Local Administrator Password Solution (LAPS), но нужно расширять схему и ставить агентов на клиентские тачки, также имеются некоторые проблемы с совместимостью.

В Powershell 5.1 есть команда Set-LocalUser, но нужно везде расставить Powershell 5.1.

При отсутствии возможности оперативно расставить Powershell 5.1 по сети, можно действовать через ADSI.

Проверка прав локального админа Администратор

Function Convert-UserFlag  {
Param ($UserFlag)
$List = New-Object System.Collections.ArrayList
    Switch  ($UserFlag) {
    ($UserFlag -BOR 0x0001) {[void]$List.Add('SCRIPT')}
    ($UserFlag -BOR 0x0002) {[void]$List.Add('ACCOUNTDISABLE')}
    ($UserFlag -BOR 0x0008) {[void]$List.Add('HOMEDIR_REQUIRED')}
    ($UserFlag -BOR 0x0010) {[void]$List.Add('LOCKOUT')}
    ($UserFlag -BOR 0x0020) {[void]$List.Add('PASSWD_NOTREQD')}
    ($UserFlag -BOR 0x0040) {[void]$List.Add('PASSWD_CANT_CHANGE')}
    ($UserFlag -BOR 0x0080) {[void]$List.Add('ENCRYPTED_TEXT_PWD_ALLOWED')}
    ($UserFlag -BOR 0x0100) {[void]$List.Add('TEMP_DUPLICATE_ACCOUNT')}
    ($UserFlag -BOR 0x0200) {[void]$List.Add('NORMAL_ACCOUNT')}
    ($UserFlag -BOR 0x0800) {[void]$List.Add('INTERDOMAIN_TRUST_ACCOUNT')}
    ($UserFlag -BOR 0x1000) {[void]$List.Add('WORKSTATION_TRUST_ACCOUNT')}
    ($UserFlag -BOR 0x2000) {[void]$List.Add('SERVER_TRUST_ACCOUNT')}
    ($UserFlag -BOR 0x10000) {[void]$List.Add('DONT_EXPIRE_PASSWORD')}
    ($UserFlag -BOR 0x20000) {[void]$List.Add('MNS_LOGON_ACCOUNT')}
    ($UserFlag -BOR 0x40000) {[void]$List.Add('SMARTCARD_REQUIRED')}
    ($UserFlag -BOR 0x80000) {[void]$List.Add('TRUSTED_FOR_DELEGATION')}
    ($UserFlag -BOR 0x100000) {[void]$List.Add('NOT_DELEGATED')}
    ($UserFlag -BOR 0x200000) {[void]$List.Add('USE_DES_KEY_ONLY')}
    ($UserFlag -BOR 0x400000) {[void]$List.Add('DONT_REQ_PREAUTH')}
    ($UserFlag -BOR 0x800000) {[void]$List.Add('PASSWORD_EXPIRED')}
    ($UserFlag -BOR 0x1000000) {[void]$List.Add('TRUSTED_TO_AUTH_FOR_DELEGATION')}
    ($UserFlag -BOR 0x04000000) {[void]$List.Add('PARTIAL_SECRETS_ACCOUNT')}
    }
$List -join ', '
} 
 
(Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase "OU=Workstations,OU=company,DC=domain,DC=ru" -Properties OperatingSystem |? OperatingSystem -match "Windows").name |% {
    echo "$_"
    Convert-UserFlag -UserFlag ([ADSI]"WinNT://$_/Администратор,user").UserFlags.Value
}

https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
https://support.microsoft.com/ru-ru/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
https://windowsnotes.ru/powershell-2/pobitovye-operatory-v-powershell/
https://community.spiceworks.com/topic/2077624-getting-local-admin-group-members
https://www.petri.com/managing-local-user-accounts-with-powershell
https://blogs.technet.microsoft.com/russellt/2016/05/26/passwd_notreqd/

Is it possible to uncheck "Password Never Expires" for all local users?

$ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
$set_password_never_expires = $true
 
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
    $is_set = ($_.UserFlags.Value -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq $ADS_UF_DONT_EXPIRE_PASSWD
 
    if ($is_set -and -not $set_password_never_expires) {
        Write-Verbose -Message "Unchecking 'Password never expires' for user $($_.Name)"
        $_.UserFlags = $_.UserFlags.Value -bxor $ADS_UF_DONT_EXPIRE_PASSWD
        $_.SetInfo()
    } elseif (-not $is_set -and $set_password_never_expires) {
        Write-Verbose -Message "Checking 'Password never expires' for user $($_.Name)"
        $_.UserFlags = $_.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD
        $_.SetInfo()
    }
}