Jack: I probably meant the disabled field. LJ: I don't think it's good design to add random fields and then make the client check them. It's clearly insecure by encouraging administrators to set 'disabled' or 'user must change password' and find users don't have to do so. The disabled option being ignored by the server is the serious issue: an account marked as disabled should be disabled, without the need for SSO Plugin to finish the job. I'm sure BMC will take this on board if they have not already.
John _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"
