Current Problem

Now it may just be me that this one worries, but hear me out! Luckily we are IP restricted and have very robust processes for closing down users, but it's come to light that if you lock a user's account, it is automatically unlocked if they hit 'reset password'. There was a member of the team who left us 'under a cloud', so locked the account etc., but I've seen repeated alerts saying the user was trying to log in from an unauthorised IP address. They are obviously trying to get into the system and have managed to unlock the account by requesting a password reset. Now obviously they don't have access to their email so can't get the new password, but my concern is based around people who may not use IP restriction, could employ agency workers and set them up using their personal email addresses etc. Also there are times where there may be a disconnect between system access and email administration, and a user with enough permissions could do a lot of damage. We also use the lock accounts facility to stop clients who haven't paid from accessing the system as an 'encouragement' to pay up. As we don't control the emails for our clients, they have a really simple mechanism to bypass this 'control'. Am I paranoid? Yes, but if an account is locked, it is probably locked for a reason. I understand why a reset unlocks an account from one point of view (as it's a simple first line support headache removed), but there are other implications. As I said, it's probably just me being overly cautious, but I think unlocking accounts should really be done by a system admin, not just blindly actioned.

Idea to resolve Problem

Only system admins to be able to unlock user accounts
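The two behaviours the post contrasts, as an added example that is not part of the original post or of any particular product: a self-service reset that lifts every lock, beside one that separates an automatic failed-login lockout (which completing a reset may clear) from an administrative lock that only an admin can lift. The `Account` and `Lock` types and the function names are assumptions made for the illustration.

```python
# Added example, not the original poster's code or any product's implementation.
# Models the distinction the post draws: a lock placed by an admin (leaver, unpaid
# client) must survive a self-service password reset; only a failed-login lockout may
# be cleared by someone who proves control of the mailbox.
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import secrets

class Lock(Enum):
    NONE = "none"
    FAILED_LOGINS = "failed_logins"  # automatic lockout; a completed reset may clear it
    ADMIN = "admin"                  # deliberate lock; only an admin clears it

@dataclass
class Account:
    email: str
    lock: Lock = Lock.NONE
    reset_token: Optional[str] = None  # constructed stand-in for the emailed token

def can_log_in(acct: Account) -> bool:
    return acct.lock is Lock.NONE

def request_reset_weak(acct: Account) -> str:
    """Behaviour the post describes: merely asking for a reset lifts any lock."""
    acct.lock = Lock.NONE
    acct.reset_token = secrets.token_urlsafe(16)
    return acct.reset_token

def request_reset_fixed(acct: Account) -> str:
    """Asking for a reset only issues a token; lock state is untouched."""
    acct.reset_token = secrets.token_urlsafe(16)
    return acct.reset_token

def complete_reset_fixed(acct: Account, token: str) -> bool:
    """Proving mailbox control clears a failed-login lockout, never an admin lock."""
    if acct.reset_token is None or not secrets.compare_digest(acct.reset_token, token):
        return False
    acct.reset_token = None  # single use
    if acct.lock is Lock.ADMIN:
        return False  # the lock stands until an admin lifts it
    acct.lock = Lock.NONE
    return True

def admin_unlock(acct: Account, actor_is_admin: bool) -> bool:
    """The change the post proposes: unlocking is an admin action, not a side effect."""
    if not actor_is_admin:
        return False
    acct.lock = Lock.NONE
    return True
```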