Master Linux User and Group Management: Commands, Files, and Best Practices
This guide explains how Linux stores user and group information in configuration files, details the structure of /etc/passwd, /etc/shadow, and /etc/group, and provides step‑by‑step command examples for adding, modifying, locking, and deleting users and groups, as well as managing passwords and group administrators.
1. User and Group Files
Linux stores user accounts, passwords, group information, and group passwords in separate configuration files. The primary file for user account details (excluding passwords) is /etc/passwd. Because all users can read this file, actual password hashes are kept in /etc/shadow, which is readable only by root.
Each line in /etc/passwd represents one user and consists of fields separated by colons (:). System‑created accounts (e.g., daemon, mail) typically have the last field set to /sbin/nologin, indicating they cannot log in.
2. Password File
The /etc/shadow file stores password hashes produced with the MD5 algorithm. Only the root user can read this file. Like /etc/passwd, each line corresponds to a user; the first field is the username and the second field holds the password hash.
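An audit of the two file formats described above, written as an added example that is not part of the original guide. It goes beyond the MD5 case in the text by recognising other hash-scheme prefixes, and it reports the ! lock marker that usermod -L adds. The function names audit_passwd and shadow_state and all sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All sample records below are constructed; the hash
# bodies are placeholders, not real hashes.
SAMPLE=$(mktemp -d) && trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0::/root:/bin/bash
svcbackup:x:101:101::/var/backup:/bin/bash
nisj:x:502:500::/home/nisj:/bin/bash
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:$6$SALT$PLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nisj:$1$SALT$PLACEHOLDER:19000:0:99999:7:::
nsj0820:!$6$SALT$PLACEHOLDER:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# audit_passwd FILE [SYS_UID_MAX]: report extra UID 0 accounts and system
# accounts (UID at or below the boundary) that still have a login shell.
# 499 follows this guide; many current distributions use 999.
audit_passwd() {
    awk -F: -v max="${2:-499}" '
        NF != 7                 { print "MALFORMED line " NR; next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $3 > 0 && $3 <= max && $7 !~ /(nologin|false)$/ { print "SYSTEM_SHELL " $1 " " $7 }
    ' "$1"
}

# shadow_state FILE: classify field 2 (the password field) of each line.
shadow_state() {
    awk -F: '{
        pw = $2; lock = ""
        if (pw == "") { print $1, "EMPTY"; next }          # no password required
        if (pw ~ /^[*!]+$/) { print $1, "NO_PASSWORD_LOGIN"; next }
        if (pw ~ /^!/) { lock = "LOCKED+"; sub(/^!+/, "", pw) }  # usermod -L marker
        if      (pw ~ /^[$]1[$]/) scheme = "md5crypt"
        else if (pw ~ /^[$]5[$]/) scheme = "sha256crypt"
        else if (pw ~ /^[$]6[$]/) scheme = "sha512crypt"
        else if (pw ~ /^[$]y[$]/) scheme = "yescrypt"
        else                      scheme = "other"
        print $1, lock scheme
    }' "$1"
}

audit_passwd "$SAMPLE/passwd"
shadow_state "$SAMPLE/shadow"
```

On a real system, run shadow_state as root against /etc/shadow; an EMPTY result means the account accepts a login with no password at all.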
3. Group File
Group information is kept in /etc/group, readable by all users. The real group passwords are stored in /etc/gshadow. In /etc/group, the fields are: group name, placeholder x, GID, and a comma‑separated list of member usernames.
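The member list in /etc/group holds only supplementary members; a user's primary group is recorded as the GID in field 4 of /etc/passwd, so reading /etc/group alone under-reports who belongs to a group. The following added example (not from the original guide) resolves effective membership from both files and flags primary GIDs that have no group entry. The function names and sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The passwd and group records below are constructed.
DATA=$(mktemp -d) && trap 'rm -rf "$DATA"' EXIT
cat > "$DATA/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nisj:x:502:500::/home/nisj:/bin/bash
nsj0820:x:503:503::/home/nsj0820:/bin/bash
olduser:x:504:777::/home/olduser:/bin/bash
EOF
cat > "$DATA/group" <<'EOF'
root:x:0:
babyfish:x:500:nsj0820
nsj0820:x:503:
EOF

# effective_members GROUP PASSWD_FILE GROUP_FILE
# Union of the members listed in field 4 of the group file and the users
# whose primary GID (field 4 of passwd) is that group's GID.
effective_members() {
    awk -F: -v g="$1" '
        FNR == NR {                      # first file: the group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "$3" "$2" | sort
}

# orphan_gids PASSWD_FILE GROUP_FILE
# Users whose primary GID has no entry in the group file.
orphan_gids() {
    awk -F: 'FNR == NR { known[$3] = 1; next }
             !($4 in known) { print $1 ":" $4 }' "$2" "$1"
}

effective_members babyfish "$DATA/passwd" "$DATA/group"
orphan_gids "$DATA/passwd" "$DATA/group"
```

In the sample data nisj appears as a member of babyfish even though the babyfish line in the group file lists only nsj0820.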
4. Adding Users
Use the useradd command:
useradd [option] username
Common options:
-c comment – description for the account
-d home directory – overrides the default /home/username
-m – create the home directory if it does not exist (often combined with -r for system accounts)
-M – do not create a home directory
-e date – account expiration date (MM/DD/YY)
-f days – days after expiration before the account is disabled
-g group – primary group (must exist)
-G groups – supplementary groups (comma‑separated)
-n – do not create a private group
-s shell – login shell (default /bin/bash)
-r – create a system account (UID < 500, no home directory by default)
-u UID – specify a unique user ID (> 499)
-p password – MD5‑hashed password (rarely used; passwd is preferred)
Example – create user nisj in group babyfish:
[root@localhost ~]# useradd -g babyfish nisj
[root@localhost ~]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost ~]# tail -1 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
5. Modifying User Attributes
Use usermod:
usermod [option] username
Change login name: usermod -l newname oldname
Lock account: usermod -L username (adds ! before the password hash in /etc/shadow)
Unlock account: usermod -U username
Example – rename nsj820 to nsj0820 and move its home directory:
[root@localhost ~]# usermod -l nsj0820 nsj820
[root@localhost ~]# usermod -d /home/nsj0820 nsj0820
[root@localhost ~]# mv /home/nsj820 /home/nsj0820
6. Deleting Users
Use userdel:
userdel [-r] username
The -r option also removes the user's home directory.
7. Setting User Passwords
Root can set any user's password with passwd username. Regular users can change only their own password by running passwd without arguments.
8. Locking/Unlocking Passwords and Querying Status
Lock a password: passwd -l username
Unlock a password: passwd -u username
Check status: passwd -S username
Delete a password (disables login until a new password is set): passwd -d username
9. Creating Groups
Use groupadd:
groupadd [-r] groupname
The -r flag creates a system group with GID < 500.
10. Modifying Group Attributes
Rename a group: groupmod -n newname oldname
Change GID: groupmod -g newGID groupname
11. Deleting Groups
Use groupdel:
groupdel groupname
A group that is a private group for an existing user cannot be deleted until the user is removed or reassigned.
12. Adding/Removing Users from Groups
Use gpasswd:
Add: gpasswd -a username groupname
Remove: gpasswd -d username groupname
13. Setting Group Administrators
Assign a group admin: gpasswd -A username groupname
The admin can add or remove members of that specific group but cannot manage other groups.
14. Miscellaneous User‑Related Commands
Useful commands for inspecting user and group information:
id – displays UID, GID, and group list of the current user.
whoami – shows the current username.
groups – lists groups a specified user belongs to.
Graphical tools are also available via the system’s “Settings → Administration → Users and Groups” interface.
Liangxu Linux
