Many of these use the Microsoft Active Directory LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matching rule to evaluate userAccountControl against the various User-Account-Control Attribute Values.
PASSWD_NOTREQD implies the user could have no password and anyone could authenticate as the entry and set their own password.
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" "userAccountControl" "EmployeeStatus" "employeeType" "pwdLastSet" "sAMAccountName" "objectClass"
LDAPWiki was advised that this search also returns entries with userAccountControl=2080, which are INTERDOMAIN_TRUST_ACCOUNT entries, and you should not mess with their passwords. They do not have passwords but use non-password authentication. Here is one that excludes those accounts:
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2048))(pwdLastSet=0))" "sAMAccountName" "userAccountControl" "employeeStatus" "employeeType" "pwdLastSet" "lastLogonTimestamp" "createTimeStamp" "objectClass"
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Oddly, this is different from DONT_EXPIRE_PASSWORD: it addresses accounts that never expire, as opposed to passwords that never expire. Read about accountExpires to learn why.
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
searchBase="DC=EXAMPLE,DC=COM" filter="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
And a slightly more specific search using (sAMAccountType=805306368):
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(sAMAccountType=805306368)(lastLogonTimestamp<=131592420610000000))" "userAccountControl" "employeeType" "lastLogonTimestamp" "objectClass"
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 10000 "(objectClass=foreignSecurityPrincipal)" "memberOf" "sAMAccountName" "sAMAccountType" "objectClass"
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))" "userAccountControl" "employeeType" "createTimeStamp" "objectClass"
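The bit tests on userAccountControl and the large integers in the pwdLastSet and lastLogonTimestamp filters above can be reproduced offline to review search results or to build a cutoff for your own date. The Python below is an added example, not LDAPWiki's own code. Its assumptions: the function names are hypothetical, the flag names not mentioned on the page are Microsoft's documented names for the bit values its filters use, the timestamps are treated as Windows FILETIME values, and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits tested by the filters on this page (decimal in comments).
UAC_FLAGS = {
    0x000020: "PASSWD_NOTREQD",             # 32
    0x000800: "INTERDOMAIN_TRUST_ACCOUNT",  # 2048
    0x010000: "DONT_EXPIRE_PASSWORD",       # 65536
    0x100000: "NOT_DELEGATED",              # 1048576
    0x200000: "USE_DES_KEY_ONLY",           # 2097152
    0x400000: "DONT_REQ_PREAUTH",           # 4194304
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Names of the flags above that are set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def bit_and_matches(value, mask):
    """Same test as (userAccountControl:1.2.840.113556.1.4.803:=mask)."""
    return value & mask == mask

def to_filetime(dt):
    """Timezone-aware datetime -> count of 100 ns intervals since 1601-01-01 UTC."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def from_filetime(ft):
    """FILETIME integer -> UTC datetime (anything below 1 microsecond is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def stale_logon_filter(cutoff):
    """The page's sAMAccountType search, rebuilt for a cutoff you choose."""
    return f"(&(sAMAccountType=805306368)(lastLogonTimestamp<={to_filetime(cutoff)}))"

def passwd_notreqd_hits(entries):
    """Client-side version of the filter that skips trust accounts:
    bit 32 set, bit 2048 clear, pwdLastSet=0."""
    return [name for name, uac, pwd_last_set in entries
            if bit_and_matches(uac, 32) and not bit_and_matches(uac, 2048)
            and pwd_last_set == 0]

# Constructed sample entries: (sAMAccountName, userAccountControl, pwdLastSet).
SAMPLE = [("jdoe", 544, 0), ("PARTNER$", 2080, 0),
          ("asmith", 512, 0), ("bwong", 544, 131707986436733938)]

if __name__ == "__main__":
    print(decode_uac(2080))                   # the trust-account value from the page
    print(from_filetime(131592420610000000))  # cutoff used in the page's search
    print(passwd_notreqd_hits(SAMPLE))
```

Pass `to_filetime` a timezone-aware UTC datetime; a naive datetime raises a TypeError instead of silently producing a cutoff shifted by the local offset.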