Showing results for 
Search instead for 
Did you mean: 

Determining if a endUser password/pin is locked


I'm tasked with providing a credential unlock for CUCM endusers. Looking at the AXL schema and doing some trial & error I found that pinCredentials.pinResetHackCount / passwordCredentials.pwdResetHackCount is what I'm looking for.. setting this to true in a user update resets the history. But, extracting the user, it seems I'm missing some properties that are visible in ccmadmin. So, given that locking yourself out by trying the wrong credential for too many times does not set any property gettable by AXL, the question is: how can I know if a user's pin or password credential has been locked?


The same seems to be possible via CUPI. There's the "Hacked" property that if true means the user has been locked out for trying an incorrect credential too many times.

Cisco Employee

It looks like the missing info is in the 'credentialdynamic' table - not accessible via regular AXL requests, as far as I can tell, so you will need to use <executeSqlQuery>.

I think something like this, might get you pretty close:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:xsi="" xmlns:xsd="" xmlns:soap="">
    <ns:executeSQLQuery xmlns:ns="">
      <sql xsi:type="xsd:string">select enduser.userid, tkcredential, credential.timeadminlockout, credentialdynamic.timehackedlockout
		from enduser, credential, credentialdynamic
		where credential.fkenduser = enduser.pkid and
	  	credential.pkid = credentialdynamic.fkcredential and
      	enduser.userid = 'dstaudtTest' 
<soapenv:Envelope xmlns:soapenv="">
      <ns:executeSQLQueryResponse xmlns:ns="">

( where tkcredential = 3 is password, 4 is pin)

Content for Community-Ad