diff --git a/src/main/java/org/olat/admin/user/SystemRolesAndRightsController.java b/src/main/java/org/olat/admin/user/SystemRolesAndRightsController.java
index 9b9f411dc4ffce97e4e89ef5e0ecab1cbcd93531..483901f1ed4a9567a95ba2efdc21602f40d1e0b4 100644
--- a/src/main/java/org/olat/admin/user/SystemRolesAndRightsController.java
+++ b/src/main/java/org/olat/admin/user/SystemRolesAndRightsController.java
@@ -195,7 +195,7 @@ public class SystemRolesAndRightsController extends BasicController {
 									: (newStatus == Identity.STATUS_DELETED ? "deleted"
 											: "unknown"))));
 			
-			if(newStatus == Identity.STATUS_LOGIN_DENIED) {
+			if(oldStatus != newStatus && newStatus == Identity.STATUS_LOGIN_DENIED && form.getSendLoginDeniedEmail()) {
 				UserBulkChangeManager.getInstance().sendLoginDeniedEmail(myIdentity);
 			}
 			
diff --git a/src/main/java/org/olat/admin/user/SystemRolesAndRightsForm.java b/src/main/java/org/olat/admin/user/SystemRolesAndRightsForm.java
index 4df41ef42939b4a885d77eadeded18f66eceafea..9c80688920371013ab1093d7b6722c48f9cbe18f 100644
--- a/src/main/java/org/olat/admin/user/SystemRolesAndRightsForm.java
+++ b/src/main/java/org/olat/admin/user/SystemRolesAndRightsForm.java
@@ -36,6 +36,7 @@ import org.olat.basesecurity.SecurityGroup;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.form.flexible.FormItem;
 import org.olat.core.gui.components.form.flexible.FormItemContainer;
+import org.olat.core.gui.components.form.flexible.elements.MultipleSelectionElement;
 import org.olat.core.gui.components.form.flexible.elements.SelectionElement;
 import org.olat.core.gui.components.form.flexible.elements.SingleSelection;
 import org.olat.core.gui.components.form.flexible.elements.SpacerElement;
@@ -65,6 +66,7 @@ public class SystemRolesAndRightsForm extends FormBasicController {
 	private SpacerElement rolesSep;
 	private SpacerElement sysSep;
 	private SingleSelection statusRE;
+	private MultipleSelectionElement sendLoginDeniedEmailCB;
 	
 	private Identity identity;
 	private boolean iAmOlatAdmin, isAdmin, isUserManager, isAuthor, isGroupManager, isPoolManager, isGuestOnly, isInstitutionalResourceManager;
@@ -255,6 +257,10 @@ public class SystemRolesAndRightsForm extends FormBasicController {
 		statusRE.setEnabled(status != Identity.STATUS_DELETED);
 	}
 
+	public boolean getSendLoginDeniedEmail() {
+		return sendLoginDeniedEmailCB.isSelected(0);
+	}
+	
 	private void setRole (String k, boolean tf) {
 		if (roleKeys.contains(k)) RolesSE.select(k, tf); 
 	}
@@ -278,7 +284,10 @@ public class SystemRolesAndRightsForm extends FormBasicController {
 		if (source == AnonymousRE) {
 			RolesSE.setVisible(!isAnonymous());
 			rolesSep.setVisible(!isAnonymous());
+		} else if (source == statusRE && iAmOlatAdmin) {
+			sendLoginDeniedEmailCB.setVisible(statusRE.isSelected(2));
 		}
+		
 	}
 
 	@Override
@@ -308,9 +317,13 @@ public class SystemRolesAndRightsForm extends FormBasicController {
 				statusKeys.toArray(new String[statusKeys.size()]),
 				statusValues.toArray(new String[statusKeys.size()])
 		);
+		statusRE.addActionListener(this, FormEvent.ONCHANGE);
+		sendLoginDeniedEmailCB = uifactory.addCheckboxesHorizontal("rightsForm.sendLoginDeniedEmail", formLayout, new String[]{"y"}, new String[]{translate("rightsForm.sendLoginDeniedEmail")}, null);
+		sendLoginDeniedEmailCB.setLabel(null, null);
 		
 		rolesSep.setVisible(iAmOlatAdmin);
 		statusRE.setVisible(iAmOlatAdmin);
+		sendLoginDeniedEmailCB.setVisible(false);
 		
