Master Linux User and Group Management: Commands, Files, and Best Practices
This guide explains how Linux stores user and group information in /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow, and provides detailed command examples for adding, modifying, locking, and deleting users and groups, as well as managing passwords and shell access.
1. User and Group Files
In Linux, user accounts, passwords, group information, and group passwords are kept in separate configuration files. The /etc/passwd file stores user account details (except passwords), while encrypted passwords reside in /etc/shadow, which is readable only by the root user.
Each line in /etc/passwd defines a user; fields are separated by colons (":"). The password field contains an x placeholder because the real password is in /etc/shadow. System‑created accounts typically have /sbin/nologin as their shell, preventing interactive login.
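To disable login for a user, set the shell to /sbin/nologin, /bin/true, or /bin/false. Programs such as chsh, and traditionally FTP daemons, consult /etc/shells to decide which shells are valid, so listing these entries there affects them as well. If /etc/shells lacks these entries, add them manually: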
echo "/bin/false" >> /etc/shells
echo "/bin/true" >> /etc/shells
2. Password File
The /etc/shadow file stores the real passwords, hashed with MD5 (or stronger algorithms). Only root can read this file. Its format mirrors /etc/passwd: the first field is the username, the second field is the password hash.
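The following audit is an added example, not code from the original article. It joins a passwd-format file with a shadow-format file and reports accounts in risky states. The function names and sample data are constructed for illustration; the checks assume the usual shadow conventions (a leading ! or * means no usable password, a $1$ prefix marks an MD5 hash).

```shell
#!/bin/sh
# Added example, not from the original article. Flags risky account states
# by joining a passwd-format file with a shadow-format file.
# Reading the real /etc/shadow requires root.
audit_accounts() {   # usage: audit_accounts PASSWD_FILE SHADOW_FILE
    awk -F: '
        FILENAME == ARGV[1] {            # shadow: name:password-field:...
            pw[$1] = $2; seen[$1] = 1; next
        }
        {                                # passwd: name:x:UID:GID:comment:home:shell
            nologin = ($7 ~ /\/(nologin|false|true)$/)
            if ($3 == 0 && $1 != "root") print "UID0 " $1
            if (!($1 in seen)) { print "NOSHADOW " $1; next }
            h = pw[$1]
            if (h == "")                        print "EMPTY " $1
            else if (h ~ /^[!*]/ && !nologin)   print "LOCKED_WITH_SHELL " $1
            else if (h ~ /^\$1\$/)              print "MD5 " $1
        }
    ' "$2" "$1"
}

# Constructed sample data (placeholder hashes, not real ones).
make_sample() {      # usage: make_sample DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nisj:x:502:500::/home/nisj:/bin/bash
backup:x:0:0::/home/backup:/bin/bash
guest:x:503:503::/home/guest:/bin/bash
olduser:x:504:504::/home/olduser:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nisj:$1$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
backup:$6$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
olduser:!$6$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

LOCKED_WITH_SHELL is worth reviewing because locking disables only the password; other authentication methods such as SSH keys still reach the interactive shell.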
3. Group Files
Group information is kept in /etc/group, readable by all users. The corresponding encrypted group passwords are in /etc/gshadow, readable only by root. In /etc/group, the fields are: group name, placeholder x, GID, and a comma‑separated list of member usernames.
4. Adding Users
Use useradd to create a new account:
useradd [option] username
Common options include:
-c comment
-d home directory
-m create home directory if it does not exist
-M do not create home directory
-e account expiration date (MM/DD/YY)
-f days after expiration before disabling
-g primary group
-G supplementary groups (comma‑separated)
-n do not create a private group
-s login shell (default /bin/bash)
-r create a system account (UID < 500)
-u specify UID (must be unique and > 499)
-p set an MD5‑hashed password (rarely used; prefer passwd later)
Example – create user nisj in group babyfish:
# useradd -g babyfish nisj
# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
# tail -1 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
If no -g is given, a private group with the same name as the user is created automatically. Use -n to suppress this behavior.
5. Modifying User Attributes
Use usermod to change existing accounts:
usermod [option] username
Key options:
-l change login name
-d change home directory
-L lock account (adds ! to the password field in /etc/shadow)
-U unlock account
Example – rename nsj820 to nsj0820 and move its home directory:
# usermod -l nsj0820 nsj820
# usermod -d /home/nsj0820 nsj0820
# mv /home/nsj820 /home/nsj0820
6. Deleting Users
Remove an account with userdel:
userdel [-r] username
The -r flag also deletes the user's home directory.
7. Managing Passwords
Set or change a password with passwd:
passwd [username]
Only root can set another user's password; regular users can change their own without specifying a username.
Lock or unlock a password:
passwd -l username # lock
passwd -u username # unlock
Check password status:
passwd -S username
Delete a password (account becomes unusable until a new password is set):
passwd -d username
8. Creating Groups
Use groupadd to create a new group:
groupadd [-r] groupname
The -r option creates a system group with GID < 500; otherwise the GID is ≥ 500.
9. Modifying Group Attributes
Rename a group with groupmod -n:
groupmod -n newname oldname
Change a group's GID with groupmod -g (must be unique):
groupmod -g newGID groupname
10. Deleting Groups
Remove a group with groupdel:
groupdel groupname
A group that is the primary group of an existing user cannot be deleted; the user must be removed or reassigned first.
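The member list in /etc/group does not include users who hold the group only as their primary group, which is exactly the case that blocks groupdel. This added example (not from the original article) reports both kinds of membership from local passwd- and group-format files; the function names and sample data are constructed, and directory services such as LDAP are not consulted.

```shell
#!/bin/sh
# Added example, not from the original article.
# usage: group_members GROUP PASSWD_FILE GROUP_FILE
# Prints "primary USER" for accounts whose passwd GID field is the group's GID
# and "supplementary USER" for names listed in the group file's member field.
group_members() {
    awk -F: -v grp="$1" '
        FILENAME == ARGV[1] {              # group: name:x:GID:member,member
            if ($1 == grp) {
                gid = $3; found = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") supp[++k] = m[i]
            }
            next
        }
        found && $4 == gid { print "primary " $1 }   # passwd: field 4 is the GID
        END {
            if (!found) exit 2                       # no such group
            for (i = 1; i <= k; i++) print "supplementary " supp[i]
        }
    ' "$3" "$2"
}

# Exit 0 when no account has GROUP as its primary group, 1 when one does,
# 2 when the group is not defined.
group_deletable() {
    members=$(group_members "$@") || return 2
    ! printf '%s\n' "$members" | grep -q '^primary '
}

# Constructed sample data using the account names from the examples above.
make_group_sample() {    # usage: make_group_sample DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nisj:x:502:500::/home/nisj:/bin/bash
nsj0820:x:503:501::/home/nsj0820:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
babyfish:x:500:
student:x:501:nisj
staff:x:600:nisj,nsj0820
EOF
}

demo_dir=$(mktemp -d)
make_group_sample "$demo_dir"
group_members student "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

When reviewing who holds a privileged group, read both lists: an account created with -g appears only as a primary member and is missing from the group file's member field.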
11. Adding and Removing Users from Groups
Use gpasswd to manage group membership:
gpasswd -a username groupname # add
gpasswd -d username groupname # remove
Example – add nisj to group student and then remove:
# gpasswd -a nisj student
# gpasswd -d nisj student
12. Setting Group Administrators
Assign a user as a group administrator with:
gpasswd -A username groupname
Group admins can add or remove members from their own groups but cannot manage other groups.
13. Miscellaneous Commands
Useful utilities for inspecting accounts:
id – display UID, GID, and group list
whoami – show the current username
groups – list groups a user belongs to
Graphical user and group management is also available via the system's GUI (System → Administration → Users and Groups).
MaGe Linux Operations
