to add random fields and then make the client check them. It's clearly insecure by encouraging administrators to set 'disabled' or 'user must change password' and find users don't have to do so. The disabled option being ignored by the server is the serious issue: an account marked as disabled should be disabled, without the need for SSO Plugin to finish the job. I'm sure BMC will take this on board if they have not already.

John

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"