Q. How can I query all user accounts for a specific account expiration date?

Jerold Schulman

August 14, 2006


The account expiration date is stored in the accountExpires attribute, which contains a date and time as a 64-bit number, like 126822420000000000.

It is possible to use DsQuery to retrieve all user records, converting accountExpires to a date and time before testing, or you can use an LDAP query to retrieve all the records, but you still have to convert accountExpires to a date and time.

If you use ADFind.exe, you can take advantage of the -binenc and -tdcs switches, like:

adfind -default -nodn -csv -tdcs -binenc -f "&(objectcategory=Person)(accountexpires>={{LOCAL:2002/11/20}})(accountexpires

which produces the following output in my domain:

"distinguishedName","sAMAccountName","accountExpires"
"CN=Jane Doe,CN=Users,DC=JSIINC,DC=COM","Jane.Doe","2002/11/21-01:00:00 Eastern Daylight Time"
"CN=JohnDoe,OU=OU_TEST,DC=JSIINC,DC=COM","John.Doe","2002/11/20-01:00:00 Eastern Daylight Time"

NOTE: Because accountExpires contains date and time, you must search a range of values.
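
The conversion and range search described above, as an added example (not part of the original article and not ADFind's own code): it converts accountExpires values to and from dates and builds an LDAP filter covering one calendar day. The function names and the fixed UTC-5 offset are assumptions chosen for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# accountExpires counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Both of these stored values mean the account never expires.
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ticks):
    """Convert an accountExpires value to an aware UTC datetime (None = never)."""
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Convert an aware datetime to the 64-bit integer stored in accountExpires."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def expires_on_filter(day, tz):
    """Build an LDAP filter for accounts expiring during `day` in time zone `tz`.

    LDAP filters in Active Directory offer >= and <= but no strict < or >,
    so the upper bound is the last tick before the next local midnight.
    """
    start = datetime.combine(day, time.min, tzinfo=tz)
    first = datetime_to_filetime(start)
    last = datetime_to_filetime(start + timedelta(days=1)) - 1
    return ("(&(objectCategory=person)"
            f"(accountExpires>={first})(accountExpires<={last}))")


if __name__ == "__main__":
    # Assumption: a fixed UTC-5 offset stands in for US Eastern standard time.
    eastern = timezone(timedelta(hours=-5))
    print(filetime_to_datetime(126822420000000000))   # the article's sample value
    print(expires_on_filter(date(2002, 11, 20), eastern))
```

The resulting filter string can be passed to any LDAP client; because the sentinel values fall outside a one-day range, accounts that never expire are excluded automatically.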

