When Active Directory detects that a user's password has expired, it sets the user's userAccountControl attribute by ORing it with 0x800000.

Using DSQUERY from the Active Directory command-line tools, I have scripted PWDExpUAC.bat to return the user name and distinguished name of the accounts that have the 0x800000 bit set in the userAccountControl attribute.

PWDExpUAC.bat has no parameters. The output is displayed on the console, but you can process it in your script by using:

for /f "Tokens=1*" %%u in ('PWDExpUAC') do (
 set samid=%%u
 set userDN=%%v
 call :DoSomething
)
PWDExpUAC.bat contains:
@echo off
setlocal
<font size="-2">set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr userAccountControl sAMAccountName distinguishedName -limit 0</font>
for /f "Skip=1 Tokens=1,2*" %%a in ('%qry%') do (
 call :testit %%b "%%c" %%a
)
endlocal
goto :EOF
:testit
if "%3" EQU 0 goto :EOF
set user=%1
set dn=%2
set /a uac=%3
:GEQ
if %uac% GEQ 16777216 set /a uac=%uac% - 16777216&goto GEQ
if %uac% LSS 8388608 goto :EOF
set dn=%dn:  =%
set dn=%dn: "="%
@echo %user% %dn%
NOTE: To retrieve any user's exact password expiration date and time, you can:
for /f "Tokens=1-3*" %%a in ('net user %The_User_Name% /domain^|find "Password"^|find "expires"') do (
 set dt=%%c
 set tm=%%d
)
NOTE: If the dt environemt variable is Never, tm is null.