Adding and managing users and groups
Beyond the Basics

The command line provides all the necessary tools for creating and maintaining multiple accounts. By understanding these commands, you can more effectively manage your system.
If you have ever done any system administration, chances are you have added an account or a group. However, both tasks offer possibilities beyond the plain command. Not only do numerous options exist to modify the basic command, but a variety of other commands are available for manipulating users and groups and viewing their activities.
Users and groups are means of controlling access to a Linux system. A user account gives normal access to a system, whereas user membership in a group gives access to different hardware, subsystems, and files. Typically, each user account is matched with a group of the same name, so that users can access the files in their home directory. In some distributions, only the ordinary user created during installation has full non-root access, and you might have to add new users to each group to which the first user belongs.
Adding and Deleting
In Debian-based distributions, the easiest way to create a new user is with adduser, a script that leads you through the process. After you enter the command adduser NAME, you are prompted for a name, a password, and optional contact information that in effect turns a list of users into a contact list. Other information, such as the user ID (UID), is created for you, starting with 1000 (Figure 1). Non-Debian distributions also include adduser, but in most cases it is an alias for useradd.

In all distributions, the basic command for creating users is useradd. However, unlike adduser, entering the command and a username is not enough. To start, you need to create a home directory for the account with --create-home (-m). If you do not want the home directory to be a subfolder of /home, you need to specify the base directory with --base-dir DIRECTORY (-b). When making a home directory, you probably want to include the option --skel DIRECTORY (-k) to add default files to it.
Additionally, you'll probably want to specify the password with --password PASSWORD (-p) and groups besides the account's own group with --groups GROUPS (-G). Other characteristics of the account will be those listed by entering useradd -D, an option that can also be used for editing the defaults with useradd -D OPTION. You can also specify the account's shell with --shell SHELL (-s) and its UID with --uid UID (-u) (Figure 2).
The useradd command can also set a couple of options for users' passwords, although they seem to be little used on smaller systems. For example, with --expiredate DATE (-e), you can set the date on which an account's password expires. Usually, you will want to accompany --expiredate with --inactive DAYS (-f), to set the number of days after expiration to disable an account. When the account is disabled, its files are preserved, but the user cannot log in.
Except for the options for password expiration, groups have a similar set of commands. Both the Debian addgroup command and the more generally used groupadd have options similar to adduser. In both, you can specify the group ID (GID) and a password. The main difference from the basic user commands is that in both group commands you can use the --system option to create a group that helps to run the system, instead of one to which users can be assigned.
To remove users, Debian-based systems have groupdel, with the convenient option --backup-to DIRECTORY, which automatically removes all groups the user is in. The exception is the user's private group, which cannot be deleted until the user is removed. The userdel command has the option to --remove the home directory or, in case the user has files elsewhere in the system, to --remove-all-files. By contrast, userdel has only the options to --force (-f) deletion or --remove to delete the user's home directory.
Usermod and Groupmod
The usermod and groupmod commands are for editing users and groups after they are created. Many of the usermod options mirror those of useradd, including --shell SHELL (-s), --uid UID (-u), --expiredate DATE, and --inactive DAYS (-f).
To this set of commands, usermod adds --login NAME (-l), which can only be changed when the user is not logged in, and --password PASSWORD (-p).
Other options change the groups to which the account belongs. With --gid GROUP (-g), the root user can change the initial group name or GID for an account. Group membership is modified by --groups GROUPS (-G), in preference to editing /etc/group in a text editor, which does not update /etc/gshadow. The groups are specified in a comma-separated list with no whitespace.
An especially useful option for usermod is --lock (-L), which prevents anyone from using the account to log in. The lock is represented by adding an exclamation mark (!) at the start of the password. The lock is applied with no warning or confirmation message and can be removed with --unlock (-U). As you might expect, neither can be used together or with --password (-p), although changing the password would be just as effective in preventing the account from being used.
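The lock marker described above can be audited directly from a shadow-format file. The following shell function is an added example, not part of the original article; the sample file, its placeholder hashes, and the function name audit_shadow are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for accounts locked with
# usermod --lock. Sample data is constructed; the hashes are placeholders.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19400:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19400:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19400:0:99999:7::1:
dave::19400:0:99999:7:::
EOF

# audit_shadow FILE
# Field 2 is the password hash, field 8 the account expiry (days since epoch).
#   "!" followed by a hash -> locked with --lock; the hash is kept for --unlock
#   "*", "!", "!!"         -> no password was ever set; not reported
#   empty field            -> no password required at all; always reported
audit_shadow() {
    awk -F: -v today="$(( $(date +%s) / 86400 ))" '
        $2 == "" { print $1, "EMPTY-PASSWORD"; next }
        $2 ~ /^![^!*]/ {
            # usermod(8) notes that --lock only disables the password;
            # an expiry date in the past locks the account itself.
            if ($8 != "" && $8 + 0 <= today) print $1, "locked+expired"
            else                             print $1, "locked-password-only"
        }
    ' "$1"
}

audit_shadow "$SAMPLE"
```

On a live system the function would be pointed at /etc/shadow, which requires root to read.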
The groupmod command has far fewer options than usermod, possibly because it can potentially have farther-reaching effects – in fact, on systems that use sudo rather than the root account, careless use could leave you unable to do any administration. At any rate, groupmod uses only three options: --gid to change the GID, -n to change the group name, and --password (-p) to add or change the group password – an option that may be useful on a large system but often not the average home setup.
Other Administration Commands
Several other commands for both users and groups also exist. For example, groups USER lists the different groups to which the specified user belongs. The same information can be obtained from id USER. At one time, the users command could be used to see user activity listed in the logs. However, because the logs are binary now that Systemd is used in most major distributions, you need to use journalctl to read them or obtain some of the same information with a combination of finger and who instead.
On systems that use shadow files to help conceal passwords, you can use a set of four commands to set up and edit the system, making sure that key files are in sync.
- pwconv creates /etc/shadow from /etc/passwd.
- pwunconv creates /etc/passwd from /etc/passwd and /etc/shadow, then removes shadow.
- grpconv creates /etc/gshadow from /etc/group.
- grpunconv creates /etc/group from /etc/group and /etc/gshadow, then removes gshadow.
On larger systems, where user accounts are created and deleted regularly, these commands can help avoid possible problems.
A somewhat safer alternative for syncing files is grpck. This command edits /etc/group and /etc/gshadow, the file that helps hide group information on some systems (Figure 3). To be specific, grpck checks the validity and uniqueness of each group's name, GID, and members, as well as looking for matching entries in /etc/gshadow and removing duplications or obsolete or corrupted information.

With the addition of the --read-only (-r) option, grpck lists entries that need correcting without making any changes – an option that should be run first to avoid any problems. The command can also use --sort (-s) to arrange information alphabetically, instead of adding newer entries at the bottom of the list.
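To show the kind of mismatch a read-only check surfaces, for instance after /etc/group has been edited by hand without updating /etc/gshadow, here is an added shell example that is not from the original article and is not grpck's own code. The function name check_groups, the finding labels, and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only cross-check of group and gshadow files, in the
# spirit of grpck --read-only. Not grpck's code; sample data is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "staff" and "backup" stand for groups typed into /etc/group by hand.
cat > "$WORK/group" <<'EOF'
root:x:0:
sudo:x:27:alice
alice:x:1000:
staff:x:1001:alice,bob
backup:x:1001:
EOF
cat > "$WORK/gshadow" <<'EOF'
root:*::
sudo:*::alice
alice:!::
oldteam:!::
EOF

# check_groups GROUP_FILE GSHADOW_FILE
# Prints one finding per line and modifies neither file.
check_groups() {
    awk -F: '
        FILENAME == ARGV[1] {                 # first file: group
            if ($1 in gid)   print "duplicate-name " $1
            if ($3 in owner) print "duplicate-gid " $3 " (" owner[$3] "," $1 ")"
            else             owner[$3] = $1
            gid[$1] = $3
            next
        }
        {                                     # second file: gshadow
            shadowed[$1] = 1
            if (!($1 in gid)) print "gshadow-only " $1
        }
        END {
            for (g in gid) if (!(g in shadowed)) print "missing-gshadow " g
        }
    ' "$1" "$2" | LC_ALL=C sort
}

check_groups "$WORK/group" "$WORK/gshadow"
```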