I created a script to tell users when their passwords will expire. My domain isn't so big so it works for me. I'm not sure how well it will scale. I use wbinfo to get the domain users I use rpcclient to get the user's CIDs and to get their password expire times and I use ldapsearch to get their email address and to see if it is disabled I use mutt to email each user. There may be some better ways to do this but a variant of these scripts has been working flawlessly for about a year now. My variant had a bunch of the things hard coded it and I did my best to make them variables in the domain_config file. I might be able to do it all with ldap commands that would make it more flexible with domains that may not be windows domains.