I have two ADSI scripts (written in KiX, of course) that I use to 'clean up' exipired workstations and user accounts.

CompAcctPswdAge() is my port of Howard's MachAcctPWAge Perl script. I usually run it to generate a list of machines with the password expired, and then go over it to make sure that there isn't anything in the list that shouldn't be there. For example, we have a couple of CD towers that, for some reason, show up expired on Howard's and my script.

I had another ADSI script on the board that checked user accounts maxpasswordage vs. their passwordage while also checking certain flags like 'DONTEXPIREPASSWD' and 'ACCOUNTDISABLED,' but I'll be danged if I can find it. I can repost it if you're interested.