Password expiry is a tricky event to handle. It is typically a problem you want to be proactive about rather than reactive.
Active Directory does not generate an event when a password expires. LEM (Log & Event Manager) only receives the Windows event logs that are forwarded to it; it does not query AD itself for this information.
So what can we do?
The first solution (simplistic):
Wait until the password has expired. The user's next authentication fails and Windows writes the event we are waiting for (Failed Logon, Event ID 4625). From there, a LEM rule can raise an alarm to notify us, or even reset the user's password automatically through a custom rule. Keep in mind that 4625 is logged for every failed logon, not only for expired passwords: the event's SubStatus field tells them apart (0xC0000071 is STATUS_PASSWORD_EXPIRED, 0xC000006A is STATUS_WRONG_PASSWORD), so a rule that resets passwords should key on that sub-status rather than on any 4625.
Here is an event received in LEM for UserLogonFailure:
and some of the actions available in a LEM rule:
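To see what the reactive approach actually catches, here is an added example (not from the original post, and not tony.johnson's attachment) that pulls the 4625 failures caused specifically by an expired password out of the Security log, separating them from ordinary wrong-password attempts. It assumes it runs where the failures are recorded (a domain controller, or a collector that receives them), that the account running it can read the Security log, and the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the original post: list the 4625 failures caused by
# an expired password. Assumptions: run on a host that records the failures
# (domain controller or collector), with read access to the Security log.

# Event 4625 is generic; the SubStatus field says why the logon failed.
# 0xC0000071 = STATUS_PASSWORD_EXPIRED, 0xC000006A = STATUS_WRONG_PASSWORD,
# 0xC0000072 = STATUS_ACCOUNT_DISABLED,  0xC0000234 = STATUS_ACCOUNT_LOCKED_OUT.
$PasswordExpired = '0xC0000071'
$since = (Get-Date).AddHours(-24)   # arbitrary look-back window

# Read a named field from the event's XML instead of relying on the position
# of the value in $_.Properties, which is easy to get wrong.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$expired = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    # -eq on strings is case-insensitive, so the lower-case hex in the XML matches.
    (Get-EventField $_ 'SubStatus') -eq $PasswordExpired
} | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = Get-EventField $_ 'TargetUserName'
        Domain    = Get-EventField $_ 'TargetDomainName'
        Source    = Get-EventField $_ 'IpAddress'
        LogonType = Get-EventField $_ 'LogonType'
    }
}

$expired | Sort-Object Time | Format-Table -AutoSize
```

Whatever field the LEM rule keys on, the point is the same: act on the expired-password sub-status, not on every UserLogonFailure, otherwise a rule that resets passwords would also fire on mistyped passwords.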
This is reactive, and we want to be proactive, so here is what to do instead.
The second solution (complete, through PowerShell scripting):
STEP 1: Write a script that gets all the users whose password expires in the next 50 days.
STEP 2: Write the results of the script to a Windows event log.
NB: Remember to register a custom event source first, since we are writing to the Application event log here. Use Application (or a custom log) rather than Security: the Security log is reserved for Windows' own auditing and, by default, only the Local Security Authority can write to it, so Write-EventLog will fail there.
Using PowerShell, you can write a script specific to your use case; here is an example, courtesy of tony.johnson (see attachment).
This creates the right Windows event log entry (image below), which you will then receive in LEM.
Run this script periodically (once a day, for example), then create a LEM rule that sends an email or resets the password based on these events, and you're done!
Here is the Windows event log entry:
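Since the attachment is not reproduced here, the following is an added example (my own, not tony.johnson's script) that covers both steps: it enumerates the AD users whose password expires within the next N days and writes one Application event per user for LEM to pick up. It assumes the RSAT ActiveDirectory module is installed, the account running it can read AD and write to the Application log, and the source name PasswordExpiryCheck and event ID 9001 are arbitrary choices for this example. It goes slightly beyond the text by using the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for fine-grained password policies.

```powershell
# Added example, not the attachment from the original post. Assumptions: RSAT
# ActiveDirectory module present; rights to read AD and write the Application
# log; source 'PasswordExpiryCheck' and event ID 9001 are arbitrary.
param(
    [int]$DaysAhead = 50,
    [string]$Source = 'PasswordExpiryCheck',
    [int]$EventId   = 9001
)

Import-Module ActiveDirectory

# Register the custom event source once (needs elevation the first time).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

$now      = Get-Date
$deadline = $now.AddDays($DaysAhead)

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already
# applies fine-grained password policies, so we do not compute maxPwdAge here.
# It is Int64.MaxValue for "password never expires" and 0 for "must change at
# next logon"; both fall outside the window below.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', mail

$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    if ($expires -ge $now -and $expires -le $deadline) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            ExpiresOn      = $expires
            DaysLeft       = [int][Math]::Ceiling(($expires - $now).TotalDays)
        }
    }
}

foreach ($e in $expiring) {
    # One event per user keeps the LEM rule simple: it can extract the account
    # name from the message and notify or reset that one account.
    $msg = 'Password for {0} expires on {1:yyyy-MM-dd HH:mm} ({2} day(s) left). Mail: {3}' -f `
        $e.SamAccountName, $e.ExpiresOn, $e.DaysLeft, $e.Mail
    Write-EventLog -LogName Application -Source $Source -EntryType Warning `
        -EventId $EventId -Message $msg
}

'{0} account(s) expiring within {1} days' -f @($expiring).Count, $DaysAhead
```

Schedule it once a day (for example with Register-ScheduledTask or schtasks) under an account that has only the rights listed above, and have the LEM rule match on the source name and event ID rather than on message text alone.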