So I was working at a company and the security department was complaining that old employees weren't disabled. Well, IT did set the account expiration date on each user, but the security department really liked the little arrow on the user icon. So this is a simple PowerShell script that disables all user accounts that have passed their expiration date. So we ran this script and IT could continue as before and the security department got their small arrows on the user accounts.
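Import-Module ActiveDirectory
# Current time as a Windows FILETIME, the format accountExpires is stored in
$now = (Get-Date).ToFileTime()
# Enabled accounts (disabled bit 2 not set) whose expiry has passed; accountExpires=0 means "never expires"
$ldapfilter = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(accountExpires<=$now)(!(accountExpires=0)))"
Get-ADUser -LDAPFilter $ldapfilter | Disable-ADAccount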
Or you could use the Search-ADAccount cmdlet:
Search-ADAccount -AccountExpired -UsersOnly | Where-Object { $_.Enabled } | Disable-ADAccount
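A mass disable is easier to defend when it can be previewed and leaves a record. The following is an added example, not the original script: it wraps the same LDAP filter in a function that honours -WhatIf and emits one record per matched account. The function name `Disable-ExpiredAdUser`, the `-SearchBase` parameter, the output columns and the CSV file names are assumptions made for illustration.

```powershell
# Added example: function name, parameter and output columns are assumptions.
Import-Module ActiveDirectory

function Disable-ExpiredAdUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional OU distinguished name to limit the search (assumed parameter)
        [string]$SearchBase
    )

    $now = (Get-Date).ToFileTime()
    # Same logic as the filter above: enabled, expiry in the past, and not 0 ("never").
    # The other "never" value, 9223372036854775807, is always greater than $now.
    $filter = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(accountExpires<=$now)(!(accountExpires=0)))"

    $query = @{ LDAPFilter = $filter; Properties = 'accountExpires' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $disabled = $false
        # ShouldProcess returns $false under -WhatIf, so a dry run changes nothing
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
            try {
                Disable-ADAccount -Identity $user -ErrorAction Stop
                $disabled = $true
            }
            catch {
                # For example: insufficient rights on the object
                Write-Warning "Could not disable $($user.SamAccountName): $_"
            }
        }
        # One record per matched account, emitted in dry runs and real runs alike
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            ExpiredOnUtc      = [DateTime]::FromFileTimeUtc($user.accountExpires)
            Disabled          = $disabled
        }
    }
}

# Dry run: list what would be disabled and keep the list for review
Disable-ExpiredAdUser -WhatIf | Export-Csv .\expired-accounts-dryrun.csv -NoTypeInformation

# Real run: disable the accounts and record what was changed
Disable-ExpiredAdUser | Export-Csv .\expired-accounts-disabled.csv -NoTypeInformation
```

Rows with `Disabled` set to False after a real run are accounts that matched the filter but could not be changed, which is worth following up rather than assuming the run was complete.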