 		FormLayoutContainer buttonGroupLayout = FormLayoutContainer.createButtonLayout("buttonGroupLayout", getTranslator());
 		formLayout.add(buttonGroupLayout);
diff --git a/src/main/java/org/olat/admin/user/_i18n/LocalStrings_de.properties b/src/main/java/org/olat/admin/user/_i18n/LocalStrings_de.properties
index cf0aefd2fc58e752bec14052845ef44f45e6a951..2d386c8ec561028a3a310d4f66a0d3f235517c6a 100644
--- a/src/main/java/org/olat/admin/user/_i18n/LocalStrings_de.properties
+++ b/src/main/java/org/olat/admin/user/_i18n/LocalStrings_de.properties
@@ -47,7 +47,7 @@ header.normal=Suche mit Benutzerattributen
 help.hover.rightsForm-eff=Hilfe zu den Systemrollen
 mailto.userlist=Liste der Benutzer
 mailtemplate.login.denied.subject=Deaktivierung ihres OpenOLAT Accounts
-mailtemplate.login.denied.body=Sehr geehrte/r {6} {4},\n\nIhr OpenOLAT Account {0} mit der E-Mail {1} auf dem System {5} wurde deaktiviert.\n\nWenn Sie möchten, dass der Account wieder aktiviert wird, dann melden Sie sich bitte beim Support unter {3}.\n\n\nViele Grüsse\nDas elearning Team
+mailtemplate.login.denied.body=Sehr geehrte/r {6} {4},\n\nIhr OpenOLAT Account {0} mit der E-Mail {1} auf dem System {5} wurde deaktiviert.\n\nWenn Sie möchten, dass der Account wieder aktiviert wird, dann melden Sie sich bitte beim Support unter {3}.\n\n\nViele Grüsse\nDas e-Learning Team
 msg.selectionempty=Bitte min. einen User ausw\u00E4hlen.
 new.error.email.choosen=Diese E-Mail-Adresse ist bereits vorhanden, Sie k\u00F6nnen f\u00FCr diese Person kein neues Benutzerkonto erstellen. Es wurden keine Daten gespeichert.
 new.error.loginname.choosen=Dieser Benutzername ist bereits vergeben. Versuchen Sie es mit einem anderen Benutzernamen.
@@ -88,12 +88,14 @@ rightsForm.status.deleted=Gel\u00F6scht
 rightsForm.status.login_denied=Login gesperrt
 rightsForm.status.permanent=Aktiv und nicht l\u00F6schbar
 rightsForm.title=Systemrollen und Rechte zuteilen
+rightsForm.sendLoginDeniedEmail=Benutzer über Loginsperre informieren
 search.cancel=Die Aktion wurde abgebrochen.
 search.form.afterDate=Benutzer erstellt nach
 search.form.beforeDate=Benutzer erstellt vor
 search.form.constraint.admin=Systemadministrator
 search.form.constraint.auth.OLAT=OLAT/WebDAV-Passwort
 search.form.constraint.auth.Shib=Shibboleth-Passwort
+search.form.constraint.auth.ShibGeneric=$\:search.form.constraint.auth.Shib
 search.form.constraint.auth.LDAP=LDAP-Passwort
 search.form.constraint.auth.WEBDAV=WebDAV-Passwort
 search.form.constraint.auth.none=Ohne Authentifizierung
diff --git a/src/main/java/org/olat/admin/user/_i18n/LocalStrings_en.properties b/src/main/java/org/olat/admin/user/_i18n/LocalStrings_en.properties
index 419d264a03043cfac0caedee9ad1bafe5f7b8d0f..58e6721bbed5cc2cb4db31b9886f04de1cf6f1e5 100644
--- a/src/main/java/org/olat/admin/user/_i18n/LocalStrings_en.properties
+++ b/src/main/java/org/olat/admin/user/_i18n/LocalStrings_en.properties
@@ -49,8 +49,8 @@ found.property=Property selected {0}
 header.autocompletion=Search combined with auto-completion
 header.normal=Search along with user attributes
 help.hover.rightsForm-eff=Help regarding system roles and rights
-mailtemplate.login.denied.body=Your OpenOLAT account {0} with the email address {1} is blocked.\n\n\nIf you do not agree with this change, please contact support immediately at {3}.
-mailtemplate.login.denied.subject=OpenOLAT Account blocked
+mailtemplate.login.denied.body=Dear {6} {4},\n\nyour OpenOLAT account {0} with the email address {1} on system {5} has been blocked.\n\n\nIf you want to re-activate your account, please contact support at {3}\n\n\nBest regards\nThe e-learning team
+mailtemplate.login.denied.subject=OpenOLAT account blocked
 mailto.userlist=List of users
 msg.selectionempty=Please select at least one user.
 new.error.email.choosen=This e-mail address already exists. There is no need to create another account for this user. No data saved.
@@ -92,6 +92,7 @@ rightsForm.status.deleted=Deleted
 rightsForm.status.login_denied=Login denied
 rightsForm.status.permanent=Active and not deletable
 rightsForm.title=Assign system roles and rights
+rightsForm.sendLoginDeniedEmail=Notify user about login denied change
 search.cancel=Action cancelled.
 search.form.afterDate=User created after
 search.form.beforeDate=User created before
@@ -99,6 +100,7 @@ search.form.constraint.admin=Administrator
 search.form.constraint.auth.LDAP=LDAP password
 search.form.constraint.auth.OLAT=OLAT/WebDAV password 
 search.form.constraint.auth.Shib=Shibboleth password 
+search.form.constraint.auth.ShibGeneric=$\:search.form.constraint.auth.Shib
 search.form.constraint.auth.WEBDAV=WebDAV password
 search.form.constraint.auth.none=No authentication
 search.form.constraint.author=Author
diff --git a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
index 1f17324854accf841b8c081a32fa06ee981381fe..b879d23e605b95d0c90b0c6b2c121785a08e35ff 100644
--- a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
+++ b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
@@ -221,7 +221,7 @@ public class UserBulkChangeManager extends BasicManager {
 								: (status == Identity.STATUS_LOGIN_DENIED ? "login_denied"
 										: (status == Identity.STATUS_DELETED ? "deleted"
 												: "unknown"))));
-				if(status == Identity.STATUS_LOGIN_DENIED) {
+				if(oldStatus != status && status == Identity.STATUS_LOGIN_DENIED && Boolean.parseBoolean(roleChangeMap.get("sendLoginDeniedEmail"))) {
 					sendLoginDeniedEmail(identity);
 				}
 				identity = secMgr.saveIdentityStatus(identity, status);
diff --git a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeStep01.java b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeStep01.java
index 3d27185726e362c58b6a278aa59d4190298222df..65ab2f317243e5de039272d89644f32a6530e100 100644
--- a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeStep01.java
+++ b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeStep01.java
@@ -103,6 +103,7 @@ class UserBulkChangeStep01 extends BasicStep {
 		private SingleSelection setAdmin;
 		private MultipleSelectionElement chkStatus;
 		private SingleSelection setStatus;
+		private MultipleSelectionElement sendLoginDeniedEmail;
 
