Funny, I was just discussing this with Jon yesterday (in another context) and the conclusion was that polkit authentication via PAM should do the account phase as well (and the screensaver shouldn't). 

We didn't discuss password-changing though - Jon, any thoughts?

We seem to be doing the right thing now:

 $ pkexec /usr/bin/pk-example-frobnicate 
 ==== AUTHENTICATING FOR org.freedesktop.policykit.example.pkexec.run-frobnicate ===
 Authentication is required to run the PolicyKit example program Frobnicate
 Authenticating as: David Zeuthen (davidz)
 Password: 
 Error: Your account has expired; please contact your system administrator
 polkit-agent-helper-1: pam_acct_mgmt failed: User account has expired
 Error: User account has expired
 ==== AUTHENTICATION FAILED ===
 Error executing command as another user: Not authorized

 This incident has been reported.

(In reply to comment #0)
> This was reported in Xubuntu [1]. It appears that if an admin marks your
> password for expiration using 'sudo passwd -e USER', you can't authenticate via
> PolicyKit until you log out. Is that the intended behavior?

Just to clarify, yeah, I do think this is intended behavior... at least for now... it of course begs the question how the user should _fix_ the problem.. because... presumably he would need to authenticate as himself to gain an authorization to change the expiration date of his account.

I'll leave that problem to others to figure out... probably Jon and Matthias should have a thinko about this in the accountsservice/accountsdialog projects.