thanx for your help. But it is rather the other way round: The customer already has the
policy for special users that must not be forced to change the password. In addition, the
customer now wants "normal" users to be completely locked out when the password
has expired, only administrators may then be able to change the user's password and
enable the user's login.