Are there any undesirable effects if I disable all oracle admin accounts (sys, sysman..) and use new admin accounts? I'm afraid oracle itself might use such default admin accounts for processing?
Thanks.
oracle
Are there any undesirable effects if I disable all oracle admin accounts (sys, sysman..) and use new admin accounts? I'm afraid oracle itself might use such default admin accounts for processing?
Thanks.
Best Answer
You can't lock/disable SYSDBA accounts (e.g., SYS), due to the fact that they don't authenticate to the database in the same way. Here's a little test I ran on a regular user that I granted SYSDBA to, then locked the account. The user can still get in as SYSDBA, just not as a normal user:
Of course, if I can get in as a SYSDBA user, then I can just unlock my account and get in as a normal user again.
I'm not sure why you would actually want to do this. It doesn't seem like a good idea. If you could actually lock the SYSDBA accounts, you could render your database inaccessible. Aside from SYS and SYSTEM, all accounts created by Oracle when the database is created are locked by default anyway. What are you trying to accomplish?
EDIT:
Here is the only scenario in which SYSDBA's could get locked out:
This scenario means you're pretty much screwed anyway. It also assumes you can't modify the sqlnet.ora file where the authentication_services parameter is defined, else you could set it back to NTS to allow OS authentication (assumes windows).