---
title: "Mapping AD password policy state attributes to PingDirectory using <code class=\"cmdname\"><strong>dsconfig</strong></code>"
description: If you have a working sync configuration between PingDirectory and Active Directory (AD) and want to manage password policy state attributes, use the dsconfig command to map these attributes instead of re-running the sync command.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_mapping_ad_pwd_policy_dsconfig
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_mapping_ad_pwd_policy_dsconfig.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
---

# Mapping AD password policy state attributes to PingDirectory using `dsconfig`

If you have a working sync configuration between PingDirectory and Active Directory (AD) *(tooltip: \<div class="paragraph">
\<p>A directory service for Windows domain networks, included in most Windows Server operation systems.\</p>
\</div>)* and want to manage password policy state attributes, use the `dsconfig` command to map these attributes instead of re-running the `sync` command.

## About this task

To map AD password policy state attributes to PingDirectory attributes:

## Steps

* Run `dsconfig` with the `create-attribute-mapping` option.

  ### Example:

  The following example maps the AD attribute `lockoutTime` to the PingDirectory attribute `pwdAccountLockedTime`.

  ```
  dsconfig create-attribute-mapping
  	--map-name  "<Microsoft Active Directory Users Attribute Map>"
  	--mapping-name pwdAccountLockedTime
  	--type direct
  	--set from-attribute:pwdAccountLockedTimeFromAD
  ```

  ### Example:

  The following example maps the AD attribute `userAccountControl & (ACCOUNTDISABLE == 2)` to the PingDirectory attribute `ds-pwp-account-disabled`.

  ```
  dsconfig create-attribute-mapping
  	--map-name  "<Microsoft Active Directory Users Attribute Map>"
  	--mapping-name ds-pwp-account-disabled
  	--type direct
  	--set from-attribute:ds-pwp-account-disabled-from-ad
  ```

  ### Example:

  The following example maps the AD attribute `pwdLastSet` to the PingDirectory attribute `pwdChangedTime`.

  ```
  dsconfig create-attribute-mapping
  	--map-name  "<Microsoft Active Directory Users Attribute Map>"
  	--mapping-name pwdChangedTime
  	--type direct
  	--set from-attribute:pwdChangedTimeFromAD
  ```

  |   |                                                                                                                                                                               |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Learn more about synchronizing these AD attributes with PingDirectory in [Synchronizing Active Directory with PingDirectory](pd_sync_configure_sync_pipe_ad.html#sync_ad_pd). |