When Active Directory detects that a user's password has expired, it sets the user's userAccountControl attribute by ORing it with 0x800000.

Using DSQUERY from the Active Directory command-line tools, I have scripted PWDExpUAC.bat to return the user name and distinguished name of the accounts that have the 0x800000 bit set in the userAccountControl attribute.

PWDExpUAC.bat has no parameters. The output is displayed on the console, but you can process it in your script by using:

for /f "Tokens=1*" %%u in ('PWDExpUAC') do (                               set samid=%%u                               set userDN=%%v                               call :DoSomething                              )
PWDExpUAC.bat contains:
@echo off                              setlocal                              set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr userAccountControl sAMAccountName distinguishedName -limit 0                              for /f "Skip=1 Tokens=1,2*" %%a in ('%qry%') do (                               call :testit %%b "%%c" %%a                              )                              endlocal                              goto :EOF                              :testit                              if "%3" EQU 0 goto :EOF                              set user=%1                              set dn=%2                              set /a uac=%3                              :GEQ                              if %uac% GEQ 16777216 set /a uac=%uac% - 16777216&goto GEQ                              if %uac% LSS 8388608 goto :EOF                              set dn=%dn:  =%                              set dn=%dn: "="%                              @echo %user% %dn%                              
NOTE: To retrieve any user's exact password expiration date and time, you can:
for /f "Tokens=1-3*" %%a in ('net user %The_User_Name% /domain^|find "Password"^|find "expires"') do (                               set dt=%%c                               set tm=%%d                              )
NOTE: If the dt environemt variable is Never, tm is null.