Manually re-enable user accounts after brute force lockout
Brute Force Prevention is enabled in the security settings. As an example, you can have the system "disable" a user account for up to 999 minutes after x number of failed attempts.
If a user's account is "disabled", there is no way for an admin to simply log in and re-enable the account. They will receive the message "Login Failed: Exceeded failed login attempts".
According to chat support, if we are synced with LDAP, the user's AD account should be locked out as well. That is not the case for our scenario.
To work around this issue, I have to change the lockout time from 999 minutes to something like 5 minutes. After that I have to restart the services, which can cause people to lose changes that are actively being made on the system.
I assume moving to SSO may resolve this issue but cannot say for sure. Nonetheless, I believe that the feature would be helpful and would not imagine it would be very complicated to implement.
