Error Code: ORA-28052
Oracle Error ORA-28052: Account Disabled
Description
The ORA-28052 error indicates that an enterprise user's account has been disabled in the directory service. This prevents the user from authenticating and accessing the Oracle database.
Error Message
the account is disabled
Known Causes
Disabled Directory Account
The enterprise user's account has been explicitly disabled within the directory service (e.g., Active Directory, Oracle Internet Directory).
Account Lockout Policy
The directory account has been locked out due to exceeding the maximum number of failed login attempts as defined by the directory's security policy.
Expired Account
The enterprise user account has reached its expiration date, rendering it inactive and preventing logins.
Solutions
1. Unlock the User Account (easy)
Directly unlock the disabled user account.
  1. Connect to the Oracle database as a user with DBA privileges (e.g., SYS or SYSTEM).
       sqlplus sys as sysdba
  2. Execute the ALTER USER command to unlock the account. Replace `username` with the actual username that is disabled.
       ALTER USER username ACCOUNT UNLOCK;
  3. Verify the account status. Replace `USERNAME` with the actual username, in uppercase as it is stored in the data dictionary.
       SELECT username, account_status FROM dba_users WHERE username = 'USERNAME';
2. Reset User Password and Unlock Account (easy)
Reset the user's password and unlock the account simultaneously.
  1. Connect to the Oracle database as a user with DBA privileges (e.g., SYS or SYSTEM).
       sqlplus sys as sysdba
  2. Execute the ALTER USER command to reset the password and unlock the account. Replace `username` with the actual username and `new_password` with a strong, new password.
       ALTER USER username IDENTIFIED BY "new_password" ACCOUNT UNLOCK;
  3. Inform the user of their new password and instruct them to change it upon their next login if required by security policy.
3. Review and Adjust Password Expiration Policies (medium)
Investigate whether the account is disabled due to password expiration and adjust policies if necessary.
  1. Connect to the Oracle database as a user with DBA privileges (e.g., SYS or SYSTEM).
       sqlplus sys as sysdba
  2. Check the password expiration date for the specific user. Replace `USERNAME` with the actual username, in uppercase.
       SELECT username, account_status, expiry_date FROM dba_users WHERE username = 'USERNAME';
  3. If the account is disabled due to password expiration, you can either unlock it (as in Solution 1) or reset the password (as in Solution 2).
  4. To modify password expiration for a user (e.g., set it to never expire or extend the expiration), change the `PASSWORD_LIFE_TIME` limit of the profile assigned to the user. `ALTER USER ... PASSWORD EXPIRE` does not extend anything; it expires the password immediately and forces a change at the next login. Replace `username` with the actual username and `profile_name` with the user's profile (the `profile` column of `dba_users`).
       -- Force the user to choose a new password at the next login:
       ALTER USER username PASSWORD EXPIRE;
       -- Or to set a new password lifetime in days (180 is an example value):
       -- ALTER PROFILE profile_name LIMIT PASSWORD_LIFE_TIME 180;
       -- Or to never expire (use with caution):
       -- ALTER PROFILE profile_name LIMIT PASSWORD_LIFE_TIME UNLIMITED;
4. Investigate Account Lockout Due to Failed Logins (medium)
Determine if the account was locked due to excessive failed login attempts.
  1. Connect to the Oracle database as a user with DBA privileges (e.g., SYS or SYSTEM).
       sqlplus sys as sysdba
  2. Check the `dba_users` view for the `account_status`. An account locked due to failed logins will typically show 'LOCKED' or 'LOCKED(TIMED)'.
       SELECT username, account_status FROM dba_users WHERE username = 'USERNAME';
  3. To unlock the account, use the `ALTER USER ... ACCOUNT UNLOCK;` command (as in Solution 1).
       ALTER USER username ACCOUNT UNLOCK;
  4. To investigate the cause further, examine the Oracle audit trail (if enabled) or the alert log for failed login attempts related to the user.
  5. Consider adjusting the `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME` profile parameters if this is a recurring issue. Connect as SYSDBA and run:
       ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
       ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME UNLIMITED;
Note: Modifying the `DEFAULT` profile affects all users not assigned a specific profile. It's often better to create a custom profile for specific users or groups.
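The audit-trail check in step 4 and the custom profile suggested in the note, as an added example that is not part of the original page. It assumes traditional session auditing is enabled (so `dba_audit_session` is populated); the user `APP_USER`, the profile `app_users_profile`, and the limits 10 attempts and one hour are constructed placeholders.

```sql
-- Added example; APP_USER and app_users_profile are placeholder names.

-- 1. Where did the failed logins come from in the last 24 hours?
--    returncode 1017 = invalid username/password,
--    returncode 28000 = the account is locked
SELECT os_username,
       userhost,
       returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  username   = 'APP_USER'
AND    returncode IN (1017, 28000)
AND    timestamp  > SYSDATE - 1
GROUP  BY os_username, userhost, returncode
ORDER  BY attempts DESC;

-- 2. Which profile and lockout limits apply to the account today?
SELECT u.username, u.account_status, u.lock_date, u.profile,
       p.resource_name, p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  u.username = 'APP_USER'
AND    p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');

-- 3. Custom profile: lockout stays enabled, with limits chosen for this
--    group. PASSWORD_LOCK_TIME is expressed in days; 1/24 is one hour.
--    Limits not listed here are inherited from the DEFAULT profile.
CREATE PROFILE app_users_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 10
  PASSWORD_LOCK_TIME    1/24;

-- 4. Assign the profile to the affected user only; DEFAULT is unchanged.
ALTER USER app_user PROFILE app_users_profile;

-- 5. Confirm the assignment.
SELECT username, profile, account_status
FROM   dba_users
WHERE  username = 'APP_USER';
```

A single host producing most of the attempts in query 1 usually points to a stale stored credential in an application or job rather than a limit that is too strict.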