According to the documents at https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS136820&posno=1&q=password%20change&Produc...
there is the following note:
In a Windchill environment, the web server is responsible for validating that a user can log on. Several password policy properties described in the following list cause the Windchill Directory Server to use extended LDAP controls that then return extra information to the web server. The web servers that are supported in your Windchill environment do not include support for these extended controls; therefore, unless you customize your web server, the web server ignores the extra information that is sent. When this happens, a user can get into a state of not being able to log on. Therefore, the properties that cause extra information to be sent are listed as not supported.
I personally think that it should definitely be a PDMLink core function to be able to set a maximum expire time for a password and a password policy so that a user is automatically redirected if his password is expired.