To map AD password policy state attributes to PingDirectory attributes:

  • Run dsconfig with the create-attribute-mapping option.

    The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.

    dsconfig create-attribute-mapping \
      --map-name "<Microsoft Active Directory Users Attribute Map>" \
      --mapping-name pwdAccountLockedTime \
      --type direct \
      --set from-attribute:pwdAccountLockedTimeFromAD

    The following example maps the ACCOUNTDISABLE flag (value 2) of the AD attribute userAccountControl to the PingDirectory attribute ds-pwp-account-disabled.

    dsconfig create-attribute-mapping \
      --map-name "<Microsoft Active Directory Users Attribute Map>" \
      --mapping-name ds-pwp-account-disabled \
      --type direct \
      --set from-attribute:ds-pwp-account-disabled-from-ad

    The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.

    dsconfig create-attribute-mapping \
      --map-name "<Microsoft Active Directory Users Attribute Map>" \
      --mapping-name pwdChangedTime \
      --type direct \
      --set from-attribute:pwdChangedTimeFromAD

    Note:

    For more information about synchronizing these AD attributes with PingDirectory, see Synchronizing Active Directory with PingDirectory.
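
The value conversions these three mappings imply, as an added example that is not part of the PingDirectory documentation: AD stores lockoutTime and pwdLastSet as FILETIME integers (100-nanosecond intervals since 1601-01-01 UTC), while pwdAccountLockedTime and pwdChangedTime hold generalized time. The function names, the sample entry, and the treatment of an absent ds-pwp-account-disabled as false are assumptions; the script spot-checks that a locked or disabled AD account carries the same state after synchronization.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2  # userAccountControl flag; value 2, as stated above
STATE_ATTRS = ("pwdAccountLockedTime", "ds-pwp-account-disabled", "pwdChangedTime")


def filetime_to_generalized_time(raw):
    """AD FILETIME string -> generalized time with milliseconds; None when 0 (unset)."""
    ticks = int(raw)
    if ticks <= 0:
        return None
    t = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return t.strftime("%Y%m%d%H%M%S") + f".{t.microsecond // 1000:03d}Z"


def expected_state(ad_entry):
    """Values the three mappings should yield for one AD entry (attr -> str)."""
    uac = int(ad_entry.get("userAccountControl", "0"))
    state = {
        "pwdAccountLockedTime": filetime_to_generalized_time(ad_entry.get("lockoutTime", "0")),
        "ds-pwp-account-disabled": "true" if uac & ACCOUNTDISABLE else "false",
        "pwdChangedTime": filetime_to_generalized_time(ad_entry.get("pwdLastSet", "0")),
    }
    return {k: v for k, v in state.items() if v is not None}


def _norm(value):
    # Timestamps compare to the second; booleans compare case-insensitively.
    if value is None:
        return None
    return value[:14] if value.endswith("Z") else value.lower()


def mismatches(ad_entry, pd_entry):
    """Names of state attributes whose synced value disagrees with the AD source."""
    want = expected_state(ad_entry)
    got = dict(pd_entry)
    got.setdefault("ds-pwp-account-disabled", "false")  # assumption: absent = enabled
    return [a for a in STATE_ATTRS if _norm(want.get(a)) != _norm(got.get(a))]


# Constructed sample: locked at 2024-01-01 01:30:00.5 UTC, disabled (514 = 512 + 2).
SAMPLE_AD = {"lockoutTime": "133485462005000000", "userAccountControl": "514",
             "pwdLastSet": "133485408000000000"}

if __name__ == "__main__":
    print(expected_state(SAMPLE_AD))
```

A non-empty result from `mismatches` for an account that is locked or disabled in AD means the PingDirectory entry may still accept binds that AD would refuse.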