I have a client challenge that I hope we can solve.
Scenario
Corporate: one-way trust to our client AD.
Mirrored AD users, but completely unique SIDs per domain.
Assume zero assistance from corporate, and assume no visibility in any way into the corporate environment.
Problem: corporate requires 90-day password rotation that is synchronized with their corporate AD architecture.
I.e., if user jp is required to change their password at the corporate site, it must be done on our client side at the same time.
My thoughts so far....
Is there a way to pull the event log locally on a PC that splits domain logins?
Can we see the corporate domain password prompt event ID trigger on the local PC and then trigger a script/GPO on our client domain to prompt the user to change their password when they next log in?
(Yes, they log in as jp@domaina.com and jp@domainb.com on the same systems, and also have separate systems dedicated to each domain depending on the office.)
I have found this as the closest to it; however, it is on a failed password reset attempt. Anyone have any solutions, or up for a challenge?
Description Fields in 4724
Subject:
The user and logon session that performed the action.
Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or, in the case of local accounts, computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Target Account:
Security ID: SID of the account.
Account Name: Name of the account.
Account Domain: Domain of the account.
FYI, we have zero room to change any structure or requirements.
I am aware we can introduce password sync from corporate to client. This way, when a password is changed in corporate, it syncs to the corresponding account in the client domain, and hence adheres to the 90-day rule. There are password sync solutions that work from domain to domain and from domain to local account.
BUT, unfortunately, any work on the corporate end is not a possibility at this time. It has to be a 100% client-side solution.
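The "watch the event log, then force a change on the twin account" idea sketched in the post, written out as an added PowerShell example. This is not code from the original post; it is a starting point that assumes a hypothetical environment: the corporate (trusted) domain's NetBIOS name is `CORP`, the client domain is `client.example`, mirrored accounts share the same sAMAccountName, the RSAT ActiveDirectory module is installed, and the script runs (e.g. from a scheduled task) under an account allowed to modify users in the client domain. It also assumes that a successful 4723 (user changed own password) or 4724 (administrator reset password) event for the corporate account is present in the Security log being read. Caveat: for domain accounts those two events are written on the domain controller that processed the change, not necessarily on the workstation, so test on a real dual-domain workstation whether the local log ever contains them before relying on this; the correlation and state-tracking logic is the transferable part.

```powershell
# Added example, not part of the original post. Names, paths and domains below
# are assumptions for illustration.
#
# Reads 4723/4724 success events from a Security log, and for every target
# account in the trusted corporate domain flags the same-named account in the
# client domain to change its password at next logon (pwdLastSet = 0).

param(
    [string]$CorporateDomain = 'CORP',                         # hypothetical NetBIOS name of trusted domain
    [string]$ClientDomain    = 'client.example',               # hypothetical client domain (DNS name)
    [string]$StatePath       = "$env:ProgramData\PwdSync\last-record.txt",
    [string]$LogName         = 'Security'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Remember the last Security-log RecordId already handled, so repeated runs
# from a scheduled task do not re-flag the same password change.
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
$lastRecord = 0
if (Test-Path $StatePath) { $lastRecord = [int64](Get-Content $StatePath -Raw).Trim() }

# 4723 = account changed its own password, 4724 = password reset by an admin.
# Keywords 9007199254740992 (0x20000000000000) restricts to Audit Success,
# which answers the "failed attempt" concern: failures carry Audit Failure.
$filter = @{ LogName = $LogName; Id = 4723, 4724; Keywords = 9007199254740992 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastRecord } |
    Sort-Object RecordId

foreach ($ev in $events) {
    # Pull the named EventData fields (TargetUserName, TargetDomainName, ...)
    # out of the event XML rather than parsing the rendered message text.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetDomainName'] -eq $CorporateDomain) {
        $sam = $data['TargetUserName']
        try {
            # Identity accepts a sAMAccountName; the mirrored account is assumed
            # to use the same one (jp in both domains, per the post).
            $mirror = Get-ADUser -Identity $sam -Server $ClientDomain -ErrorAction Stop
            Set-ADUser -Identity $mirror -Server $ClientDomain -ChangePasswordAtLogon $true
            Write-Host ("{0}: {1}\{2} password changed (event {3}); {4}\{2} must change at next logon" -f `
                $ev.TimeCreated, $CorporateDomain, $sam, $ev.Id, $ClientDomain)
        }
        catch {
            Write-Warning "No mirrored account for $CorporateDomain\$sam in $ClientDomain (record $($ev.RecordId)): $_"
        }
    }

    # Advance the high-water mark after each record, including ones we skipped.
    Set-Content -Path $StatePath -Value $ev.RecordId
}
```

Run it on a schedule from a machine whose Security log is expected to carry the events (or point `-LogName` at a forwarded-events log if you collect workstation logs centrally on the client side). Because the one-way trust gives the client domain no way to read corporate `pwdLastSet`, this only ever reacts to evidence the client side already has; if a test shows the workstation does not log 4723/4724 for trusted-domain accounts, this approach has no signal to work from and the password-sync route mentioned in the post is the remaining option.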