To generate notifications whenever appropriate password policy state changes occur in the server, the password policy that governs the entry being updated must be configured to use one or more account status notification handlers. By default, password policies are not configured with any such handlers, and therefore, no account status notifications will be generated.

The set of account status notification handlers that should be in use for a password policy is controlled by the account-status-notification-handler property for that password policy. It can be configured using dsconfig or the Administrative Console. For example, the following change updates the default password policy, so that the error log account status notification handler will be invoked for any appropriate password policy state changes for entries governed by the default password policy:
$ bin/dsconfig set-password-policy-prop \ 
  --policy-name "Default Password Policy" \ 
  --set "account-status-notification-handler:Error Log Handler"