diff --git a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
index e4f0cc1f01..b65814e716 100644
--- a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
+++ b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
@@ -25,6 +25,7 @@
 package org.alfresco.web.app.servlet;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.util.Enumeration;
 
 import javax.faces.context.FacesContext;
@@ -36,7 +37,6 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.alfresco.error.AlfrescoRuntimeException;
-import org.springframework.extensions.surf.util.I18NUtil;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.management.subsystems.ActivateableBean;
@@ -50,7 +50,6 @@ import org.alfresco.service.cmr.repository.InvalidNodeRefException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AuthenticationService;
-import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.bean.LoginBean;
@@ -58,6 +57,8 @@ import org.alfresco.web.bean.repository.User;
 import org.alfresco.web.bean.users.UserPreferencesBean;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.surf.util.Base64;
+import org.springframework.extensions.surf.util.I18NUtil;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
@@ -556,13 +557,23 @@ public final class AuthenticationHelper
    public static void setUsernameCookie(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String username)
    {
       Cookie authCookie = getAuthCookie(httpRequest);
+      // Let's Base 64 encode the username so it is a legal cookie value
+      String encodedUsername;
+      try
+      {
+         encodedUsername = Base64.encodeBytes(username.getBytes("UTF-8"));
+      }
+      catch (UnsupportedEncodingException e)
+      {
+         throw new RuntimeException(e);
+      }
       if (authCookie == null)
       {
-         authCookie = new Cookie(COOKIE_ALFUSER, username);
+         authCookie = new Cookie(COOKIE_ALFUSER, encodedUsername);
       }
       else
       {
-         authCookie.setValue(username);
+         authCookie.setValue(encodedUsername);
       }
       authCookie.setPath(httpRequest.getContextPath());
       // TODO: make this configurable - currently 7 days (value in seconds)
diff --git a/source/java/org/alfresco/web/bean/NavigationBean.java b/source/java/org/alfresco/web/bean/NavigationBean.java
index 0ef30abcf7..6f5b3bcf64 100644
--- a/source/java/org/alfresco/web/bean/NavigationBean.java
+++ b/source/java/org/alfresco/web/bean/NavigationBean.java
@@ -56,7 +56,7 @@ import org.alfresco.service.cmr.repository.TemplateService;
 import org.alfresco.service.cmr.rule.RuleService;
 import org.alfresco.service.cmr.search.SearchService;
 import org.alfresco.service.cmr.security.AccessStatus;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.web.app.Application;
@@ -208,12 +208,12 @@ public class NavigationBean implements Serializable
    /**
     * @param authService The AuthenticationService to set.
     */
-   public void setAuthenticationService(AuthenticationService authService)
+   public void setAuthenticationService(MutableAuthenticationService authService)
    {
       this.authService = authService;
    }
    
-   protected AuthenticationService getAuthService()
+   protected MutableAuthenticationService getAuthService()
    {
       if (authService == null)
          this.authService = Repository.getServiceRegistry(FacesContext.getCurrentInstance()).getAuthenticationService();
@@ -1024,7 +1024,9 @@ public class NavigationBean implements Serializable
     */
    public boolean isAllowUserConfig()
    {
-      return this.clientConfig.getAllowUserConfig();
+      // For correct behaviour, we ask the authentication chain whether this particular user is mutable
+      return this.clientConfig.getAllowUserConfig()
+            && this.authService.isAuthenticationMutable(this.authService.getCurrentUserName());
    }
    
    
@@ -1157,7 +1159,7 @@ public class NavigationBean implements Serializable
    UserPreferencesBean preferences;
    
    /** The Authentication service bean reference */
-   transient private AuthenticationService authService;
+   transient private MutableAuthenticationService authService;
    
    /** The PermissionService reference */
    transient private PermissionService permissionService;
diff --git a/source/java/org/alfresco/web/bean/users/CreateUserWizard.java b/source/java/org/alfresco/web/bean/users/CreateUserWizard.java
index 1138d07b06..43123d27ed 100644
--- a/source/java/org/alfresco/web/bean/users/CreateUserWizard.java
+++ b/source/java/org/alfresco/web/bean/users/CreateUserWizard.java
@@ -43,14 +43,13 @@ import org.alfresco.model.ContentModel;
 import org.alfresco.repo.tenant.TenantService;
 import org.alfresco.service.cmr.repository.ChildAssociationRef;
 import org.alfresco.service.cmr.repository.NodeRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.ContentUsageService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
-import org.alfresco.util.ApplicationContextHelper;
 import org.springframework.extensions.surf.util.Pair;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.app.context.UIContextService;
@@ -102,7 +101,7 @@ public class CreateUserWizard extends BaseWizardBean
     protected String sizeQuotaUnits = null;
 
