Please confirm that you're not trying to do this over a one-way trust.
Express won't work or will produce bogus results. Only commercial editions in zone mode support one-way trusts.
Let me know the output of "adinfo -y domain" (please de-identify the domain) and "adinfo -T [domain.where.the.user.resides]".
Sample outputs:
$ adinfo -y domain
System Diagnostic
========Domain info map========
DC=hq,DC=fabrikam,DC=com
    CN = HQ.FABRIKAM.COM
    SID = S-1-5-21-2165579280-668341325-710928106
    TRUST_ATTRS = 0x20
    TRUST_DIRECTION = 3
    TRUST_TYPE = 2
    NTLM NAME = HQ
    LOCAL FOREST = YES
CN=corp.contoso.com,CN=System,DC=hq,DC=fabrikam,DC=com
    CN = CORP.CONTOSO.COM
    SID = S-1-5-21-2180375406-786980114-1643973036
    TRUST_ATTRS = 0x4
    TRUST_DIRECTION = 2
    TRUST_TYPE = 2
    NTLM NAME = CORP
    LOCAL FOREST = NO

$ adinfo -T corp.contoso.com
Domain Diagnostics:
  Domain: corp.contoso.com
  DNS query for: _ldap._tcp.corp.contoso.com
  DNS query for: _gc._tcp.corp.contoso.com
  Testing Active Directory connectivity:
    Global Catalog: dc1.corp.contoso.com
      gc: 3268/tcp - good
    Global Catalog: dc2.corp.contoso.com
      gc: 3268/tcp - good
    Domain Controller: dc1.corp.contoso.com
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
      ntp: 123/udp - good
    Domain Controller: dc2.corp.contoso.com
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
      ntp: 123/udp - good
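
Added example, not part of the original post and not Centrify code: a small parser for "adinfo -y domain" output that lists the trusts that are one-way, which is the condition the post asks about. It assumes adinfo prints one "KEY = value" field per line and that TRUST_DIRECTION carries Active Directory's trustDirection values (1 inbound, 2 outbound, 3 bidirectional); the function names are hypothetical.

```python
import re

# AD trustDirection values; assumed to be what adinfo prints as TRUST_DIRECTION.
DIRECTIONS = {0: "disabled", 1: "inbound (one-way)",
              2: "outbound (one-way)", 3: "bidirectional"}

# Constructed sample: the sample output from the post, one field per line.
SAMPLE = """\
System Diagnostic
========Domain info map========
DC=hq,DC=fabrikam,DC=com
    CN = HQ.FABRIKAM.COM
    TRUST_ATTRS = 0x20
    TRUST_DIRECTION = 3
    LOCAL FOREST = YES
CN=corp.contoso.com,CN=System,DC=hq,DC=fabrikam,DC=com
    CN = CORP.CONTOSO.COM
    TRUST_ATTRS = 0x4
    TRUST_DIRECTION = 2
    LOCAL FOREST = NO
"""

DN_LINE = re.compile(r"^(DC|CN)=\S")          # distinguished name opens an entry
FIELD = re.compile(r"^([A-Z_ ]+?) = (.*)$")   # fields have spaces around '='

def parse_domain_map(text):
    """Return one dict per domain entry found in the domain info map."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if DN_LINE.match(line):
            current = {"DN": line}
            entries.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2).strip()
    return entries

def one_way_trusts(entries):
    """List (domain, direction) for every entry whose trust is not bidirectional."""
    flagged = []
    for entry in entries:
        if "TRUST_DIRECTION" not in entry:
            continue
        direction = int(entry["TRUST_DIRECTION"], 0)  # accepts "2" or "0x2"
        if direction in (1, 2):
            flagged.append((entry.get("CN", entry["DN"]), DIRECTIONS[direction]))
    return flagged

if __name__ == "__main__":
    for name, kind in one_way_trusts(parse_domain_map(SAMPLE)):
        print(f"{name}: {kind}")
```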