Looks to me like the best method is to use autoexec to run code (run code is not in the unsafe list) and that's all.
It's what I've done for many years now. I've never worked in or for a place that allowed shared Windows logins, so I didn't use password management. Instead I looked up the user's Windows login id in a table. Not there? Not getting in. The autoexec ran that code.
The more we hear silence, the more we begin to think about our value in this universe.
Paraphrase of Professor Brian Cox.