     /** AuthenticationService bean reference */
-    transient private AuthenticationService authenticationService;
+    transient private MutableAuthenticationService authenticationService;
 
     /** PersonService bean reference */
     transient private PersonService personService;
@@ -129,7 +128,7 @@ public class CreateUserWizard extends BaseWizardBean
     /**
      * @param authenticationService The AuthenticationService to set.
      */
-    public void setAuthenticationService(AuthenticationService authenticationService)
+    public void setAuthenticationService(MutableAuthenticationService authenticationService)
     {
         this.authenticationService = authenticationService;
     }
@@ -137,7 +136,7 @@ public class CreateUserWizard extends BaseWizardBean
     /**
      * @return authenticationService
      */
-    private AuthenticationService getAuthenticationService()
+    private MutableAuthenticationService getAuthenticationService()
     {
         if (authenticationService == null)
         {
diff --git a/source/java/org/alfresco/web/bean/users/UsersBeanProperties.java b/source/java/org/alfresco/web/bean/users/UsersBeanProperties.java
index 382fc8e10d..e0d4f6e16d 100644
--- a/source/java/org/alfresco/web/bean/users/UsersBeanProperties.java
+++ b/source/java/org/alfresco/web/bean/users/UsersBeanProperties.java
@@ -36,7 +36,7 @@ import org.alfresco.service.cmr.repository.ContentService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.ContentUsageService;
 import org.alfresco.web.app.servlet.DownloadContentServlet;
@@ -57,7 +57,7 @@ public class UsersBeanProperties implements Serializable
     transient private SearchService searchService;
     
     /** AuthenticationService bean reference */
-    transient private AuthenticationService authenticationService;
+    transient private MutableAuthenticationService authenticationService;
 
     /** PersonService bean reference */
     transient private PersonService personService;
@@ -111,7 +111,7 @@ public class UsersBeanProperties implements Serializable
     /**
      * @return the authenticationService
      */
-    public AuthenticationService getAuthenticationService()
+    public MutableAuthenticationService getAuthenticationService()
     {
      //check for null for cluster environment
         if (authenticationService == null)
@@ -167,7 +167,7 @@ public class UsersBeanProperties implements Serializable
     /**
      * @param authenticationService  The AuthenticationService to set.
      */
-    public void setAuthenticationService(AuthenticationService authenticationService)
+    public void setAuthenticationService(MutableAuthenticationService authenticationService)
     {
        this.authenticationService = authenticationService;
     }
diff --git a/source/java/org/alfresco/web/bean/users/UsersDialog.java b/source/java/org/alfresco/web/bean/users/UsersDialog.java
index f9c1b36299..1021227031 100644
--- a/source/java/org/alfresco/web/bean/users/UsersDialog.java
+++ b/source/java/org/alfresco/web/bean/users/UsersDialog.java
@@ -387,6 +387,15 @@ public class UsersDialog extends BaseDialogBean implements IContextListener, Cha
          return (quota != null && quota != -1L) ? quota : null;
       }
    };
+
+   public NodePropertyResolver resolverUserMutable = new NodePropertyResolver()
+   {
+      public Object get(Node personNode)
+      {
+         return properties.getAuthenticationService().isAuthenticationMutable(
+               (String) personNode.getProperties().get("userName"));
+      }
+   };
    
    /**
     * Action handler to show all the users currently in the system
@@ -404,6 +413,7 @@ public class UsersDialog extends BaseDialogBean implements IContextListener, Cha
       {
          node.addPropertyResolver("sizeLatest", this.resolverUserSizeLatest);
          node.addPropertyResolver("quota", this.resolverUserQuota);
+         node.addPropertyResolver("isMutable", this.resolverUserMutable);
       }
       
       // return null to stay on the same page
diff --git a/source/java/org/alfresco/web/bean/wizard/NewUserWizard.java b/source/java/org/alfresco/web/bean/wizard/NewUserWizard.java
index 6247e7bf64..b11ae649b8 100644
--- a/source/java/org/alfresco/web/bean/wizard/NewUserWizard.java
+++ b/source/java/org/alfresco/web/bean/wizard/NewUserWizard.java
@@ -24,8 +24,6 @@
  */
 package org.alfresco.web.bean.wizard;
 
