Effective user and group management is fundamental to Linux system administration. Understanding how to create, modify, and manage user accounts and groups ensures proper security, resource allocation, and access control in multi-user environments.
User and Group Configuration Files
Linux stores user and group information in several key configuration files:
/etc/passwd # User account information
username:x:1001:1001:User Name:/home/username:/bin/bash
└─ username:password:UID:GID:GECOS:homedir:shell
/etc/group # Group information
groupname:x:1001:user1,user2,user3
└─ groupname:password:GID:member_list
/etc/shadow # Secure user passwords
username:$6$rounds=656000$...:18888:0:99999:7:::
└─ username:password:last_change:min:max:warn:inactive:expire
/etc/gshadow # Secure group passwords
groupname:!:::user1,user2
└─ groupname:password:admins:members
User Management Commands
useradd - Create Users
Create new user accounts with various options.
Common Options:
• -m - Create home directory
• -s /bin/bash - Set login shell
• -g group - Primary group
• -G groups - Supplementary groups
• -c "comment" - User description
• -u UID - Specific user ID
Example: useradd -m -s /bin/bash john
usermod - Modify Users
Modify existing user account properties.
Common Options:
• -l newname - Change username
• -g group - Change primary group
• -aG groups - Append supplementary groups
• -s shell - Change login shell
• -L - Lock account
• -U - Unlock account
Example: usermod -aG sudo john
userdel - Delete Users
Remove user accounts from the system.
Common Options:
• -r - Remove home directory and mail spool
• -f - Force removal (even if user is logged in)
Examples:
• userdel john - Remove user only
• userdel -r john - Remove user and home directory
Group Management Commands
groupadd - Create Groups
Create new group accounts.
Common Options:
• -g GID - Specific group ID
• -r - Create system group
• -f - Force (ignore if group exists)
Examples:
• groupadd developers - Create regular group
• groupadd -g 2001 developers - With specific GID
groupmod - Modify Groups
Modify existing group properties.
Common Options:
• -g newGID - Change group ID
• -n newname - Change group name
Examples:
• groupmod -n devs developers - Rename group
• groupmod -g 2002 devs - Change GID
groupdel - Delete Groups
Remove groups from the system.
Important Notes:
- Cannot delete primary group of existing users
- Ensure no files are owned by the group
- Remove users from group first if needed
Example: groupdel developers
Password and Account Management
passwd - Password Management
Set or change user passwords and password policies.
Common Uses:
• passwd - Change own password
• passwd john - Change another user's password (root)
• passwd -l john - Lock user account
• passwd -u john - Unlock user account
• passwd -S john - Show password status
id - User Identity
Display user and group information.
Common Options:
• id - Current user info
• id john - Specific user info
• id -u - Display only user ID
• id -g - Display only primary group ID
• id -G - Display all group IDs
• id -n - Display names instead of IDs (used together with -u, -g, or -G)
who, w, last - User Sessions
Monitor user activity and login sessions.
Commands:
• who - Show logged-in users
• w - Show users and what they're doing
• last - Show login history
• lastlog - Last login for all users
• users - Show logged-in usernames
• 0 - Root user
• 1-999 - System users and groups
• 1000-60000 - Regular users and groups
• 65534 - Nobody user (nfsnobody)
Always check available UIDs/GIDs with:
getent passwd | cut -d: -f3 | sort -n
User and Group Types
| Type | UID/GID Range | Purpose | Examples |
|---|---|---|---|
| Root User | 0 | Superuser with full system access | root |
| System Users | 1-999 | Service accounts for daemons and system processes | www-data, mysql, postgres |
| Regular Users | 1000-60000 | Human users with limited privileges | john, sarah, developer1 |
| Primary Group | Same as UID | Default group for user's files | john (user's primary group) |
| Supplementary Groups | Any | Additional groups for resource access | sudo, developers, admin |
Practical Examples
Complete User and Group Management Workflow
# 1. Create a new development team group
sudo groupadd -g 2001 developers
sudo groupadd -g 2002 designers
# 2. Create users with home directories and specific shells
sudo useradd -m -s /bin/bash -c "John Developer" -g developers -G sudo john
sudo useradd -m -s /bin/bash -c "Sarah Designer" -g designers sarah
sudo useradd -m -s /bin/bash -c "Mike Developer" -g developers mike
# 3. Set passwords for new users
sudo passwd john
sudo passwd sarah
sudo passwd mike
# 4. Verify user creation
id john
id sarah
getent passwd john
getent group developers
# 5. Add users to additional groups
sudo usermod -aG developers sarah # Sarah can also access developer resources
sudo usermod -aG designers john # John can access designer resources
# 6. Create a shared directory with proper permissions
sudo mkdir /shared
sudo chown root:developers /shared
sudo chmod 2775 /shared # SetGID bit for group inheritance
ls -ld /shared
# 7. Test group membership
sudo -u john touch /shared/john_file.txt
sudo -u sarah touch /shared/sarah_file.txt
ls -l /shared/
# 8. Monitor user activity
who
w
last | head -10
# 9. Modify user properties
sudo usermod -s /bin/zsh john # Change John's shell to zsh
sudo usermod -c "John Senior Developer" john # Update comment
# 10. Clean up (if needed)
# sudo userdel -r john
# sudo userdel -r sarah
# sudo userdel -r mike
# sudo groupdel developers
# sudo groupdel designers
Advanced User Management
adduser (Debian/Ubuntu)
Interactive user creation tool with sensible defaults.
Features:
- Interactive prompts
- Automatic home directory creation
- Password setting during creation
- User-friendly for beginners
Example: sudo adduser john
chage - Password Aging
Manage user password expiration and aging policies.
Common Options:
• -l - List password aging info
• -m days - Minimum password age
• -M days - Maximum password age
• -W days - Warning period
• -I days - Inactive period
• -E date - Account expiration date
getent - Get Database Entries
Query various system databases including users and groups.
Examples:
• getent passwd - All users
• getent passwd john - Specific user
• getent group - All groups
• getent group developers - Specific group
• getent shadow john - Shadow entry
Security Best Practices
- Strong Passwords: Enforce password complexity requirements
- Regular Audits: Periodically review user accounts and group memberships
- Principle of Least Privilege: Grant only necessary permissions
- Account Locking: Lock unused or compromised accounts immediately
- Password Aging: Implement password expiration policies
- Secure Defaults: Use secure umask and home directory permissions
- Monitor Logins: Regularly check authentication logs
- Remove Orphaned Accounts: Delete accounts for departed users
Common Security Commands
# Check for users with no password
sudo getent shadow | grep '^[^:]*::'
# Check for users with UID 0 (besides root)
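# (match the UID field only; a plain grep for ':0:' also matches GID 0 and root itself)
getent passwd | awk -F: '$3 == 0 && $1 != "root"'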
# Find world-writable files in home directories
find /home -perm -0002 -type f
# Check last logins for all users
lastlog
# Monitor failed login attempts
sudo grep "Failed password" /var/log/auth.log
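The account checks above, turned into reusable functions keyed to the passwd and shadow field positions described earlier and run against constructed sample files. This is an added example, not part of the original page; the function names, the sample accounts and the two extra checks (non-expiring passwords, system accounts with a login shell) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Sample accounts below are constructed, not from a real system.
write_samples() {   # write_samples <dir>
cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
john:x:1001:2001:John Developer:/home/john:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
EOF
cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTED$hash:18888:0:90:7:::
www-data:*:18888:0:99999:7:::
backup:!:18888:0:99999:7:::
john:$6$CONSTRUCTED$hash:18888:0:99999:7:::
toor::18888:0:99999:7:::
EOF
}

# passwd field 3 is the UID: any name other than root with UID 0 is a superuser.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# shadow field 2 is the password hash: empty means no password is required.
empty_password() { awk -F: '$2 == "" {print $1}' "$1"; }

# shadow field 5 is the maximum password age: a usable hash (not locked with
# ! or *) combined with an empty or 99999-day maximum never expires.
no_expiry() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) {print $1}' "$1"
}

# passwd field 7 is the shell: service accounts (UID 1-999) rarely need one.
system_with_shell() {
    awk -F: '$3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

audit() {   # audit <passwd-file> <shadow-file>
    echo "UID 0 besides root:        $(extra_uid0 "$1" | xargs)"
    echo "Empty password field:      $(empty_password "$2" | xargs)"
    echo "Password never expires:    $(no_expiry "$2" | xargs)"
    echo "System account with shell: $(system_with_shell "$1" | xargs)"
}

d=$(mktemp -d) && write_samples "$d"
audit "$d/passwd" "$d/shadow"
rm -rf "$d"
```

To audit a live host, run `audit /etc/passwd /etc/shadow` as root instead of using the sample files.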
Troubleshooting Common Issues
# Check user's groups and permissions
id username
groups username
ls -la /path/to/file
User Cannot Login:
# Check account status and shell
passwd -S username
getent passwd username
grep '^username:' /etc/passwd
Home Directory Issues:
# Verify home directory permissions
ls -ld /home/username
ls -la /home/username/
sudo chmod 755 /home/username
sudo chown -R username:username /home/username
Group Membership Problems:
# Reload group membership without logout
newgrp groupname
# Or use sg command
sg groupname -c "command"
• Always use sudo for user/group management commands
• Be extremely careful with userdel -r as it permanently deletes user data
• Regularly audit the system for unauthorized users or groups
• Use passwd -l to lock accounts instead of deleting when users leave temporarily; this locks only the password, so logins with other credentials such as SSH keys still work unless the account's expiration date is also set
• Ensure proper backup before making bulk user/group changes
Key Takeaways
Effective user and group management is essential for Linux system security and organization. Mastering commands like useradd, usermod, userdel, groupadd, and passwd enables proper access control and resource management. Remember to follow security best practices, regularly audit user accounts, and implement the principle of least privilege. Understanding the relationship between users, groups, and file permissions creates a solid foundation for multi-user system administration.
Next Step: Explore Linux process management to understand how the system handles running programs, service management, and resource monitoring.