3 basic Linux user management commands every sysadmin should know
How to use the useradd, usermod, and userdel commands is essential knowledge for Linux administrators.
I like logical commands; commands that are simple, straightforward, and just make sense. When I delivered Linux sysadmin training, I found Linux user management commands to be easy to explain.
I structured my explanation of account administration like this:
What three things must you do to manage user accounts?
So, what three commands accomplish these tasks? (As in my overview on account administration, these commands are for Red Hat Enterprise Linux and RHEL-like distributions, but the concepts apply to any distribution of Linux.)
Here is a breakdown of how to use these three commands with some of their related options in RHEL.
useradd
The most basic task is to create an account to represent the user who will be working on the system. Each user must authenticate to Linux with an identity that can be used to control their resource access and consumption. User accounts are stored in the /etc/passwd file. That file should not be edited directly by tools such as Vim. Instead, there is useradd, a user-creation utility that adds an account but also accomplishes additional tasks.
Use the useradd command to create accounts:
That’s enough to create the account. However, there are some options you can add. As always, review the associated man page for details. Here are a few common options:
- --create-home (-m): Adds a home directory (this is a default on some distributions)
- --shell (-s): Sets the user’s preferred shell if it’s different from /bin/bash
- --uid (-u): Specifies a particular user ID (UID)
- --comment (-c): Populates the comment field (usually with the user’s full name enclosed in quotes)
Settings for the useradd command are stored in the /etc/default/useradd file.
Also, don’t forget to set a password for the account by using the passwd command.
Try a few exercises to test these commands:
- Create a user named test1 with a home directory named /home/salesuser .
- Create a user named test2 with zsh as the default shell.
- Create a user named test3 with "Temp User" in the comment field.
Note: These commands require root or administrative privileges, so use sudo before each command.
usermod
Now that some user accounts exist on the system, you can modify their settings. You accomplish this with the usermod command and its related options. Modifications may be necessary when users change names, request different shells, or need updated password information.
Standard options for usermod include:
- --comment (-c): Modifies the comment field
- --home (-d): Modifies home directory information
- --expiredate (-e): Changes account-expiration settings
- --login (-l): Modifies the username
- --lock (-L): Locks a user account
- --unlock (-U): Unlocks a user account
Perhaps a user requests an account name change from test2 to testtwo. The command looks like this:
$ sudo usermod --login testtwo --comment "Test Two" test2
The test2 string is the argument in this command. The --login and --comment options act on that argument to modify the account.
Maybe a user is taking a leave of absence. The user will return, but the account should be inaccessible in the meantime. If an administrator deletes the account, the user’s data, group memberships, and other unique information may be lost or more difficult to access. It’s better to lock the account until their return.
Lock a user account by using the usermod command:
Upon the user’s return, unlock the account:
$ sudo usermod --unlock test1
Interestingly, adding a user to a group modifies the user, not the group. Therefore, you manage group membership with the usermod command.
The two primary group membership scenarios are:
- Add a user to a group and remove the user from all other groups
- Add a user to a group and retain the user’s membership in all other groups
Use the --groups (-G for short) option with usermod to accomplish the first scenario (add a user to a group and remove them from other groups). The --append (-a for short) option appends a group to the user; when combined with -G, the user retains membership in other groups.
So, to add the test1 user account to the demo group and retain test1’s membership in other groups, type:
$ sudo usermod --append --groups demo test1
Managing group membership is probably the most challenging use of the usermod command, but Tyler Carrigan’s article Managing local group accounts in Linux covers this topic well.
userdel
Finally, you might want to remove an account representing a user whose role has changed or is no longer with the organization.
To delete the account, type:
However, before deleting the account, don’t forget about resources such as the user’s home directory or system mail. You will want to ensure those resources get handled according to the organization’s written security policy.
Here are some common options for userdel that address these resources:
- --force (-f): Deletes the account (including mail and home directory), even if the user is still logged in
- --remove (-r): Deletes the account (including mail and home directory), but the user must be logged out
The userdel command is pretty simple. There aren’t many options, but they can be displayed by typing userdel --help.
Wrap up
New Linux users sometimes have difficulty wrapping their heads around how many commands exist and how many of them sysadmins memorize. That memorization comes from years of use and experience. It’s handy, however, when some commands have logical names and simple options.
In RHEL, it doesn’t get much easier than:
It’s worth noting that some Linux distributions provide front-end commands to perform the same tasks. For example, the adduser command steps the sysadmin through a series of interactive prompts to create a new user. On a Linux system running a graphical desktop, there are also GUI applications to help manage user accounts.
The three commands to manage groups are similar, and I cover those in another article. Sysadmins really only need to remember these basic commands to manage users and groups.
3.4. Managing Users via Command-Line Tools
When managing users via command line, the following commands are used: useradd, usermod, userdel, or passwd. The files affected include /etc/passwd, which stores user account information, and /etc/shadow, which stores secure user account information.
3.4.1. Creating Users
The useradd utility creates new users and adds them to the system. Following the short procedure below, you will create a default user account with its UID, automatically create a home directory where default user settings will be stored, /home/username/, and set the default shell to /bin/bash.
Run the following command at a shell prompt as root substituting username with the name of your choice:
Set a password to unlock the account and make it accessible. Type the password twice when the program prompts you to.
Example 3.1. Creating a User with Default Settings
~]# useradd robert
~]# passwd robert
Changing password for user robert
New password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Running the useradd robert command creates an account named robert. If you run cat /etc/passwd to view the content of the /etc/passwd file, you can learn more about the new user from the line displayed to you:
robert:x:502:502::/home/robert:/bin/bash
robert has been assigned a UID of 502, which reflects the rule that the default UID values from 0 to 499 are typically reserved for system accounts. The GID, the group ID of the User Private Group, equals the UID. The home directory is set to /home/robert and the login shell to /bin/bash. The letter x signals that shadow passwords are used and that the hashed password is stored in /etc/shadow.
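The field layout just described can be checked mechanically. The following is an added example, not part of the original documentation: a small audit over passwd-format lines that flags extra UID 0 accounts, password fields other than x, system UIDs with a login shell, and GIDs that break the user private group rule. The function names audit_passwd and sample_passwd and every account other than robert are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. All account data is constructed.

# audit_passwd UID_MIN [FILE]: reads passwd(5)-format lines from FILE or
# stdin and prints one "<user>: <finding>" line per problem.
# On a real host UID_MIN comes from /etc/login.defs; 500 matches the text.
audit_passwd() {
    awk -F: -v uid_min="$1" '
        NF != 7 { print "line " NR ": expected 7 fields, found " NF; next }
        {
            user = $1; uid = $3 + 0; gid = $4 + 0; shell = $7
            # Any UID 0 account has full root privileges, whatever its name.
            if (uid == 0 && user != "root")
                print user ": UID 0 outside the root account"
            # Anything but "x" means the hash is not kept in /etc/shadow
            # (an empty field means no password is required at all).
            if ($2 != "x")
                print user ": password field is not x"
            # System accounts normally have no interactive login shell.
            if (uid > 0 && uid < uid_min && shell !~ /(nologin|false)$/)
                print user ": system UID " uid " with login shell " shell
            # With user private groups the GID equals the UID.
            if (uid >= uid_min && gid != uid)
                print user ": GID " gid " differs from UID " uid
            if (seen[uid]++)
                print user ": UID " uid " is shared with another account"
        }' "${2:--}"
}

# Constructed sample in /etc/passwd format.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
jane:x:503:100::/home/jane:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}

sample_passwd | audit_passwd 500
```

To audit a live system, pass the file as the second argument: audit_passwd 500 /etc/passwd.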
If you want to change the basic default setup for the user while creating the account, you can choose from a list of command-line options modifying the behavior of useradd (see the useradd (8) man page for the whole list of options). As you can see from the basic syntax of the command, you can add one or more options:
As a system administrator, you can use the -c option to specify, for example, the full name of the user when creating them. Use -c followed by a string, which adds a comment to the user:
useradd -c "string" username
Example 3.2. Specifying a User’s Full Name when Creating a User
~]# useradd -c "Robert Smith" robert
~]# cat /etc/passwd
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
A user account has been created with user name robert, sometimes called the login name, and full name Robert Smith.
If you do not want to create the default /home/username/ directory for the user account, set a different one instead. Execute the command below:
Example 3.3. Adding a User with non-default Home Directory
~]# useradd -d /home/dir_1 robert
If you do not want to create the home directory for the user at all, you can do so by running useradd with the -M option. However, when such a user logs into a system that has just booted and their home directory does not exist, their login directory will be the root directory. If such a user logs into a system using the su command, their login directory will be the current directory of the previous user.
If you need to copy a directory content to the /home directory while creating a new user, make use of the -m and -k options together followed by the path.
Example 3.4. Creating a User while Copying Contents to the Home Directory
The following command copies the contents of a directory named /dir_1 to /home/jane , which is the default home directory of a new user jane :
As a system administrator, you may need to create a temporary account. Using the useradd command, this means creating an account for a certain amount of time only and disabling it at a certain date. This is a particularly useful setting as there is no security risk resulting from forgetting to delete a certain account. For this, the -e option is used with the specified expire_date in the YYYY-MM-DD format.
Do not confuse account expiration and password expiration. Account expiration is a particular date, after which it is impossible to log in to the account in any way, as the account no longer exists. Password expiration, determined by the maximum password age and the date of password creation or last password change, is the date after which it is not possible to log in using the password (but other ways exist, such as logging in using an SSH key).
useradd -e YYYY-MM-DD username
Example 3.5. Setting the Account Expiration Date
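Account locking with usermod --lock and the two kinds of expiration discussed above are all recorded in /etc/shadow, so one pass over that file shows which accounts are blocked and how. This is an added example, not part of the original documentation; the function names shadow_status and sample_shadow, the accounts, the hash strings and the day number 20000 are constructed, and the field positions follow shadow(5).

```shell
#!/bin/sh
# Added example, not from the original page. All account data is constructed.

# shadow_status TODAY [FILE]: TODAY is the current date in days since
# 1970-01-01, e.g. $(( $(date +%s) / 86400 )). Reads shadow(5)-format lines
# from FILE or stdin; prints "<user> password=<state> account=<state>".
shadow_status() {
    awk -F: -v today="$1" '
        {
            hash = $2; lastchg = $3; max = $5; expire = $8
            # usermod --lock puts "!" in front of the stored hash.
            if (hash ~ /^!/ || hash == "*")  pw = "locked"
            else if (hash == "")             pw = "empty"
            else if (lastchg == "0")         pw = "change-required"
            else if (lastchg != "" && max != "" && lastchg + max < today)
                                             pw = "expired"
            else                             pw = "usable"
            # Field 8 is the account expiration date (-e / --expiredate).
            acct = (expire != "" && expire + 0 <= today) ? "expired" : "active"
            note = ""
            # Only the password is blocked here, not the account itself.
            if ((pw == "locked" || pw == "expired") && acct == "active")
                note = " (SSH key logins may still work)"
            print $1 " password=" pw " account=" acct note
        }' "${2:--}"
}

# Constructed sample in /etc/shadow format (hashes are placeholders).
sample_shadow() {
    cat <<'EOF'
robert:$6$constructed$hash:19900:0:99999:7:::
test1:!$6$constructed$hash:19900:0:99999:7:::
temp1:$6$constructed$hash:19900:0:99999:7::19950:
old1:$6$constructed$hash:19800:0:90:7:::
gone1:!$6$constructed$hash:19900:0:99999:7::1:
EOF
}

sample_shadow | shadow_status 20000
```

The test1 and gone1 rows show the difference that matters for a leave of absence: a locked password alone leaves the account active, while a locked password combined with an expiration date in the past blocks the account as a whole.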
A user’s login shell defaults to /bin/bash, but the -s option can change it to any other shell, for example ksh, csh, or tcsh.
useradd -s login_shell username
Example 3.6. Adding a User with Non-default Shell
The -r option creates a system account, which is an account for administrative use that has some, but not all, root privileges. Such accounts have a UID lower than the value of UID_MIN defined in /etc/login.defs, typically 500 and above for ordinary users.