---
title: "The password policy state extended operation and the manage-account tool"
description: PingDirectory server supports a proprietary password policy state extended operation that can retrieve and manipulate virtually any kind of password policy state information in a user's entry.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_pw_policy_state_ext_operation
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_pw_policy_state_ext_operation.html
revdate: September 13, 2023
---

# The password policy state extended operation and the `manage-account` tool

PingDirectory server supports a proprietary [password policy state extended operation](https://docs.ldap.com/ldap-sdk/docs/javadoc/index.html?com/unboundid/ldap/sdk/unboundidds/extensions/PasswordPolicyStateExtendedRequest.html) that can retrieve and manipulate virtually any kind of password policy state information in a user's entry.

This includes:

* Retrieving the DN of the password policy that governs the user

* Retrieving a flag that indicates whether the server considers the account usable

* Retrieving a set of error, warning, and notice conditions that can affect the account's usability

* Determining whether the account has a static password

* Retrieving and updating the flag indicating whether an account is disabled

* Retrieving and updating the account's activation and expiration times

* Retrieving and updating the account's password changed time

* Determining whether the user's password is expired

* Retrieving the account's password expiration time, which is computed from the password changed time

* Retrieving and updating the account's password expiration warned time

* Retrieving and updating the set of grace login use times

* Retrieving and updating the record of failed authentication attempts

* Retrieving and overriding a failure-based account lockout

* Retrieving the time that an account was failure locked

* Retrieving and updating an account's last login time

* Retrieving and updating an account's last login IP address

* Retrieving and clearing an account's recent login history

* Retrieving the length of time until an upcoming idle lockout

* Retrieving and updating the account's "must change password" flag

* Determining whether an account is reset locked

* Retrieving the length of time until a password reset lockout

* Retrieving the number of passwords in the user's history and clearing the history

* Determining whether a user has a retired password and purging the retired password

* Retrieving the set of SASL mechanisms that are available to the user

* Retrieving the set of one-time passcode (OTP) delivery mechanisms that are available to the user

* Determining whether the user has any TOTP shared secrets

* Registering and deregistering TOTP shared secrets

* Determining whether the user has any registered YubiKey OTP devices

* Registering and deregistering YubiKey OTP devices

* Retrieving and updating the time that bind password validation was last performed for the user

* Retrieving and clearing password validation lockout

The server also includes a `manage-account` tool that provides command-line access to the functionality of the password policy state extended operation.
