More questions.. :-)
Is the behaviour only for SU3 and the user is authorized for the debugger or meant is only F5 (change password) on the logon screen regardless of their other authorizations and the password must be changed?
What is the load balancing policy to the instance with lowercase = 2 and specials = 1 policy? Does the IT employee have access to SM51 or SA38 or commands to start SAPGUI or connect to the server to avoid that instance?
Are you sure that the IT employees do not have access to SE37 workbench etc which is equivalent to SU01 (see SAP note 587410)? So there is no way for them to set / use an administrator password and are really just end users in the SAP Logon screen with no option to influence the instance they are connecting to?
For the moment I still stick to "all of the above", but 2, 4 and 5 will certainly do the trick still... :-)
Cheers,
Julius