 		public UserBulkChangeStepForm01(UserRequest ureq, WindowControl control, Form rootForm, StepsRunContext runContext) {
 			super(ureq, control, rootForm, runContext, LAYOUT_VERTICAL, null);
@@ -146,6 +147,10 @@ class UserBulkChangeStep01 extends BasicStep {
 
 			if (chkStatus!=null && chkStatus.getSelectedKeys().contains("Status")) {
 				roleChangeMap.put("Status", setStatus.getSelectedKey());
+				// also check dependent send-email checkbox
+				if (sendLoginDeniedEmail!=null) {
+					roleChangeMap.put("sendLoginDeniedEmail", Boolean.toString(sendLoginDeniedEmail.isSelected(0)));					
+				}
 				validChange = true;
 			}
 
@@ -267,10 +272,20 @@ class UserBulkChangeStep01 extends BasicStep {
 
 				setStatus = uifactory.addDropdownSingleselect("setStatus",null, innerFormLayout, statusKeys, statusValues, null);
 				setStatus.setVisible(false);
+				setStatus.addActionListener(listener, FormEvent.ONCHANGE);
 				targets = new HashSet<FormItem>();
 				targets.add(setStatus);
 				RulesFactory.createHideRule(chkStatus, null, targets, innerFormLayout);
 				RulesFactory.createShowRule(chkStatus, "Status", targets, innerFormLayout);
+				
+				sendLoginDeniedEmail = uifactory.addCheckboxesHorizontal("rightsForm.sendLoginDeniedEmail", innerFormLayout, new String[]{"y"}, new String[]{translate("rightsForm.sendLoginDeniedEmail")}, null);
+				sendLoginDeniedEmail.setLabel(null, null);
+				sendLoginDeniedEmail.setVisible(false);
+				RulesFactory.createHideRule(chkStatus, null, sendLoginDeniedEmail, innerFormLayout);
+				RulesFactory.createHideRule(setStatus, Integer.toString(Identity.STATUS_ACTIV), sendLoginDeniedEmail, innerFormLayout);
+				RulesFactory.createHideRule(setStatus, Integer.toString(Identity.STATUS_PERMANENT), sendLoginDeniedEmail, innerFormLayout);
+				RulesFactory.createShowRule(setStatus, Integer.toString(Identity.STATUS_LOGIN_DENIED), sendLoginDeniedEmail, innerFormLayout);
+
 			}
 
 		}