For Delegated Admin to reliably indicate a user's account locked status, the Password Policy State JSON virtual attribute must be enabled for the users' object class. In this example, the virtual attribute is enabled for users with object class person, which includes users whose REST resource type structural object class is derived from person (for example, inetOrgPerson).

$ bin/dsconfig set-virtual-attribute-prop \
	--name "Password Policy State JSON" \
  	--set enabled:true \
 	 --set require-explicit-request-by-name:true \
 	 --set "filter:(objectClass=person)"