Mapping AD password policy state attributes to PingDirectory using dsconfig
If you have a working sync configuration between PingDirectory and Active Directory (AD) and want to manage password policy state attributes, use the dsconfig command to map these attributes instead of re-running the sync command.
About this task
To map AD password policy state attributes to PingDirectory attributes:
Steps
- Run dsconfig with the create-attribute-mapping option.

  Example:
  The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.

  dsconfig create-attribute-mapping --map-name "<Microsoft Active Directory Users Attribute Map>" --mapping-name pwdAccountLockedTime --type direct --set from-attribute:pwdAccountLockedTimeFromAD

  Example:
  The following example maps the AD attribute userAccountControl & (ACCOUNTDISABLE == 2) to the PingDirectory attribute ds-pwp-account-disabled.

  dsconfig create-attribute-mapping --map-name "<Microsoft Active Directory Users Attribute Map>" --mapping-name ds-pwp-account-disabled --type direct --set from-attribute:ds-pwp-account-disabled-from-ad

  Example:
  The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.

  dsconfig create-attribute-mapping --map-name "<Microsoft Active Directory Users Attribute Map>" --mapping-name pwdChangedTime --type direct --set from-attribute:pwdChangedTimeFromAD
For more information about synchronizing these AD attributes with PingDirectory, see Synchronizing Active Directory with PingDirectory.
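After the three mappings are in place, it is worth confirming that lockout and disabled state actually arrive in PingDirectory. The following Python example is added here and is not part of the original documentation: it computes the password policy state PingDirectory should hold for an AD entry and lists the mapped attributes that disagree. It assumes lockoutTime and pwdLastSet are 100-nanosecond ticks since 1601-01-01 UTC with 0 meaning unset, ACCOUNTDISABLE is bit 0x0002 of userAccountControl, and the destination times are UTC generalized time; the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_generalized_time(value):
    """AD Large Integer time (100 ns ticks since 1601-01-01 UTC) -> YYYYMMDDHHMMSSZ.
    A missing or zero value means "not set" and yields None (assumption)."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    moment = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return moment.strftime("%Y%m%d%H%M%SZ")


def expected_pwp_state(ad_entry):
    """Password policy state PingDirectory should hold for this AD entry."""
    uac = int(ad_entry.get("userAccountControl", 0))
    return {
        "pwdAccountLockedTime": filetime_to_generalized_time(ad_entry.get("lockoutTime")),
        "ds-pwp-account-disabled": bool(uac & ACCOUNTDISABLE),
        "pwdChangedTime": filetime_to_generalized_time(ad_entry.get("pwdLastSet")),
    }


def find_drift(ad_entry, pd_entry):
    """Return the mapped attributes whose PingDirectory value disagrees with AD."""
    drift = []
    for name, want in expected_pwp_state(ad_entry).items():
        have = pd_entry.get(name)
        if isinstance(want, bool):
            same = (str(have).lower() == "true") == want  # absent counts as false
        elif want is None:
            same = have is None
        else:
            # Compare to the second so fractional-second formatting is ignored.
            same = have is not None and have[:14] == want[:14]
        if not same:
            drift.append(name)
    return drift


# Constructed sample: locked and disabled in AD, password never set.
AD_SAMPLE = {"lockoutTime": "133485408000000000", "userAccountControl": "514", "pwdLastSet": "0"}
# Constructed sample: the lockout synced, the disabled flag did not.
PD_SAMPLE = {"pwdAccountLockedTime": "20240101000000.000Z", "ds-pwp-account-disabled": "false"}

if __name__ == "__main__":
    print(expected_pwp_state(AD_SAMPLE))
    print("out of sync:", find_drift(AD_SAMPLE, PD_SAMPLE))
```

An account that is disabled or locked in AD but shows no corresponding state in PingDirectory can still authenticate there, so any attribute this check reports deserves investigation before relying on the sync.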