-import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.io.Serializable;
 import java.text.MessageFormat;
 import java.util.HashMap;
@@ -48,13 +46,12 @@ import org.alfresco.repo.tenant.TenantService;
 import org.alfresco.service.cmr.repository.ChildAssociationRef;
 import org.alfresco.service.cmr.repository.InvalidNodeRefException;
 import org.alfresco.service.cmr.repository.NodeRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
-import org.alfresco.util.ApplicationContextHelper;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.app.context.UIContextService;
 import org.alfresco.web.bean.repository.Node;
@@ -66,7 +63,7 @@ import org.alfresco.web.ui.common.Utils;
 import org.alfresco.web.ui.common.component.UIActionLink;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.commons.validator.EmailValidator;
+import org.apache.commons.validator.EmailValidator;
 
 /**
  * @author Kevin Roast
@@ -101,7 +98,7 @@ public class NewUserWizard extends AbstractWizardBean
    private NodeRef homeSpaceLocation = null;
 
    /** AuthenticationService bean reference */
-   transient private AuthenticationService authenticationService;
+   transient private MutableAuthenticationService authenticationService;
 
    /** NamespaceService bean reference */
    transient private NamespaceService namespaceService;
@@ -131,12 +128,12 @@ public class NewUserWizard extends AbstractWizardBean
    /**
     * @param authenticationService  The AuthenticationService to set.
     */
-   public void setAuthenticationService(AuthenticationService authenticationService)
+   public void setAuthenticationService(MutableAuthenticationService authenticationService)
    {
       this.authenticationService = authenticationService;
    }
    
-   private AuthenticationService getAuthenticationService()
+   private MutableAuthenticationService getAuthenticationService()
    {
       if (authenticationService == null)
       {
diff --git a/source/java/org/alfresco/web/forms/FormsTest.java b/source/java/org/alfresco/web/forms/FormsTest.java
index b8b0b7eaf7..78895c9d32 100644
--- a/source/java/org/alfresco/web/forms/FormsTest.java
+++ b/source/java/org/alfresco/web/forms/FormsTest.java
@@ -36,7 +36,7 @@ import org.alfresco.service.cmr.model.FileInfo;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.BaseSpringTest;
 import org.alfresco.util.TestWithUserUtils;
@@ -105,7 +105,7 @@ public class FormsTest
       assertNotNull(fileFolderService);
       this.formsService = (FormsService)super.applicationContext.getBean("FormsService");
       assertNotNull(this.formsService);
-      final AuthenticationService authenticationService = (AuthenticationService)
+      final MutableAuthenticationService authenticationService = (MutableAuthenticationService)
          applicationContext.getBean("authenticationService");
       authenticationService.clearCurrentSecurityContext();
       final MutableAuthenticationDao authenticationDAO = (MutableAuthenticationDao) 
diff --git a/source/web/jsp/users/users.jsp b/source/web/jsp/users/users.jsp
index 99587e842d..42e17ca82f 100644
--- a/source/web/jsp/users/users.jsp
+++ b/source/web/jsp/users/users.jsp
@@ -138,10 +138,10 @@
                <f:facet name="header">
                   <h:outputText value="#{msg.actions}" />
                </f:facet>
-               <a:actionLink value="#{msg.modify}" image="/images/icons/edituser.gif" showLink="false" action="wizard:editUser" actionListener="#{DialogManager.bean.setupUserAction}">
+               <a:actionLink rendered="#{r.isMutable}" value="#{msg.modify}" image="/images/icons/edituser.gif" showLink="false" action="wizard:editUser" actionListener="#{DialogManager.bean.setupUserAction}">
                   <f:param name="id" value="#{r.id}" />
                </a:actionLink>
-               <a:actionLink value="#{msg.change_password}" image="/images/icons/change_password.gif" showLink="false" action="dialog:changePassword" actionListener="#{DialogManager.bean.setupUserAction}">
+               <a:actionLink rendered="#{r.isMutable}" value="#{msg.change_password}" image="/images/icons/change_password.gif" showLink="false" action="dialog:changePassword" actionListener="#{DialogManager.bean.setupUserAction}">
                   <f:param name="id" value="#{r.id}" />
                </a:actionLink>
                <a:booleanEvaluator value="#{r.userName != 'admin'}">