Retrieving user accounts that are not required to change their password can be done by querying the edsaPasswordNeverExpires Boolean attribute. If it is set to TRUE, the account is not required to change its associated password.
If LDAPFilter is being used, attributes that start with edsa cannot be used, because they are computed. Instead, search with the Microsoft bitwise filter (userAccountControl:1.2.840.113556.1.4.803:=65536) to return accounts that are not required to change their password.
Enhancement request number TF0455211 has been submitted for consideration in a future release of Active Roles Server, which would allow an optional change to this current behaviour.
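
The bitwise match used in the LDAP filter above, as an added example that is not part of the original article or of Active Roles: a small Python evaluator for the `(attribute:OID:=value)` form with Microsoft's bit-AND rule 1.2.840.113556.1.4.803, run over constructed sample entries to show why it finds accounts that a plain equality test on 65536 misses. The account names and helper functions are hypothetical.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit in the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit in the mask may be set
DONT_EXPIRE_PASSWORD = 65536         # 0x10000 bit of userAccountControl
ITEM = re.compile(r"^\((\w+):([0-9.]+):=(\d+)\)$")

def parse_item(text):
    """Split '(attr:oid:=value)' into (attr, oid, int mask)."""
    m = ITEM.match(text)
    if not m:
        raise ValueError(f"not an extensible-match item: {text!r}")
    attr, oid, value = m.groups()
    if oid not in (BIT_AND, BIT_OR):
        raise ValueError(f"unsupported matching rule: {oid}")
    return attr, oid, int(value)

def matches(entry, item):
    """Evaluate one bitwise extensible-match item against an entry (a dict)."""
    attr, oid, mask = parse_item(item)
    # LDAP attribute names compare case-insensitively.
    current = next((int(v) for k, v in entry.items() if k.lower() == attr.lower()), None)
    if current is None:
        return False
    return (current & mask) == mask if oid == BIT_AND else (current & mask) != 0

def select(entries, item):
    """Names of the entries that the bitwise filter item would return."""
    return [e["sAMAccountName"] for e in entries if matches(e, item)]

def select_equal(entries, value):
    """What a plain equality filter (userAccountControl=value) would return."""
    return [e["sAMAccountName"] for e in entries if e["userAccountControl"] == value]

# Constructed sample entries (hypothetical names, not from a real directory).
SAMPLE = [
    {"sAMAccountName": "svc-backup", "userAccountControl": 66048},  # 512 + 65536
    {"sAMAccountName": "jdoe", "userAccountControl": 512},          # normal account
    {"sAMAccountName": "old-svc", "userAccountControl": 66050},     # 512 + 65536 + 2 (disabled)
    {"sAMAccountName": "temp01", "userAccountControl": 514},        # 512 + 2 (disabled)
]

NEVER_EXPIRES = f"(userAccountControl:{BIT_AND}:={DONT_EXPIRE_PASSWORD})"

if __name__ == "__main__":
    print(select(SAMPLE, NEVER_EXPIRES))                # accounts with the never-expires bit
    print(select_equal(SAMPLE, DONT_EXPIRE_PASSWORD))   # equality misses combined flag values
    print(select(SAMPLE, f"(userAccountControl:{BIT_OR}:=65538)"))  # never-expires OR disabled
```

Real userAccountControl values almost always combine several flags, which is why the equality test returns nothing here while the bit-AND rule returns both service accounts.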