
Error: "ORA-28000: the account is locked" in Symantec DLP Enforce


Article ID: 160068




Data Loss Prevention Enforce, Data Loss Prevention


One of these messages appears in Symantec Data Loss Prevention (DLP) Enforce.

  • Oracle Protect account locked. 
  • Oracle Alert log: "ORA-28000: the account is locked"
  • IncidentPersister0.log or MonitorController0.log: "ORA-01017: invalid username/password; logon denied"


Oracle locks the DLP user account (default is PROTECT) after too many failed attempts to log in to DLP Enforce. This can occur during installation or when the DLP user account password was changed in the DB but not in the Enforce configuration.


There are two ways to unlock the Oracle database account: 

  • From the Oracle Enterprise Manager 
  • From the command line using SQL*Plus


a. Unlock using Oracle Enterprise Manager

  1. From the Oracle Enterprise Manager, select Network > Databases > Security > Users
  2. Edit the protect user, then select the unlocked radio button.


b. Unlock from the command line using SQL*Plus

  1. Start SQL*Plus from a command prompt:
    sqlplus /nolog
  2. Connect to the database as sysdba:
    connect sys as sysdba
  3. Check what is locked and what is not locked with the following command:
    select account_status from dba_users where username='[username]';

    select account_status from dba_users where username='PROTECT';
    Note: Remember to add the semicolon or the command will not execute.

  4. To unlock the [username] (without brackets) account, enter the following command:
    alter user [username] account unlock;

    alter user PROTECT account unlock;
  5. Rerun step 2 to verify success.
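
The status check in step 3 can be widened to show why the account locked and which client is still sending the old password, so that the account does not lock again right after it is unlocked. This is an added example, not part of the original article or of Symantec's documentation. It assumes the default account name PROTECT, a SYSDBA session as in step 2, and, for the third query, that traditional session auditing (AUDIT SESSION) is enabled on the database.

```sql
-- Added example: run in SQL*Plus as SYSDBA. PROTECT is the default DLP account name.

-- 1. Status, lock time and password profile of the DLP account.
--    LOCKED(TIMED) is the status Oracle sets after too many failed logins;
--    plain LOCKED is set by an explicit ALTER USER ... ACCOUNT LOCK.
SELECT username, account_status, lock_date, expiry_date, profile
FROM   dba_users
WHERE  username = 'PROTECT';

-- 2. Lockout settings of the profile assigned to that account.
--    A limit of DEFAULT means the value is inherited from the DEFAULT profile.
SELECT p.profile, p.resource_name, p.limit
FROM   dba_profiles p
JOIN   dba_users u ON u.profile = p.profile
WHERE  u.username = 'PROTECT'
AND    p.resource_type = 'PASSWORD'
AND    p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');

-- 3. Failed logons for the account in the last 24 hours, grouped by client host.
--    returncode 1017  = ORA-01017 (wrong password)
--    returncode 28000 = ORA-28000 (attempt made while the account was locked)
--    Assumption: AUDIT SESSION is enabled; otherwise this view returns no rows.
SELECT userhost,
       os_username,
       returncode,
       COUNT(*)       AS attempts,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  username = 'PROTECT'
AND    returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1
GROUP  BY userhost, os_username, returncode
ORDER  BY last_seen DESC;
```

If the third query still shows new 1017 rows from the Enforce host after the unlock, the password stored in the Enforce configuration does not match the database and needs to be updated as described in the next section.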


Changing the password for the DLP DB account (default name PROTECT) used by the Enforce server:

NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Vontu/Protect/bin)

  1. Start a command prompt and move to the bin directory:
    <DLP 15.0 and older> cd *\SymantecDLP\Protect\bin

    <DLP 15.1 and later> cd *\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\bin
  2. Change the Oracle password in the configuration file:

For version 15.0 and earlier, the syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

e.g. for Windows:
DBPasswordChanger c:\SymantecDLP\protect\config\ potato

e.g. for Linux:
./DBPasswordChanger "/opt/SymantecDLP/protect/config/" potato


For version 15.1 and later, the syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

e.g. for Windows:
DBPasswordChanger "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\" potato

e.g. for Linux:
./DBPasswordChanger "/opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/config/" potato