REM but an ADMINISTRATIVE logon AS SYSDBA goes through successfully !!
- The check does NOT get enforced for local OS based Authentication.
- The check gets enforced for both password file based authentication and LDAP based Authentication making use of Oracle Internet Directory.
- The password file does not hold information about a user's account status; the check relies on the relevant dictionary table (user$, to be precise) being queryable. The account lock check is therefore enforced only when the instance is up and running. If the DB is down, Oracle performs no check on locked account status and allows the SYSDBA connection to go through successfully, even when the user account may be locked.
- The SYS user is exempted from this check. Even if the SYS user is explicitly locked via the "ALTER USER ACCOUNT LOCK" DDL, a SYSDBA connection as SYS will go through successfully. From a security standpoint, one may argue against this cotton-wool treatment for the SYS user, but SYS is considered the equivalent of ROOT in a *nix environment and is expected to have unbridled access to the system. So it is _OK_ to have him logged in irrespective of whatever his account status may be.
- The check is limited to ACCOUNT STATUS and still does not take the PASSWORD STATUS into account. So if an administrative user's password is EXPIRED, a DIRECT logon raises the ORA-28001 error and the logon will NOT proceed without a password change. However, an ADMINISTRATIVE logon AS SYSDBA goes through successfully, with no ORA-28001 error raised during logon and no prompt for a password change.
- "SYS user exemption from account lock check" is NOT available in 22.214.171.124. This was rectified in 126.96.36.199 and was duly noted by Paul Wright in his blog post on July 2014 CPU "In other news I noticed that the stealth SYS locking feature is now reverted by Oracle in 188.8.131.52 – good move in my view. Maybe some more to come on this in the future."
- RDBMS 184.108.40.206.0 also supports locked account status check for administrative privileged logons
- "SYS user exemption from account lock check" is NOT available in 220.127.116.11.
- RDBMS 18.104.22.168 and prior versions do not perform any account status related check on administrative logons.
- 12c Security Guide Enterprise Security Based Authentication
- Automatic Locking of User Accounts After Failed Logins
- Pete Finnigan's answer on whether it is possible to lock out SYS
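
An audit query that follows from the observations above, added here as an example and not taken from the original post: it lists password-file (administrative) users whose dictionary account status is anything other than OPEN, and annotates each row with the behaviour this page describes. It assumes a non-CDB or a single container, SELECT access to V$PWFILE_USERS and DBA_USERS, and that the release in use behaves as described above; the `admin_logon_note` column alias is made up for this example.

```sql
REM Added example (not from the original post).
REM Administrative users in the password file whose account is locked
REM and/or whose password is expired, according to the dictionary.
SELECT p.username,
       p.sysdba,
       p.sysoper,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       CASE
         -- SYS is exempt from the lock check on the releases noted above
         WHEN p.username = 'SYS'
              AND u.account_status LIKE '%LOCKED%'
           THEN 'SYS: lock check may not apply, AS SYSDBA may still succeed'
         -- Lock is enforced only for password file / OID authentication,
         -- and only while the instance is up (user$ must be queryable)
         WHEN u.account_status LIKE '%LOCKED%'
           THEN 'Lock enforced only with instance up; not for OS authentication'
         -- Password status is not part of the administrative logon check
         WHEN u.account_status LIKE 'EXPIRED%'
           THEN 'Expired password: AS SYSDBA logon raises no ORA-28001'
       END AS admin_logon_note
FROM   v$pwfile_users p
       JOIN dba_users u
         ON u.username = p.username
WHERE  u.account_status <> 'OPEN'
ORDER  BY p.username;
```

Any row returned is an account that a DIRECT logon would reject or challenge but that still holds an administrative privilege in the password file, so it is a candidate for revoking SYSDBA/SYSOPER rather than relying on the lock or expiry alone.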