If your users tend to ignore the systems password change request and implementing tip 559 in a login script doesn't seen to help, try scheduling it in batch. JSINotify.bat uses JSIExpire.bat (from tip 559) and Showmbrs from

It can use the Notify.bat from tip 559 or you can use a create another one.

Usage: JSINotify "DomainName" Days <path>\notify.bat

 
@echo off 
if %1
"" goto syntax 
if "%2"
"" goto syntax 
set agea=%2 
set /a agen=%agea% 
if "%agea%"
"%agen%" goto notify 
:syntax 
@echo JSINotify "DomainName" Days <path>\notify.bat 
goto end 
:notify 
if %3
"" goto syntax 
if not exist %3 goto syntax 
Set Domain=%1 
for /f "Tokens=*" %%i in ('showmbrs "%DOMAIN%\Domain Users"') do
 (for /f "tokens=1-3" %%j in ('net user "%%i" /domain') do call :xuser %2 %3 "%%i" %%j %%k %%l) 
REM The above two lines are 1 line
goto end 
:xuser 
if not "%4"
"Password" goto end 
if not "%5"
"expires" goto end 
if "%6"=="Never" goto end 
call JSIExpire %3 %1 %2 
:end

To schedule the process on your PDC, the Schedule Service must run under a Domain Admin account or have the Scheduler run under the System account and impersonate a Domain Admin for this job, using SU (see Supplement Two):

AT 00:00 /Every:M,T,W,Th,F,S,Su CMD /C "<Path>\JSINotify.bat"