Geoffrey already covered the best option. The latest configs and shim
support a new option that controls the lifetime of passwords on the DCs.
Set the password expiration timeout to something tiny at the start, or
maybe when you first deploy the config just put a veto somewhere that
will block all of the first passwords coming through (to be disabled
later so passwords can really come through) and then you'll be fine.

Good luck.