---
title: Managing user accounts
description: Manage user accounts with the manage-account tool.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_manage_user_accts
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_manage_user_accts.html
revdate: September 13, 2023
page_aliases: ["pd_ds_return_password_policy_state_info.adoc", "pd_ds_determine_account_disabled.adoc", "pd_ds_disable_account.adoc", "pd_ds_enable_disabled_account.adoc", "pd_ds_assign_manage_acct_access_priv_non_root_users.adoc"]
section_ids:
  about-this-task: About this task
  steps: Steps
  returning-the-password-policy-state-information: Returning the password policy state information
  steps-2: Steps
  example: Example:
  result: Result:
  determining-whether-an-account-is-disabled: Determining whether an account is disabled
  steps-3: Steps
  example-2: Example:
  result-2: Result:
  disabling-an-account: Disabling an account
  steps-4: Steps
  example-3: Example:
  result-3: Result:
  enabling-a-disabled-account: Enabling a disabled account
  steps-5: Steps
  example-4: Example:
  result-4: Result:
  assigning-the-manage-account-access-privileges-to-non-root-users: Assigning the manage-account access privileges to non-root users
  about-this-task-2: About this task
  steps-6: Steps
  example-5: Example:
  result-5: Result:
  example-6: Example:
  example-7: Example:
  result-6: Result:
  example-8: Example:
  result-7: Result:
---

# Managing user accounts

Manage user accounts with the `manage-account` tool.

## About this task

The PingDirectory server provides a user management utility, the `manage-account` tool, for quickly viewing and changing password and account policy properties for a user or group of users.

The server also hosts the Self Service Account Manager project at <https://github.com/pingidentity/ssam>, which is a customizable web application that allows users to perform their own account registration, profile updates, and password changes.

The project is for testing and development purposes and is not a supported PingDirectory server application.

## Steps

* Unlock a user account with the `manage-account` tool.

* To enable a disabled account, contact the administrator for assistance.

  Password resets are not used.

## Returning the password policy state information

### Steps

* To get information about the account's password policy, run the `manage-account` tool.

  #### Example:

  ```shell
  $ bin/manage-account get-all \
    --targetDN uid=user.1,ou=People,dc=example,dc=com
  ```

  #### Result:

  ```
  Password Policy DN: cn=Demo Password Policy,cn=Password Policies,cn=config
  Account Is Disabled: false
  Account Expiration Time:
  Seconds Until Account Expiration:
  Password Changed Time: 19700101000000.000Z
  Password Expiration Warned Time:
  Seconds Until Password Expiration: 1209600
  Seconds Until Password Expiration Warning: 0
  Authentication Failure Times:
  Seconds Until Authentication Failure Unlock:
  Remaining Authentication Failure Count: 3
  Last Login Time:
  Seconds Until Idle Account Lockout:
  Password Is Reset: false
  Seconds Until Password Reset Lockout:
  Grace Login Use Times:
  Remaining Grace Login Count: 0
  Password Changed by Required Time:
  Seconds Until Required Change Time:
  Password History:
  ```

## Determining whether an account is disabled

### Steps

* To determine whether a user's account has been disabled, run the `manage-account` tool with the `get-account-is-disabled` subcommand.

  #### Example:

  ```shell
  $ bin/manage-account get-account-is-disabled \
    --targetDN uid=user.1,ou=People,dc=example,dc=com
  ```

  #### Result:

  If the account has been disabled, you receive the following message.

  `Account Is Disabled: true`

## Disabling an account

### Steps

* To disable a user's account, run the `manage-account` tool.

  #### Example:

  ```shell
  $ bin/manage-account set-account-is-disabled \
    --operationValue true --targetDN uid=user.1,ou=People,dc=example,dc=com
  ```

  #### Result:

  You receive the following message.

  `Account Is Disabled: true`

## Enabling a disabled account

### Steps

* To enable a user's account, run the `manage-account` tool with the `clear-account-is-disabled` subcommand.

  #### Example:

  ```shell
  $ bin/manage-account clear-account-is-disabled \
    --targetDN uid=user.1,ou=People,dc=example,dc=com
  ```

  #### Result:

  You receive the following message.

  `Account Is Disabled: false`

## Assigning the manage-account access privileges to non-root users

Assign access rights to the non-root admin user.

### About this task

Non-root users with administrative privileges, such as `uid=admin`, require access control permissions to interact with certain password policy operational attributes when using the `manage-account` tool.

For example, the presence of the `ds-pwp-account-disabled` operational attribute in an entry indicates that the account is disabled. If the non-root admin user does not have the access privilege to read or interact with the `ds-pwp-account-disabled` operational attribute, the `manage-account` tool might report that the account is active even though it is disabled. The tool considers an account active if the `ds-pwp-account-disabled` operational attribute does not exist in the entry or if the admin user does not have permission to see it.

### Steps

1. Create a non-root user admin account, such as `uid=admin,dc=example,dc=com`.

   1. Grant the `password-reset` privilege to the account.

   Learn more in steps 1 and 6 of [Setting up a single administrator account](pd_ds_config_admin_accounts.html#setup_single_admin).

2. To view the account status for an account, run the `manage-account` tool.

   #### Example:

   ```shell
   $ bin/manage-account get-all \
     --targetDN uid=user.0,ou=People,dc=example,dc=com
   ```

   #### Result:

   The system displays the following information for the account.

   ```
   Password Policy DN:  cn=Default Password Policy,cn=Password Policies,cn=config
   Account Is Disabled:  false
   Account Expiration Time:
   Seconds Until Account Expiration:
   Password Changed Time:  19700101000000.000Z
   Password Expiration Warned Time:
   Seconds Until Password Expiration:
   Seconds Until Password Expiration Warning:
   Authentication Failure Times:
   Seconds Until Authentication Failure Unlock:
   Remaining Authentication Failure Count:
   Last Login Time:
   Seconds Until Idle Account Lockout:
   Password Is Reset:  false
   Seconds Until Password Reset Lockout:
   Grace Login Use Times:
   Remaining Grace Login Count:  0
   Password Changed by Required Time:
   Seconds Until Required Change Time:
   Password History:
   ```

3. Grant access control privileges to an account.

   #### Example:

   The following access control instruction (ACI) grants a helpdesk user the access needed to manage accounts. Depending on the configuration requirements, this user might also need the `permit-get-password-policy-state-issues` and `password-reset` privileges.

   ```
   dn: dc=example,dc=com
   changetype: modify
   add: aci
   aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time||
    ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address||
    ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime")
    (version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
   ```

4. To disable an account, run the `manage-account` tool.

   #### Example:

   The following command sets the `account-is-disabled` property to true for the `uid=user.0,ou=People,dc=example,dc=com` entry.

   ```shell
   $ bin/manage-account set-account-is-disabled \
     --targetDN uid=user.0,ou=People,dc=example,dc=com \
     --operationValue true
   ```

   #### Result:

   You receive the following message.

   `Account Is Disabled: true`

5. To view the presence of the `ds-pwp-account-disabled` operational attribute in the entry, run the `ldapsearch` tool.

   #### Example:

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" "+"
   ```

   #### Result:

   The system displays the following information.

   ```
   dn: uid=user.0,ou=People,dc=example,dc=com
   ds-pwp-account-disabled: true
   ```
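
The cross-check that steps 2 through 5 imply, as an added example (not part of the PingDirectory documentation or tooling): it compares the `Account Is Disabled` value that `manage-account` reported to a delegated admin with the `ds-pwp-account-disabled` attribute in an `ldapsearch` capture taken by an identity that can read operational attributes. The function names and both sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the case where manage-account reports an account as
# active only because the caller cannot read ds-pwp-account-disabled.
# Function names and sample captures are constructed for illustration.

# Print the value of one "Name: value" field from manage-account output (stdin).
pwp_field() {
  awk -v name="$1" '
    { sub(/^[ \t]+/, "") }
    index($0, name ":") == 1 {
      v = substr($0, length(name) + 2)
      gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      print v
      exit
    }'
}

# Print "true" when an LDIF entry on stdin has ds-pwp-account-disabled: true,
# otherwise "false" (attribute absent means the account is not disabled).
ldif_disabled() {
  awk 'tolower($0) ~ /^ds-pwp-account-disabled:[ \t]*true[ \t\r]*$/ { f = 1 }
       END { print (f ? "true" : "false") }'
}

# check_visibility TOOL_OUTPUT LDIF_ENTRY
# Returns 0 when both views agree, 1 when the delegated admin's view is stale.
check_visibility() {
  tool=$(printf '%s\n' "$1" | pwp_field "Account Is Disabled")
  entry=$(printf '%s\n' "$2" | ldif_disabled)
  if [ "$tool" = "$entry" ]; then
    echo "consistent: disabled=$entry"
    return 0
  fi
  echo "MISMATCH: manage-account says $tool, entry says $entry (check the ACI)"
  return 1
}

# Constructed capture: get-all run by an admin that lacks the ACI from step 3.
SAMPLE_TOOL_OUTPUT='Password Policy DN:  cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled:  false
Password Is Reset:  false'

# Constructed capture: ldapsearch "+" run by an identity that can read the attribute.
SAMPLE_LDIF='dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true'

check_visibility "$SAMPLE_TOOL_OUTPUT" "$SAMPLE_LDIF" || true
```

A mismatch on a real deployment means the delegated admin's ACI does not cover `ds-pwp-account-disabled`, so its `manage-account` results for disabled accounts cannot be trusted until the ACI is corrected.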
