Question: do they still know their passwords? Even if they do not, is it embedded in their browsers / workstations? You could set up a sniffer and turn off the password encryption options of the server so that the passwords cross in clear text. Capture it with the sniffer. You can even reboot the server to force them all to re-login...