"I not sure that you have stated what you are trying to achieve here" Good question ;-). It's Friday and I need a beer ;-). We have remote_os_authent set to true so that the application - on a different server - can authenticate the users once they have logged into the application (an SSO of sorts). I guess what I'm really looking for is the "best practice" to secure the database given the constraints of having the OPS$ accounts. I don't mind if the users can get into the database via the application, the issue is that this also means they can log into the db using sqlplus, etc. WGB From: Neil Chandler [mailto:neil_chandler@xxxxxxxxxxx] Sent: Friday, June 11, 2010 3:38 PM To: Blanchard, William; oracle-l@xxxxxxxxxxxxx; oracledba@xxxxxxxxxxx Subject: RE: Replacing OPS$ accounts William, I not sure that you have stated what you are trying to achieve here. Why are you trying to get rid of the OPS$ accounts if that is the way that the application works? If you want the accounts locked (i.e. so they are completely unusable), use the ALTER USER <username> ACCOUNT LOCK command, or drop the users. What are you trying to prevent? Users logging into the application, or users logging into the database using SQL*Plus, TOAD or some other "back door" application? There is nothing implicitly wrong with using OPS$ accounts, as long as you are not allowing remote_os_authent (and thus allowing the potential for an account to be spoofed on another platform). You are simply transferring the authorisation from Oracle to the Operating system. regards Neil Chandler Oracle DBA _____ Subject: Replacing OPS$ accounts Date: Fri, 11 Jun 2010 12:02:34 -0500 From: wblanchard@xxxxxxxxxxxxxxxxxxxx To: oracle-l@xxxxxxxxxxxxx; oracledba@xxxxxxxxxxx Greetings, We have a legacy app that is currently using OPS$ accounts to log the users into the database. Since this is a purchased application that is no longer supported by the company we purchased it from, changing the code isn't possible. 
Has anyone found a way to get rid of these accounts? If not, is there a "best practice" for locking down the OPS$ accounts?

Thank you,
WGB