diff --git a/include/class.client.php b/include/class.client.php
index 707418456e3e15b1ebefc53d2f10d0ba360b258d..3ad25fa3947e6001cc3d7c0a3f73e97ff16cc1b5 100644
--- a/include/class.client.php
+++ b/include/class.client.php
@@ -306,12 +306,6 @@ class ClientAccount extends UserAccount {
         unset($_SESSION['_client']['reset-token']);
     }
 
-    function getInfo() {
-        $base = parent::getInfo();
-        $base['tz_offset'] = $this->timezone;
-        return $base;
-    }
-
     function update($vars, &$errors) {
         $rtoken = $_SESSION['_client']['reset-token'];
         if ($vars['passwd1'] || $vars['passwd2'] || $vars['cpasswd'] || $rtoken) {
@@ -362,7 +356,7 @@ class ClientAccount extends UserAccount {
             $info = array('password' => $vars['passwd1']);
             Signal::send('auth.pwchange', $this, $info);
             $this->cancelResetTokens();
-            $this->_clearStatus(self::PASSWD_RESET_REQUIRED);
+            $this->clearStatus(self::REQUIRE_PASSWD_RESET);
         }
 
         return $this->save();
diff --git a/include/class.user.php b/include/class.user.php
index ba4a19401827f5216d977f92e333984794e5a7c6..97335063c8062e1ac4fd0b23546992a0135b1eef 100644
--- a/include/class.user.php
+++ b/include/class.user.php
@@ -547,7 +547,8 @@ class UserAccount extends UserAccountModel {
 
     const CONFIRMED             = 0x0001;
     const LOCKED                = 0x0002;
-    const PASSWD_RESET_REQUIRED = 0x0004;
+    const REQUIRE_PASSWD_RESET  = 0x0004;
+    const FORBID_PASSWD_RESET   = 0x0008;
 
     protected function hasStatus($flag) {
         return 0 !== ($this->get('status') & $flag);
@@ -580,12 +581,16 @@ class UserAccount extends UserAccountModel {
     }
 
     function forcePasswdReset() {
-        $this->setStatus(self::PASSWD_RESET_REQUIRED);
+        $this->setStatus(self::REQUIRE_PASSWD_RESET);
         return $this->save();
     }
 
     function isPasswdResetForced() {
-        return $this->hasStatus(self::PASSWD_RESET_REQUIRED);
+        return $this->hasStatus(self::REQUIRE_PASSWD_RESET);
+    }
+
+    function isPasswdResetEnabled() {
+        return !$this->hasStatus(self::FORBID_PASSWD_RESET);
     }
 
     function hasPassword() {
@@ -737,15 +742,16 @@ class UserAccount extends UserAccountModel {
         }
 
         // Set flags
-        if ($vars['pwreset-flag'])
-            $this->setStatus(self::PASSWD_RESET_REQUIRED);
-        else
-            $this->clearStatus(self::PASSWD_RESET_REQUIRED);
-
-        if ($vars['locked-flag'])
-            $this->setStatus(self::LOCKED);
-        else
-            $this->clearStatus(self::LOCKED);
+        foreach (array(
+                'pwreset-flag'=>        self::REQUIRE_PASSWD_RESET,
+                'locked-flag'=>         self::LOCKED,
+                'forbid-pwchange-flag'=> self::FORBID_PASSWD_RESET
+        ) as $ck=>$flag) {
+            if ($vars[$ck])
+                $this->setStatus($flag);
+            else
+                $this->clearStatus($flag);
+        }
 
         return $this->save(true);
     }
@@ -794,7 +800,7 @@ class UserAccount extends UserAccountModel {
             $account->set('passwd', Password::hash($vars['passwd1']));
             $account->setStatus(self::CONFIRMED);
             if ($vars['pwreset-flag'])
-                $account->setStatus(self::PASSWD_RESET_REQUIRED);
+                $account->setStatus(self::REQUIRE_PASSWD_RESET);
         }
 
         $account->save(true);
diff --git a/include/client/profile.inc.php b/include/client/profile.inc.php
index d5651031cdaac3a0a5975edd862384a18d69bfe6..8586c3976f1a117c4887b44670e905c1ee073b8f 100644
--- a/include/client/profile.inc.php
+++ b/include/client/profile.inc.php
@@ -50,6 +50,7 @@ if ($acct = $thisclient->getAccount()) {
         <em>(Current Time: <strong><?php echo Format::date($cfg->getDateTimeFormat(),Misc::gmtime(),$info['tz_offset'],$info['dst']); ?></strong>)</em>
     </td>
 </tr>
+<?php if ($acct->isPasswdResetEnabled()) { ?>
 <tr>
     <td colspan=2">
         <div><hr><h3>Access Credentials</h3></div>
@@ -85,6 +86,7 @@ if ($acct = $thisclient->getAccount()) {
     </td>
 </tr>
 <?php } ?>
+<?php } ?>
 </table>
 <hr>
 <p style="text-align: center;">
diff --git a/include/staff/templates/user-account.tmpl.php b/include/staff/templates/user-account.tmpl.php
index 5a08e8e4cf3696c44efbdcd59d3a5530b7850dfd..8304d8afa975f9d08c48ff1e0717f6e0308eb907 100644
--- a/include/staff/templates/user-account.tmpl.php
+++ b/include/staff/templates/user-account.tmpl.php
@@ -143,6 +143,9 @@ if ($info['error']) {
                    <div><input type="checkbox" name="pwreset-flag" value="1" <?php
                     echo $account->isPasswdResetForced() ?
                     'checked="checked"' : ''; ?>> Password Reset Required</div>
+                   <div><input type="checkbox" name="forbid-pwchange-flag" value="1" <?php
+                    echo !$account->isPasswdResetEnabled() ?
+                    'checked="checked"' : ''; ?>> User Cannot Change Password</div>
                 </td>
             </tr>
         </tbody>
diff --git a/pwreset.php b/pwreset.php
index 6fb51b48728df6292ca5daddc24586434bca39c6..7b2a636e5cc4322dcaae1de656791c530a9329a6 100644
--- a/pwreset.php
+++ b/pwreset.php
@@ -19,6 +19,10 @@ if($_POST) {
                 if (!$acct->hasPassword()) {
                     $banner = 'Unable to reset password. Contact your administrator';
                 }
+                elseif (!$acct->isPasswdResetEnabled()) {
+                    $banner = 'Password reset is not enabled for your account. '
+                        .'Contact your administrator';
+                }
                 elseif (!$acct->sendResetEmail()) {
                     $inc = 'pwreset.sent.php';
                 }