Error: "ORA-28000: the account is locked" in Symantec DLP Enforce
search cancel

Error: "ORA-28000: the account is locked" in Symantec DLP Enforce


Article ID: 160068


Updated On:


Data Loss Prevention Enforce Data Loss Prevention


One of these messages appears in Symantec Data Loss Prevention (DLP) Enforce.

  • Oracle Protect account locked. 
  • Oracle Alert log: “ORA-28000: the account is locked"
  • IncidentPersister0.log Or MonitorController0.log: ORA-01017: invalid username/password; logon denied.


Oracle locks the DLP user account (default is PROTECT) after too many failed attempts to log in to DLP Enforce. This can occur during installation or when the DLP user account password was changed in the DB but not in the Enforce configuration.


There are two ways to unlock the Oracle database account: 

  • From the command line using SQL*Plus
  • From the Oracle Enterprise Manager (not everyone will have access to this method)


A. Unlock from the command line using SQL*Plus

  1. Load SQL*Plus.  'sqlplus /nolog' from command prompt.
  2. Connect to the database as sysdba.  'connect sys as sysdba'
  3. Check what is locked and what is not locked with the following command:
    select account_status from dba_users where username='[username]';

    select account_status from dba_users where username='PROTECT';
    Note: Remember to add the semicolon or the command will not execute.

  4. To unlock the [username] (without brackets) account, enter the following command:
    alter user [username] account unlock;

    alter user PROTECT account unlock;
  5. Rerun step 2 to verify success.


B. Unlock using Oracle Enterprise Manager, if you have access.

  1. From the Oracle Enterprise Manager, select Network > Databases > Security > Users
  2. Edit the protect user, then select the unlocked radio button.

Additional Information

If you need to CHANGE the "Protect" password, please refer to the KB article below which will walk you through that process: