As the exit mentioned by Alex only applies to SAPGui based logins, I also prefer the option of a job which runs and gets the validity dates on the user master record and calculates the password validity and reacts to it depending on freely definable criteria in variants of the job.
That way you catch all "warnings" to admins first and only certain types of warnings to the user themselves about their password validity if it is not an admin / contract issue.
Cheers,
Julius
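
The routing described in the post above, sketched as an added example (not code from the thread): a job reads validity dates from the user master, derives password expiry, and sends validity problems to admins only while password warnings also go to the user when no validity problem exists. The mapping to USR02 fields GLTGB and PWDCHGDATE, the 90-day maximum age, and the 14-day warning window are assumptions standing in for the job's variant.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class UserRecord:
    name: str
    valid_to: Optional[date]  # end of user validity (assumed: USR02-GLTGB); None = unlimited
    pwd_changed: date         # last password change (assumed: USR02-PWDCHGDATE)


@dataclass
class Variant:
    max_pwd_age_days: int = 90  # assumed value of the password expiration setting
    warn_days: int = 14         # how far ahead the job warns


def evaluate(user: UserRecord, variant: Variant, today: date) -> list:
    """Return (recipient, reason) pairs for one user."""
    horizon = today + timedelta(days=variant.warn_days)
    pwd_expires = user.pwd_changed + timedelta(days=variant.max_pwd_age_days)
    warnings = []
    # Validity ending is an admin / contract matter: never sent to the user.
    account_issue = user.valid_to is not None and user.valid_to <= horizon
    if account_issue:
        state = "ended" if user.valid_to < today else "ends"
        warnings.append(("admin", f"{user.name}: validity {state} {user.valid_to}"))
    if pwd_expires <= horizon:
        state = "expired" if pwd_expires < today else "expires"
        reason = f"{user.name}: password {state} {pwd_expires}"
        warnings.append(("admin", reason))
        if not account_issue:  # user can fix this by changing the password
            warnings.append(("user", reason))
    return warnings


# Constructed sample records, not real users.
TODAY = date(2024, 6, 1)
USERS = [
    UserRecord("ALICE", None, date(2024, 3, 10)),
    UserRecord("BOB", date(2024, 6, 10), date(2024, 3, 10)),
    UserRecord("CAROL", None, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for u in USERS:
        for recipient, reason in evaluate(u, Variant(), TODAY):
            print(f"{recipient:5} {reason}")
```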