Restrict access until password is changed

Description

The option "Restrict access until password is changed" has been added to protect a local user account when you suspect its password has been compromised. It is available in firmware version 6.5.5.1 and later.


This allows restricting login using this local user account until its password has been changed. You might want to do this if, for example, you suspect that the user's password has been compromised. The following levels of restriction can be set:

No Restriction. Login is not restricted, and the user can change the password from any zone, including Public zones such as WAN.

Block remote access. When this is set, this user will only be allowed to log in from trusted locations inside the firewall. A remote user would be able to restore their remote access by changing their own password if they can travel to a secure internal location, otherwise, they would need to request that a firewall administrator do it for them.
NOTE: The trusted locations for this include the LAN zone, the MGMT zone if the firewall has one, and any other zones with security type 'Trusted', plus any remote locations connected through a site-to-site VPN tunnel (including GMS when it is managing through one).
Block all but console access. When this is set, this user will not be allowed to log in from anywhere (apart from admins on the console port). To restore their access, the user would need to request that a firewall administrator reset their password.

Block remote access except GMS/NSM, Block all but console and GMS/NSM. These are the same as the two levels above, except that a GMS or NSM is allowed to log in using this account where the restriction would otherwise have blocked it.
This applies to web login, login from a VPN client and CLI login via SSH. It does not prevent administrator login on the console port, nor does it prevent users from being logged in by SSO. It can only be set for a local non-domain user account that has a password set.

NOTE: Since the primary purpose of this option is to prevent the use of a compromised password, a user blocked by it is not offered the option to change their password when attempting to log in from a blocked location. If you set it to block remote access, you may also want to set "User must change password" so that the change is forced when the user does log in internally.
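The rules above combine four inputs: the restriction level, where the login arrives from, how the user logs in, and whether the client is GMS/NSM. The following Python model, added here as an illustration and not code from SonicWall or from SonicOS, evaluates those rules so the decision matrix can be checked before the option is applied to a real account. Zone names, the LoginAttempt fields and the assumption that a "console" attempt is an administrator on the console port are this example's own; the firewall's actual implementation is not described on the page.

```python
from dataclasses import dataclass
from enum import Enum


class Restriction(Enum):
    """The five values of 'Restrict access until password is changed'."""
    NONE = "No Restriction"
    BLOCK_REMOTE = "Block remote access"
    BLOCK_REMOTE_EXCEPT_MGMT = "Block remote access except GMS/NSM"
    CONSOLE_ONLY = "Block all but console access"
    CONSOLE_AND_MGMT = "Block all but console and GMS/NSM"


@dataclass(frozen=True)
class LoginAttempt:
    """One login attempt against the restricted local account (modelled here).

    method: 'web', 'vpn_client' or 'ssh' are the logins the option governs;
            'console' is assumed to be administrator login on the console
            port and 'sso' a single-sign-on login, neither of which the
            option affects.
    zone / zone_security: the arriving zone and its security type.
    via_site_to_site_vpn: arrived through a site-to-site VPN tunnel.
    is_management_system: the client is GMS or NSM.
    """
    method: str
    zone: str = ""
    zone_security: str = ""
    via_site_to_site_vpn: bool = False
    is_management_system: bool = False


def is_trusted_location(attempt: LoginAttempt) -> bool:
    """Locations 'inside the firewall': the LAN and MGMT zones, any zone of
    security type Trusted, and anything arriving over a site-to-site VPN."""
    return (
        attempt.zone in ("LAN", "MGMT")
        or attempt.zone_security == "Trusted"
        or attempt.via_site_to_site_vpn
    )


def login_allowed(attempt: LoginAttempt, restriction: Restriction,
                  password_changed: bool = False) -> bool:
    """Decide whether this attempt may log in under the given restriction."""
    # Once the password has been changed the restriction no longer applies.
    if password_changed or restriction is Restriction.NONE:
        return True
    # Administrator login on the console port and SSO logins are never blocked.
    if attempt.method in ("console", "sso"):
        return True
    # The two '... GMS/NSM' variants exempt a management system.
    if attempt.is_management_system and restriction in (
        Restriction.BLOCK_REMOTE_EXCEPT_MGMT, Restriction.CONSOLE_AND_MGMT
    ):
        return True
    # 'Block remote access' still admits logins from trusted locations.
    if restriction in (Restriction.BLOCK_REMOTE,
                       Restriction.BLOCK_REMOTE_EXCEPT_MGMT):
        return is_trusted_location(attempt)
    # 'Block all but console ...': everything else is refused.
    return False


def restriction_applies_to(is_local: bool, is_domain_user: bool,
                           has_password: bool) -> bool:
    """The option can only be set on a local, non-domain account with a password."""
    return is_local and not is_domain_user and has_password


if __name__ == "__main__":
    # Constructed sample attempts, one per row of the matrix.
    samples = {
        "web login from WAN (Public)": LoginAttempt("web", "WAN", "Public"),
        "SSH from LAN": LoginAttempt("ssh", "LAN", "Trusted"),
        "VPN client from WAN": LoginAttempt("vpn_client", "WAN", "Public"),
        "SSH over site-to-site VPN": LoginAttempt("ssh", "VPN", via_site_to_site_vpn=True),
        "GMS/NSM from WAN": LoginAttempt("web", "WAN", "Public", is_management_system=True),
        "admin on console port": LoginAttempt("console"),
        "SSO login": LoginAttempt("sso", "LAN", "Trusted"),
    }
    for level in Restriction:
        print(level.value)
        for name, attempt in samples.items():
            verdict = "allow" if login_allowed(attempt, level) else "BLOCK"
            print(f"  {name:30s} {verdict}")
```

Running the block prints the full matrix; the cases worth reading closely are GMS/NSM from WAN, which flips from blocked to allowed only under the two "GMS/NSM" variants, and SSH over a site-to-site tunnel, which the page counts as a trusted location even though the peer is physically remote.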

Restrict Access for Multiple Users

If you suspect that the credentials of several users are compromised, you can force a password change for all users of the selected types at once.


Force Password Changes for Multiple Users

This allows setting multiple local user accounts (all users of the selected types) so that the users will need to change their passwords when they next log in.

CAUTION: This affects only users whose passwords are set locally on the SonicWall, not any users whose passwords are authenticated externally. Once done, this cannot be undone.

Related Articles

  • SonicOS 8.1.0 FAQ
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
  • Getting started with SonicWall firewalls