I think I may have just figured out a way.  A little hoakey but should do the trick. 

Still interested in anyone else's ideas though. 

'cause I'm a private person, besides, if I told you I would have to kill you.

I need to run a few sandbox tests to make sure I am not missing anything.  Solution looks good on paper but we know how that goes.  If it works out, I will post back.

So, since you have not posted back yet, is it safe to assume that the idea did not work? 

No, I still think it would work fine, it just became a low priority.  If you have the opportunity to give it a try, below is an overview:

1. Create a new extension table off of tsmUser (or add columns to that table if you are so inclined) that identifies each user's password expiration date and number of grace logins allowed.
2. For the main proc that executes during login (I believe it is spGetSiteAndUserInfo), manipulate the code so that it looks at this table and compares the current date to the user's login expiration date from the new table. 
3. If the expiration date is after the current date, the code flow through that SP should remain the same ~ VALID LOGIN
4. If the expiration has passed, do a lookup against the new extension table of how many grace logins are allowed.
5. If the number of grace logins allowed is > 0 then allow the login to continue and decrement the number of grace logins by 1 and queue an email alerting the user/admin of the pending password expiration ~ VALID LOGIN
6. If the number of grace logins <= 0 channel the code flow of the SP to return {'SELECT 'UserID','''} which will get handled as if the user does not exist and queue an email alerting the user/admin of the expired password  ~ INVALID LOGIN
7. Modify the User Preferences task to increment both the grace logins and expiration date when the user updates his password
8. Modify the Maintain Users task to provide a means to override/reset the grace logins and expiration date

The down side is that the notification is by email and not an immediate message box popping up that informs the user of the reason for not being able to log in.  To the user it would appear to be handled the same way as if they typed in the wrong password or they were an invalid user.  But if you implement the grace period login piece, then they should be aware of what's going on and it is their own fault for getting to that point.

NOTE:  When I looked at this, we were on 7.20.9 but we have since upgraded to 7.30.2 so it is possible things may have changed (although you would hope that if Sage were changing logic in this area, they would just bite the bullet and provide this pretty basic feature)

Thank you! We are on 7.3 too. It looks like a pretty complex solution. 

By the way, you could email to the user when they have only 5 or so grace logins left, so they could get more notification about their password expiration

Just curious, why not use Windows Authentication which does this for you?

MAS500 integration with Windows authentication does not work properly with security events of which we rely heavily on.

Understood! Very good reason.