I must say that I'm not in favor of such solution. If you want to lock the OPS$, then just lock them. Using the solution below or solution as revoking "create sessions" and such will work, but can cause pain when migrating the database. When you lock the account, it is clear to everyone that that user is not allowed to log in. just my 2 eurocent regards, Freek D'Hooge Uptime Oracle Database Administrator email: freek.dhooge@xxxxxxxxx tel +32(0)3 451 23 82 http://www.uptime.be disclaimer: www.uptime.be/disclaimer ________________________________________ From: oracle-l-bounce@xxxxxxxxxxxxx [oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Blanchard, William [wblanchard@xxxxxxxxxxxxxxxxxxxx] Sent: 11 June 2010 20:20 To: Stephane Faroult Cc: ORACLE-L; oracledba@xxxxxxxxxxx Subject: RE: Replacing OPS$ accounts Hmmm. Interesting. I'll test this out and let you know. WGB -----Original Message----- From: Stephane Faroult [mailto:sfaroult@xxxxxxxxxxxx] Sent: Friday, June 11, 2010 12:40 PM To: Blanchard, William Cc: ORACLE-L; oracledba@xxxxxxxxxxx Subject: Re: Replacing OPS$ accounts William, What about setting ops_authent_prefix to something different? It will not lock the accounts, but in effect it's likely to look the same ... If you set ops_authent_prefix to 'hagahaga' and a user connected (to the OS) as joe tries sqlplus / Oracle will try to connect to hagahagajoe, which is unlikely to exist. The only risk is if the user explicitly connects as ops$joe AND if the account has an Oracle password (which sometimes happens, when people need to remotely connect). Hope that helps. Stephane Faroult RoughSea Ltd <http://www.roughsea.com> Konagora <http://www.konagora.com> RoughSea Channel on Youtube <http://www.youtube.com/user/roughsealtd> Blanchard, William wrote: > > Greetings, > > We have a legacy app that is currently using OPS$ accounts to log the > users into the database. Since this is a purchased application that > is no longer supported by the company we purchased it from, changing > the code isn’t possible. Has anyone found a way to get rid of these > accounts? If not, is there a “best practice” for locking down the > OPS$ accounts? > > > Thank you, > > WGB > > - > > This email and any information, files, or materials transmitted with it > are confidential and are solely for the use of the intended recipient. > If you have received this email in error, please delete it and notify > the sender. > > - This email and any information, files, or materials transmitted with it are confidential and are solely for the use of the intended recipient. If you have received this email in error, please delete it and notify the sender. m���� �祊�l��?���j����� ��i��0���zX���+��n��{�+i�^