So I found this script on Microsoft’s site to query bitwise information out of AD.
' Bind to rootDSE to discover the domain naming context, then bind to the domain root
Set oNSP = GetObject("LDAP://rootDSE")
Set oConfig = GetObject("LDAP://" & oNSP.Get("defaultNamingContext"))

' Open an ADO connection through the ADSI OLE DB provider
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open ""

' Bit(s) to test in userAccountControl. 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND
' rule: the entry matches when every bit in the value is set. The value was missing from the
' original listing; substitute any decimal value from the table below (2 = ACCOUNTDISABLE here).
intFlag = 2
strQuery = "<" & oConfig.ADsPath & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=" & intFlag & "));" & _
    "name,objectClass;subtree"

Set oRS = oConn.Execute(strQuery)
While Not oRS.EOF
    MsgBox oRS.Fields("name")
    oRS.MoveNext
Wend
MsgBox "done"

oRS.Close
oConn.Close
Set oRS = Nothing
Set oConn = Nothing
Set oConfig = Nothing
Set oNSP = Nothing
I then found this list of Hex Codes to use to pull specific information:
Property flag                   Hex         Decimal
SCRIPT                          0x0001      1
ACCOUNTDISABLE                  0x0002      2
HOMEDIR_REQUIRED                0x0008      8
LOCKOUT                         0x0010      16
PASSWD_NOTREQD                  0x0020      32
PASSWD_CANT_CHANGE              0x0040      64   (see note)
ENCRYPTED_TEXT_PWD_ALLOWED      0x0080      128
TEMP_DUPLICATE_ACCOUNT          0x0100      256
NORMAL_ACCOUNT                  0x0200      512
INTERDOMAIN_TRUST_ACCOUNT       0x0800      2048
WORKSTATION_TRUST_ACCOUNT       0x1000      4096
SERVER_TRUST_ACCOUNT            0x2000      8192
DONT_EXPIRE_PASSWORD            0x10000     65536
MNS_LOGON_ACCOUNT               0x20000     131072
SMARTCARD_REQUIRED              0x40000     262144
TRUSTED_FOR_DELEGATION          0x80000     524288
NOT_DELEGATED                   0x100000    1048576
USE_DES_KEY_ONLY                0x200000    2097152
DONT_REQ_PREAUTH                0x400000    4194304
PASSWORD_EXPIRED                0x800000    8388608
TRUSTED_TO_AUTH_FOR_DELEGATION  0x1000000   16777216

Note: PASSWD_CANT_CHANGE cannot be set by directly modifying the userAccountControl attribute. For how to set it programmatically, see the "Property flag descriptions" section of the article this list is taken from.
The only issue I found is that you can't use PASSWD_CANT_CHANGE; that one doesn't pull back any information. Unfortunately, that was what I was looking for, but I just decided to change everyone's account to let them change their passwords.
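The empty result for PASSWD_CANT_CHANGE is expected: that "flag" is never stored in the userAccountControl attribute. Active Directory represents it as a deny ACE for the "Change Password" extended right on the user object, so a bitwise filter on bit 0x0040 has nothing to match. The added example below (mine, not from the original post or from Microsoft) covers the two things the post actually uses: it builds the bitwise LDAP filter that the VBScript above sends, with the missing flag value filled in, and it decodes a raw userAccountControl value into the flag names from the table, then applies a small review list over constructed sample records. PASSWD_CANT_CHANGE is deliberately left out of the flag table for the reason just given; the sample records and the review list are my own assumptions.

```python
# Added example: build userAccountControl bitwise LDAP filters and decode raw values.
# Flag names and bits are the Microsoft constants from the table above; the sample
# records and the "risky flags" list below are constructed for illustration.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit in the mask must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit in the mask is set

# userAccountControl flags (name -> bit). PASSWD_CANT_CHANGE (0x0040) is absent on purpose:
# it is expressed as an ACE on the user object, not stored in this attribute, which is
# why a bitwise filter on it returns nothing.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Constructed review list: flags that weaken password or authentication policy.
RISKY_FLAGS = {
    "PASSWD_NOTREQD": "account may have an empty password",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication disabled",
    "USE_DES_KEY_ONLY": "restricted to DES Kerberos keys",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "reversibly encrypted password stored",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "DONT_EXPIRE_PASSWORD": "password never expires",
}


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl value, lowest bit first."""
    ordered = sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if value & bit]


def bitwise_filter(*flag_names, match_any=False, users_only=True):
    """Build the LDAP filter the VBScript above sends, with the flag value filled in.

    With a single flag the AND (.803) and OR (.804) rules behave the same; with several
    flags AND requires all of them to be set and OR requires at least one.
    """
    mask = 0
    for name in flag_names:
        mask |= UAC_FLAGS[name]  # KeyError for PASSWD_CANT_CHANGE or a typo, on purpose
    rule = LDAP_MATCHING_RULE_BIT_OR if match_any else LDAP_MATCHING_RULE_BIT_AND
    clause = f"(userAccountControl:{rule}:={mask})"
    if users_only:
        return f"(&(objectCategory=person)(objectClass=user){clause})"
    return clause


def review_accounts(records):
    """Apply RISKY_FLAGS to (name, userAccountControl) pairs; returns {name: [reasons]}."""
    findings = {}
    for name, uac in records:
        reasons = [RISKY_FLAGS[f] for f in decode_uac(uac) if f in RISKY_FLAGS]
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample records standing in for the "name" and userAccountControl columns
# of an LDAP result set.
SAMPLE_RECORDS = [
    ("alice", 0x200),                          # NORMAL_ACCOUNT only
    ("svc-backup", 0x200 | 0x10000),           # password never expires
    ("legacy-app", 0x200 | 0x20 | 0x400000),   # no password required, no pre-auth
    ("ws01$", 0x1000),                         # WORKSTATION_TRUST_ACCOUNT
]

if __name__ == "__main__":
    print(bitwise_filter("ACCOUNTDISABLE"))
    for name, uac in SAMPLE_RECORDS:
        print(f"{name:12} 0x{uac:07X} {', '.join(decode_uac(uac))}")
    for name, reasons in review_accounts(SAMPLE_RECORDS).items():
        print(f"REVIEW {name}: {'; '.join(reasons)}")
```

The filter string returned by bitwise_filter can be dropped straight into the VBScript's strQuery, or into a PowerShell Get-ADUser -LDAPFilter call, in place of the hand-written filter. Decoding the raw attribute client-side is the more useful direction for an audit, since one query for all users lets you report every flag at once instead of issuing one bitwise query per flag.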
