I have 2 NT4 domain controllers. They both are in the same state but different cities and connected by T1 lines. We have external clients who have to be authenticated to the domain. Our password policy requires changing passwords periodically. Some of the external clients do not get prompted to change their passwords when the check box "user must change password at next logon" is checked after resetting the password. When they enter their logon id and password they get the message "your account has expired". Only by unchecking user must change password at next logon are they able to logon.