I'm probably missing something obvious, here, and just not phrasing my searches of the Guide correctly, but what's the best way to lock user accounts? I have some administrative holds, adjuncts who aren't currently under contract but may teach again, etc., whose access I need to temporarily disable without the side effects of deleting. I don't want information to disappear; I just need them to not be able to login.
For most users we use SSO, and that's easy: we disable them in AD. But we also have a class of users with Canvas-only accounts using native login, and that's less obvious: if I just change their passwords they can reset them.
You're correct if you just change the password the user can reset them. I can think of a couple things you can do.
You could look at using the #last user access to monitor when users were last logged into Canvas.
We change the username in the user's account. This way, even if they try to select the reset password option, the username they enter is not an option. That seems to work for us.