AccessMonger Pro's automated installer lets you specify a few settings and then does the rest for you.  If your dsn permissions don't allow for table and index creation you can use one of the two supplied data files (Access and mySQL) and have the installer work with those once you've placed the files on your server.
Users see a simple, familiar 2-factor login screen with a clear link to the password auto-recovery page, which also works for users who just want to change their password for any reason.  The colors used here are all configurable via simple settings.
And you'd better put in the right login pretty quick, or else...  Password recovery/reset attempts are governed by the same countdown-to-lockdown (with a count independent of the login attempts).
A user who has forgotten or just wants to change their password clicks the link on the login screen and sees simple instructions which will send a link to their inbox.  The link contains a value that will be compared to another stored in the database as part of the authentication process.  The link will only be valid for 24 hours. And they don't get a blank check to enter any old email address until they hit pay dirt, either...
When the user follows the link they receive, they arrive at the change screen.  They plug in their new password and answer the authentication question ... something only they know and which they themselves put in when they were first given access to the system.
And how did that hint/answer question get in there?  The user put it in when they were first given access to the system.  The hint and answer data is salted, hashed, thrashed and smashed to protect its sanctity (a more precise description is available to registered users).
Once logged in an administrator can visit the administration area.  This extremely simple file was kept that way so you can work it into your own administrative control panel.
Enter groups and roles common to the entire system, using simple GridMonger grid entry.  The latest, most improved version of GridMonger (ordinarily only available to registered GridBuilder users) is used inside of AMPro.
Once you have added the groups and roles you want, bundle them into default user profiles.
The User Manager lets you assign one of the profiles you just created to a particular user.  From there you can alter that profile if you choose to include more, or less, than the default profile provides for to allow complete customization and flexibility in who gets to do what.
Also with the User Manager you can edit an individual user's data record, as well as send them an initial system access email, or change their password youself; bypassing the automated system.
Who's On your site?  With AMPro you'll know.  Both logged-in and just-visiting users will be shown.  You'll be able to force administrative log-offs of logged-in users with the ZAP feature.  Looks like the party is over for Larry here.
Whats going on with the site?  AMPro logs and categorizes key information -- including all form field input -- for your review (except sensitive stuff like passwords).  This is done with a simple custom tag that you can easily adapt to add logs and administrative alerts to just about anything you care to think of within your own code.