One of the most important tasks that an Active Directory administrator performs is ensuring that expired user accounts are reported in a timely manner and that action is taken to immediately remove or disable them. Note that user accounts for which you set an expiration date are only created temporarily. For example, you might have created several user accounts to allow vendors to log on to the Active Directory. Similarly, you might have created user accounts for contractors. If you wish to see what accounts have expired, execute the following PowerShell command:
Search-ADAccount -Server $ThisDomain -Credential $Creds -AccountExpired -UsersOnly -ResultPageSize 2000 -resultSetSize $null| Select-Object Name, SamAccountName, DistinguishedName
Note the use of the Search-ADAccount PowerShell cmdlet again but with a different switch this time. The switch that we use is AccountExpired. As the name suggests, the AccountExpired switch helps you to collect user accounts that have expired.
Need more PowerShell scripts for Active Directory? Find all the top wanted PowerShell commands for Active Directory in one blog post.