I know this has been discussed in the past, years ago now, such as here, but is there a way yet that users can be prevented from using self sign-up via email confirmation or attempting to change their password (which won't work) when Active Directory LDAP authentication is being used?

I only want Active Directory LDAP authenticated users to be able to log in; I don't want other random people who can email the helpdesk email address to be able to sign themselves up and then be able to access things such as the knowledge base, for example.

Changing the registration method to private doesn't solve the issue - while it prevents random people from doing self sign-up, it also prevents Active Directory LDAP accounts from being "auto-created" on the fly the first time they authenticate, and I have no desire to manually import users via CSV etc. when the auto-creation via LDAP works just fine.

Has anyone found a solution to this? About all I can think of so far is creating an IIS rewrite rule which will redirect attempts to go to account.php back to index.php so users can't actually use that page. (Deleting the page would be a bit harsh, I think. 😀) Is this likely to work and not interfere with anything else?

I don't particularly want people trying to edit their profiles either, as their phone numbers etc. are pulled from Active Directory as well, so I don't see any need to allow access to account.php when users will be exclusively Active Directory LDAP users.

Has anyone else gone down this path of banning / redirecting access to account.php or found a better solution?

OK, I've created a couple of simple rewrite rules for account.php and profile.php which solve the problem well enough - if anyone is interested, I can share the rules.

    DBMandrake

    It's always helpful to the community to include your solution to a question.

    So if you will, yes! Please do share your solution on this thread so it can be archived properly!

    Best regards,
    Nick

    Sure. So I ended up creating two rewrite rules. The first one redirects any attempts to use the Sign Up page back to the login page:

    The second rule redirects any attempts to POST to the profile page back to the index page:


    By only redirecting POST attempts to profile.php it still allows the user to view their (LDAP sourced) profile, however any attempts to make changes such as a password change and submit those (which post back to the same script) just get redirected to the main index page without actually processing any changes.

    A bit of a kludge but it basically does what I set out to achieve.
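
The two rules described in this thread could be written as follows in IIS URL Rewrite syntax. This is an added example, not the rules the poster used; it assumes the URL Rewrite module is installed, that this `web.config` sits in the application's root folder, and that the login page is `login.php` (an assumed name, not given in the thread).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: any request for the sign-up page goes to the login page.
             The (/|$) suffix also covers PATH_INFO forms such as
             account.php/anything, which would otherwise still reach the script.
             Matching is case-insensitive by default. -->
        <rule name="Redirect sign-up to login" stopProcessing="true">
          <match url="^account\.php(/|$)" />
          <!-- login.php is an assumed page name; Found = 302, so browsers
               do not cache the redirect permanently. -->
          <action type="Redirect" url="login.php"
                  redirectType="Found" appendQueryString="false" />
        </rule>

        <!-- Rule 2: only POSTs to the profile page are redirected, so a GET
             still shows the LDAP-sourced profile. On a 302 the browser
             re-requests index.php with GET and the submitted form body
             (for example a password change) is never processed. -->
        <rule name="Redirect profile POST to index" stopProcessing="true">
          <match url="^profile\.php(/|$)" />
          <conditions>
            <add input="{REQUEST_METHOD}" pattern="^POST$" />
          </conditions>
          <action type="Redirect" url="index.php"
                  redirectType="Found" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because these rules only cover the two script names from the thread, any other endpoint that accepts registration or profile changes would need its own rule.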
