#1 plus #3
After looking back at this, I can't imagine the sheer amount of time spent with password negotiation. At first it is being stated that users should change their password every 30 days, but then it is saying to keep a list of EVERY USER'S PASSWORD. Talk about a maintenance nightmare! Not only is it insecure, even if it's encrypted, all you are doing is spending time either updating your password list, or trying to get users to tell you what they changed their password to this month. Just keep AD pulled up on a server and log in to it so that you can force a user password reset manually if needed. Much faster and no one but the user knows what the password is (except AD). If they are no longer there or there are special circumstances, you can always reset it and log in as them.