
Master Linux User and Group Management: Commands, Files, and Best Practices

This guide explains Linux user and group management, covering the purpose and format of /etc/passwd, /etc/shadow, and /etc/group files, and provides detailed examples of adding, modifying, locking, and deleting users and groups using commands such as useradd, usermod, groupadd, and gpasswd.

MaGe Linux Operations

1. User and Group Files

In Linux, user accounts, passwords, group information, and group passwords are stored in separate configuration files. The /etc/passwd file contains user account details (excluding passwords), while encrypted passwords are kept in /etc/shadow, which is readable only by the root user.

Each line in /etc/passwd defines a user; fields are separated by colons (":"). The password field contains an x placeholder because the real password resides in /etc/shadow. System‑created accounts often have /sbin/nologin as their shell, indicating they cannot log in.

2. User Password File

For security, actual passwords are stored in /etc/shadow using MD5 hashing. Only root can read this file. Like /etc/passwd, each line represents a user; the first field is the username, the second field is the encrypted password.

3. User Group File

Group information is stored in /etc/group, readable by all users. The real group passwords are kept in /etc/gshadow. In /etc/group, the first field is the group name, the second is x, the third is the GID, and the fourth lists member usernames separated by commas.

4. Adding Users

Use the useradd command to create a new user:

useradd [option] username

Common options include:

-c  comment
-d  home directory
-m  create home directory if it does not exist
-M  do not create home directory
-e  account expiration date (MM/DD/YY)
-f  days after expiration before disabling
-g  primary group
-G  supplementary groups (comma‑separated)
-n  do not create a private group
-s  login shell (default /bin/bash)
-r  create a system account (UID < 500)
-u  specify UID (must be unique and > 499)
-p  set password hash (rarely used; passwd is preferred)

Example:

[root@localhost ~]# useradd -g babyfish nisj
[root@localhost ~]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)

If no -g is given, a private group with the same name as the user is created automatically. Use -n to suppress this.
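Because useradd -g records the group only as the primary GID in /etc/passwd, the user does not appear in the group's member list in /etc/group. The following added example (not from the original article) resolves a group's effective membership from both files; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data mirroring the useradd -g example (not real accounts).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
nisj:x:502:500::/home/nisj:/bin/bash
EOF
}
sample_group() {
cat <<'EOF'
root:x:0:
babyfish:x:500:alice
alice:x:501:
EOF
}

# effective_members GROUP PASSWD_FILE GROUP_FILE
# Union of (a) names listed in field 4 of the group entry and
# (b) users whose primary GID (passwd field 4) equals the group GID.
effective_members() {
    awk -F: -v g="$1" '
    FNR == NR {                       # first file read: the group file
        if ($1 == g) {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = "listed"
        }
        next
    }
    gid != "" && $4 == gid && !($1 in seen) { seen[$1] = "primary" }
    END { for (u in seen) print u ":" seen[u] }' "$3" "$2" | sort
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
sample_passwd > "$demo_dir/passwd"
sample_group  > "$demo_dir/group"
effective_members babyfish "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

When reviewing who holds a privileged group, check both sources; grepping /etc/group alone misses users such as nisj here.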

5. Modifying User Attributes

Use usermod to change existing accounts:

usermod [option] username

Key options:

Rename account: usermod -l newname oldname
Lock account: usermod -L username (adds ! before the password hash in /etc/shadow)
Unlock account: usermod -U username

Example of renaming and moving the home directory:

[root@localhost ~]# usermod -l nsj0820 nsj820
[root@localhost ~]# usermod -m -d /home/nsj0820 nsj0820

6. Deleting Accounts

Remove a user with userdel:

userdel [-r] username

The -r option also deletes the user's home directory.

7. Setting User Passwords

Use the passwd command:

passwd [username]

Only root can set another user's password; regular users can change only their own.

8. Locking/Unlocking Passwords and Querying Status

Lock a password with passwd -l username and unlock with passwd -u username. Check status with passwd -S username.
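The password field of /etc/shadow (section 2) and the ! lock marker (sections 5 and 8) can be audited together. The following added example (not from the original article) classifies each entry by lock state and by hashing method, using the crypt(5) prefix to tell MD5 ($1$) from newer schemes; the function names, output labels, and sample entries are constructed, and the hash bodies are placeholders.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (hash bodies are placeholders,
# not real hashes). Only field 1 (user) and field 2 (password) matter here.
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
legacy:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15000:0:99999:7:::
nisj:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
newuser:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

# audit_shadow [FILE]: print "user:state:scheme" for each entry.
# Reads stdin when no FILE is given; run against /etc/shadow as root.
audit_shadow() {
    awk -F: '
    function scheme(h) {              # crypt(5) prefix -> hashing method
        if (h ~ /^\$1\$/)       return "md5-weak"
        if (h ~ /^\$5\$/)       return "sha256"
        if (h ~ /^\$6\$/)       return "sha512"
        if (h ~ /^\$y\$/)       return "yescrypt"
        if (h ~ /^\$2[aby]\$/)  return "bcrypt"
        return "unknown"
    }
    NF < 2 { next }
    {
        pw = $2; state = "active"
        if (pw == "") { print $1 ":EMPTY-PASSWORD:none"; next }
        if (substr(pw, 1, 1) == "!") { state = "locked"; sub(/^!+/, "", pw) }
        if (pw == "" || pw == "*") { print $1 ":no-password-login:none"; next }
        print $1 ":" state ":" scheme(pw)
    }' "$@"
}

# weak_or_open [FILE]: only the entries that need attention.
weak_or_open() {
    audit_shadow "$@" | grep -E ':EMPTY-PASSWORD:|:md5-weak$'
}

sample_shadow | audit_shadow
```

An empty second field means the account has no password at all, which is different from a locked (!) or password-less (* or !!) entry.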

9. Creating Groups

Create a group with groupadd:

groupadd [-r] groupname

The -r flag creates a system group (GID < 500).

10. Modifying Group Attributes

Rename a group:

groupmod -n newname oldname

Change a group's GID:

groupmod -g newGID groupname

11. Deleting Groups

Remove a group with:

groupdel groupname

A group that is a private group of an existing user cannot be deleted until the user is removed or reassigned.

12. Adding/Removing Users from Groups

Add a user to a group:

gpasswd -a username groupname

Remove a user from a group:

gpasswd -d username groupname

13. Setting Group Administrators

Assign a user as a group administrator:

gpasswd -A username groupname

Group admins can add or remove members from their groups but cannot manage other groups.

14. Miscellaneous User Commands

Useful commands for inspecting user and group information include id, whoami, and groups. Graphical tools are also available via System → Administration → Users and Groups.

Note: When adding a user to a supplementary group, always use the -a (append) option with usermod -G to avoid removing the user from existing groups.
