My reply was based on my notes and don't have access to AD in my current project where I could verify it again.
Maybe it is combination of userAccountControl and pwdLastSet, that's what I would try next.
Hopefully someone with AD in their current implementation responds to your other thread as this requirement is not rare one.
regards, Tero