The list of password violations seems to be lacking in some information. While it tells you who the violators are and how many policies they violate, it doesn't tell you when the person was added to the list, how many notifications have been sent to them or the current state of the email account (whether or not the password has expired).
The data is all contained w/in the settings.json file, but you have to go through each file manually to get any answers. We're in discussions of changing the minimum password length. If we did that, more names would be added to the list but we couldn't differentiate between the old violations and the new ones. I would recommend adding at least the date of expiration to the password validation list. I think it would also be beneficial to know how many emails have been sent to the user warning them of the expiration.
Another recommendation I would make is when you disable someone's outbound SMTP, if they try to send an email, generate an automated error message and send it to them letting them know their outbound mail is disabled. Right now, they assume the mail works. When I tested this yesterday, everything looked like it sent fine until I dug into the logs and saw "Outbound messaging disabled". The user never really knows what's going on.