William, What about setting ops_authent_prefix to something different? It will not lock the accounts, but in effect it's likely to look the same ... If you set ops_authent_prefix to 'hagahaga' and a user connected (to the OS) as joe tries sqlplus / Oracle will try to connect to hagahagajoe, which is unlikely to exist. The only risk is if the user explicitly connects as ops$joe AND if the account has an Oracle password (which sometimes happens, when people need to remotely connect). Hope that helps. Stephane Faroult RoughSea Ltd <http://www.roughsea.com> Konagora <http://www.konagora.com> RoughSea Channel on Youtube <http://www.youtube.com/user/roughsealtd> Blanchard, William wrote: > > Greetings, > > We have a legacy app that is currently using OPS$ accounts to log the > users into the database. Since this is a purchased application that > is no longer supported by the company we purchased it from, changing > the code isn’t possible. Has anyone found a way to get rid of these > accounts? If not, is there a “best practice” for locking down the > OPS$ accounts? > > > Thank you, > > WGB > > - > > This email and any information, files, or materials transmitted with it > are confidential and are solely for the use of the intended recipient. > If you have received this email in error, please delete it and notify > the sender. > > -- //www.freelists.org/webpage/oracle-l