Master Linux User and Group Management: Commands, Files, and Best Practices
This guide explains how Linux stores user and group information in /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow, and provides detailed usage of commands such as useradd, usermod, userdel, groupadd, groupmod, and gpasswd for creating, modifying, locking, and deleting accounts and groups.
1. User and Group Files
Linux stores user accounts, passwords, group information, and group passwords in separate configuration files. The /etc/passwd file lists user accounts (excluding passwords), while encrypted passwords reside in /etc/shadow. Group definitions are in /etc/group, and encrypted group passwords in /etc/gshadow.
Each line in /etc/passwd represents a user and contains fields separated by colons, such as username, placeholder x for the password, UID, GID, comment, home directory, and login shell. System‑created accounts often have /sbin/nologin as the shell to prevent interactive login.
2. Password File
Passwords are stored encrypted with MD5 in /etc/shadow, which is readable only by root. The file mirrors /etc/passwd with the first field as the username and the second as the encrypted password.
3. Group Files
Group information is in /etc/group; any user can read it. The format is: group name, placeholder x, GID, and a comma‑separated list of member usernames. Encrypted group passwords are kept in /etc/gshadow.
4. Adding Users
Use useradd [options] username. Common options include:
-c comment
-d home directory
-m create home directory
-M do not create home directory
-e account expiration date (MM/DD/YY)
-f days after expiration before disabling
-g primary group
-G supplementary groups (comma‑separated)
-n do not create a private group
-s login shell (default /bin/bash)
-r create system account (UID < 500)
-u specify UID (must be unique and > 499)
-p set password hash (rarely used)
Example:
[root@localhost ~]# useradd -g babyfish nisj
After creation, id nisj shows the UID, GID, and groups, and tail -1 /etc/passwd displays the new entry.
5. Modifying User Attributes
Use usermod [options] username. Key operations:
Rename account: usermod -l newname oldname
Change home directory: usermod -d /new/home newname
Lock account: usermod -L username (adds ! to the password field in /etc/shadow)
Unlock account: usermod -U username
Locking prevents login, but root can still su to the account.
6. Deleting Users
Use userdel [-r] username. The -r flag also removes the user’s home directory.
7. Setting Password Expiration
Adjust PASS_MAX_DAYS and PASS_MIN_LEN in /etc/login.defs to control password lifetime and minimum length.
8. Changing User Passwords
Root can set any user’s password with passwd username. Regular users can change only their own password by running passwd without arguments.
9. Locking/Unlocking Passwords
Use passwd -l username to lock and passwd -u username to unlock a password. Check status with passwd -S username.
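An added example (not from the original article) that ties the /etc/passwd fields from section 1 to the /etc/shadow password field and the ! lock marker described in sections 5 and 9: it joins the two files and reports each account's password state. The function names, the state labels, and the sample accounts and hashes are constructed for illustration.

```shell
# Added example: report password state per account from passwd/shadow-format files.
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE  ->  name:uid:shell:state
audit_accounts() {
    awk -F: '
        # First argument (shadow format): remember field 2 for each user.
        FILENAME == ARGV[1] { pw[$1] = $2; seen[$1] = 1; next }
        # Second argument (passwd format): name:x:UID:GID:comment:home:shell
        {
            if (!($1 in seen))       state = "NOSHADOW"  # no shadow entry
            else if (pw[$1] == "")   state = "EMPTY"     # no password required
            else if (pw[$1] ~ /^!/)  state = "LOCKED"    # "!" prefix, as usermod -L adds
            else if (pw[$1] == "*")  state = "NOPASS"    # no usable password hash
            else                     state = "SET"
            print $1 ":" $3 ":" $7 ":" state
        }
    ' "$2" "$1"
}
# Flag entries worth a manual look: a second UID 0 account, or an empty
# password field combined with an interactive shell.
risky_accounts() {
    audit_accounts "$1" "$2" | awk -F: '
        $2 == 0 && $1 != "root" { print $1 ": UID 0 but not root" }
        $4 == "EMPTY" && $3 !~ /(nologin|false)$/ { print $1 ": empty password, login shell " $3 }
    '
}

# Constructed sample data (not real accounts or hashes), so this runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nisj:x:1001:1001::/home/nisj:/bin/bash
olduser:x:1002:1002::/home/olduser:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$SAMPLE$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nisj:$6$SAMPLE$constructedhash:19000:0:99999:7:::
olduser:!$6$SAMPLE$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:$6$SAMPLE$constructedhash:19000:0:99999:7:::
EOF
audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
risky_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On a real system, run the functions as root against /etc/passwd and /etc/shadow. A LOCKED entry that still has a login shell is the state usermod -L leaves behind.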
10. Creating Groups
Use groupadd [-r] groupname. The -r option creates a system group (GID < 500); otherwise the GID is ≥ 500.
11. Modifying Group Attributes
Rename a group with groupmod -n newname oldname (GID unchanged). Change the GID with groupmod -g newGID groupname (must be unique).
12. Deleting Groups
Use groupdel groupname. A group cannot be deleted if it is the primary group of an existing account; remove or reassign those accounts first.
13. Adding/Removing Users from Groups
Use gpasswd -a username groupname to add and gpasswd -d username groupname to remove a user from a group.
Important note: when adding a user to additional groups, always use the -a (append) flag with usermod -G; otherwise the user will be removed from all other supplementary groups.
14. Group Administrators
Assign a group administrator with gpasswd -A adminuser groupname. The administrator can add or remove members of that specific group but cannot manage other groups.
15. Miscellaneous Commands
Useful utilities include id (display UID, GID, groups), whoami (current username), and groups (list groups for a user). Graphical tools are also available via System → Administration → Users and Groups.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
