Doug And you don't force administrators to change the default Mid Tier password, which is the most relevant starting point for abuse given everything else is basically hidden from a web client.
And you haven't made the "disable User" radio do what it says on the tin, ie disable a user, which will leave an administrator scratching their head when they believe that clicking disable will disable a user. And allowing run process to actually run a process is perhaps the craziest thing one would enable on an Internet facing deployment. And the password management stuff is kind of irrelevant if a user has no password, ie when SSO is enabled. So there's some improvements for 8.2. John _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"