Master Linux User and Group Management: Commands, Files, and Best Practices
This guide explains how Linux stores user and group information in /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, and provides detailed usage of commands such as useradd, usermod, userdel, groupadd, groupmod, gpasswd, and passwd for creating, modifying, locking, and deleting accounts and groups.
1. User and Group Configuration Files
Linux stores account information in plain-text files under /etc. The main files are:

/etc/passwd – one line per user, fields separated by colons:
login_name:password_placeholder:UID:GID:GECOS:home_directory:shell
The password field contains x because the real password hashes are kept in /etc/shadow. /etc/passwd is world-readable, so a hash or an empty field in that position (instead of x) is a misconfiguration worth auditing.

/etc/shadow – readable only by root. Each line contains
login_name:encrypted_password:last_change:min:max:warn:inactive:expire:reserved
where last_change and expire are days since 1970-01-01 and min, max, warn and inactive are day counts. The hashes in this article's examples are MD5-based crypt ($1$...), the default on older Red Hat releases; current distributions default to SHA-512 ($6$...) or yescrypt ($y$...), selected by ENCRYPT_METHOD in /etc/login.defs. A password field that starts with ! is locked; * or !! marks an account that never had a password set.

/etc/group – defines groups. Fields:
group_name:password_placeholder:GID:user_list
where user_list is a comma-separated list of supplementary members (a user's primary group comes from the GID field of /etc/passwd and is not repeated here).

/etc/gshadow – stores group password hashes and the group administrator list, readable only by root.
System accounts created during installation typically have /sbin/nologin as their shell, preventing interactive logins.
To restrict a user's ability to log in, change the shell field in /etc/passwd (with usermod -s or chsh). The usual choices: /sbin/nologin – refuses the login and prints "This account is currently not available" (or the contents of /etc/nologin.txt). /bin/true – exits immediately with status 0, silently. /bin/false – exits immediately with status 1, silently. For login purposes /bin/true and /bin/false behave the same: neither gives the user a shell. Whether a non-interactive service such as FTP still accepts the account is decided by the daemon, not by the exit status: daemons that use pam_shells (vsftpd and proftpd, for example, and chsh itself) reject any user whose shell is not listed in /etc/shells, which is what the next step is about.
If /bin/true or /bin/false are not listed in /etc/shells, add them. With pam_shells-based daemons this is exactly what makes accounts using those shells acceptable to the service, so list only the shell you intend to allow; adding /sbin/nologin to /etc/shells would likewise let such daemons accept nologin accounts, which is rarely what you want.
echo "/bin/false" >> /etc/shells
echo "/bin/true" >> /etc/shells

2. Adding Users
Use useradd to create a new account. Basic syntax: useradd [options] username
Common options:
-c comment – add a description (the GECOS field).
-d home_dir – specify a custom home directory.
-m – create the home directory if it does not exist. Red Hat systems create it by default (CREATE_HOME yes in /etc/login.defs), which the examples below rely on; Debian-based systems need -m explicitly.
-M – do not create a home directory.
-e YYYY-MM-DD – set the account expiration date. An expired account is refused by every login method, including SSH public-key authentication.
-f days – number of days after the password expires (the max field in /etc/shadow, not the -e date) before the account is disabled.
-g primary_group – assign an existing primary group.
-G supplementary_groups – comma-separated list of additional groups.
-n – do not create a private group with the same name as the user. This is the old Red Hat spelling of the option; upstream shadow-utils uses -N.
-s shell – login shell (default taken from /etc/default/useradd, /bin/bash on Red Hat).
-r – create a system account without a home directory, with a UID from the system range (below 500 on the older Red Hat releases this article's examples come from, below 1000 on current distributions; see SYS_UID_MIN and SYS_UID_MAX in /etc/login.defs).
-u UID – specify a numeric user ID. It must be unique and at or above UID_MIN (500 in the examples here, 1000 on current distributions).
-p encrypted_pass – set the password hash directly. Avoid it: the hash is visible in the process list and in shell history. Use passwd afterwards, or chpasswd reading from standard input.
Example – create user nisj with the existing group babyfish as its primary group:
# useradd -g babyfish nisj
# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
# tail -1 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
If the -g option is omitted, useradd creates a private group with the same name as the user, as the next example shows. Use -n (-N on upstream shadow-utils) to suppress this behavior.
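The validation a provisioning script should do before it calls useradd, as an added example that is not part of the original article: it is a dry run that prints the command it would execute instead of running it, so it works as an ordinary user. The passwd and group contents are constructed (the article's state after nisj was created), and UID_MIN/UID_MAX are assumed to mirror /etc/login.defs with the 500 threshold the article's examples use; current distributions default to 1000.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for useradd,
# producing the exact command line without executing it. Thresholds mirror
# /etc/login.defs (assumed values; the article's examples use UID_MIN=500).
UID_MIN=500
UID_MAX=60000

# Constructed sample of /etc/passwd and /etc/group; replace with the real files
# ("$(cat /etc/passwd)" etc.) to check a live system.
PASSWD="$(printf '%s\n' \
  'root:x:0:0:root:/root:/bin/bash' \
  'babyfish:x:500:500::/home/babyfish:/bin/bash' \
  'nisj:x:502:500::/home/nisj:/bin/bash')"
GROUP="$(printf '%s\n' 'root:x:0:' 'babyfish:x:500:' 'staff:x:501:')"

# Login names: lowercase letters, digits, _ and -, not starting with a digit or
# a dash, at most 32 characters (the limit useradd enforces).
valid_name() { printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; }

name_exists()  { printf '%s\n' "$PASSWD" | awk -F: -v n="$1" '$1 == n { f = 1 } END { exit !f }'; }
group_exists() { printf '%s\n' "$GROUP"  | awk -F: -v g="$1" '$1 == g { f = 1 } END { exit !f }'; }
uid_in_use()   { printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$3 == u { f = 1 } END { exit !f }'; }

# First free UID in the regular-user range, the policy useradd applies when -u
# is omitted (here 501: 500 and 502 are taken, nothing else is).
next_free_uid() {
  printf '%s\n' "$PASSWD" | awk -F: -v lo="$UID_MIN" -v hi="$UID_MAX" '
    $3 >= lo && $3 <= hi { used[$3] = 1 }
    END { for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit } }'
}

# plan_useradd NAME PRIMARY_GROUP [UID]: prints the useradd command on success;
# prints a diagnostic on stderr and returns 1 on any failed check.
plan_useradd() {
  name=$1; group=$2; uid=${3:-$(next_free_uid)}
  valid_name "$name"    || { echo "bad login name: $name" >&2; return 1; }
  name_exists "$name"   && { echo "user already exists: $name" >&2; return 1; }
  group_exists "$group" || { echo "no such group: $group" >&2; return 1; }
  uid_in_use "$uid"     && { echo "UID already in use: $uid" >&2; return 1; }
  [ "$uid" -ge "$UID_MIN" ] || { echo "UID $uid is below UID_MIN=$UID_MIN" >&2; return 1; }
  # -m is explicit so the plan does not depend on CREATE_HOME in login.defs;
  # the password is deliberately not set here (passwd or chpasswd comes next).
  echo "useradd -m -u $uid -g $group -s /bin/bash $name"
}

# Usage: plan_useradd zaphod babyfish
```

Running the plan through sh -c (or eval) as root is then the only privileged step, and every failure mode the manual page warns about has already been caught with a readable message.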
Example – create user vodup with home in /var and a non‑login shell:
# useradd -d /var/vodup -s /sbin/nologin vodup
# id vodup
uid=504(vodup) gid=504(vodup) groups=504(vodup)
# tail -1 /etc/passwd
vodup:x:504:504::/var/vodup:/sbin/nologin
# tail -1 /etc/group
vodup:x:504:

3. Modifying Existing Accounts
Use usermod to change attributes of an existing user: usermod [options] username
Key options:
-l new_name – rename the login name (UID, private group and home directory are left as they are).
-d new_home – change the home directory field (does not move any files).
-m – move the contents of the current home directory to the new location when used with -d.
-g new_primary_group – change the primary group.
-G supplementary_groups – set the complete list of secondary groups, replacing the current one; use -a -G to append instead.
-s new_shell – change the login shell.
-L – lock the password (prefixes the hash in /etc/shadow with !). This blocks password authentication only; see the caveat in the lock example below.
-U – unlock the password.
-e YYYY-MM-DD – set the account expiration date; unlike -L this is enforced for every login method.
Rename a user:
# usermod -l nsj0820 nsj820
# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
After renaming, the UID, the private group (still called nsj820) and the home directory are unchanged; only the login name differs. To rename the directory as well:
# usermod -d /home/nsj0820 nsj0820
# mv /home/nsj820 /home/nsj0820
Between those two commands the passwd entry points at a directory that does not exist yet; usermod -d /home/nsj0820 -m nsj0820 does both in one step and avoids that window. Rename the private group to match with groupmod -n (section 6).
Lock and unlock a user:
# usermod -L nsj0820    # lock
# tail -1 /etc/shadow
nsj0820:!$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:...
# usermod -U nsj0820    # unlock
# tail -1 /etc/shadow
nsj0820:$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:...
Locking only prefixes the hash with !, so the user can still authenticate by any method that does not use the password: SSH public keys, for example, keep working, and so do cron jobs and sudo rules with NOPASSWD. To disable an account outright, also expire it (usermod -e with a past date, or chage -E 0) or set its shell to /sbin/nologin.

4. Deleting Users
Remove an account with userdel: userdel [-r] username. The optional -r flag also removes the user's home directory and mail spool. Files the user owns elsewhere on the system are left behind with the now-unassigned UID and will belong to whichever account is later created with that number, so locate them first (find's -uid test) and reassign or remove them. userdel refuses to remove a user who is currently logged in unless -f is given.
5. Managing Passwords
Set or change a password with passwd: passwd [username] Only root can change another user’s password; ordinary users can change their own without specifying a name.
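The lock state that usermod -L above and passwd -l below both manipulate lives in one field of /etc/shadow; reading it directly shows what passwd -S reports and what the lock does and does not change. This is an added example, not part of the original article. The shadow lines are constructed: the md5crypt hash is the one shown in the article, the $6$ and $y$ values are placeholders rather than real hashes.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the password field of
# /etc/shadow the way passwd -S and chage do. SHADOW is constructed sample data
# (placeholder hashes); as root, replace it with "$(cat /etc/shadow)".
SHADOW="$(printf '%s\n' \
  'root:$6$saltsalt$placeholder.not.a.real.hash:19000:0:99999:7:::' \
  'nsj0820:!$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:19000:0:99999:7:::' \
  'nisj:$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:19000:0:99999:7:::' \
  'vodup:*:19000:0:99999:7:::' \
  'bin:!!:19000:0:99999:7:::' \
  'guest::19000:0:99999:7:::' \
  'olduser:$y$j9T$placeholdersalt$placeholderhash:18000:0:90:7:::')"

# Status letter as printed by passwd -S: L = locked (field starts with ! or *,
# which covers usermod -L, passwd -l and the never-set !! and * entries),
# NP = empty field (what passwd -d leaves), P = usable password hash.
shadow_status() {
  printf '%s\n' "$SHADOW" | awk -F: -v u="$1" '$1 == u {
    if ($2 == "") print "NP"; else if ($2 ~ /^[!*]/) print "L"; else print "P" }'
}

# Hash algorithm behind the field with any lock prefix stripped: locking does
# not touch the hash, so a locked md5crypt password is still a weak md5crypt
# hash that unlocking (or a shadow file leak) brings straight back.
hash_algorithm() {
  printf '%s\n' "$SHADOW" | awk -F: -v u="$1" '$1 == u {
    h = $2; sub(/^!+/, "", h)
    if (h == "" || h == "*")           print "none"
    else if (substr(h, 1, 3) == "$1$") print "md5crypt"
    else if (substr(h, 1, 3) == "$5$") print "sha256crypt"
    else if (substr(h, 1, 3) == "$6$") print "sha512crypt"
    else if (substr(h, 1, 3) == "$y$") print "yescrypt"
    else if (substr(h, 1, 2) == "$2")  print "bcrypt"
    else                               print "unknown" }'
}

# Password aging: field 3 is the day of the last change (days since 1970-01-01),
# field 5 the maximum age. A last-change value of 0 forces a change at the next
# login; otherwise the password is expired once last_change + max is in the past.
today_days() { echo $(( $(date +%s) / 86400 )); }
password_expired() {   # password_expired NAME [TODAY_IN_DAYS]
  printf '%s\n' "$SHADOW" | awk -F: -v u="$1" -v today="${2:-$(today_days)}" '$1 == u {
    if ($3 == 0) print "yes"
    else if ($5 != "" && $5 < 99999 && $3 + $5 < today) print "yes"
    else print "no" }'
}

# Usage: shadow_status nsj0820; hash_algorithm nsj0820; password_expired olduser
```

Note what the status does not tell you: an L entry only means password authentication is off. Whether the account can still log in through SSH keys depends on the expiry field (field 8) and the shell, neither of which the lock touches.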
Lock or unlock the password with passwd. This edits the same /etc/shadow field as usermod -L/-U (passwd -l prefixes the hash with !, or !! on some implementations), so it is the same mechanism with the same limitation: logins that do not use the password are unaffected.
passwd -l username    # lock password
passwd -u username    # unlock password
Check password status with passwd -S username; the second word of the output is L (locked), NP (no password) or P (usable password), followed by the date of the last change and the aging values.
Delete a password with passwd -d username. This empties the hash field. Depending on the PAM configuration (the nullok option of pam_unix) that either makes password login impossible until a new password is set or, worse, lets anyone log in without a password, so verify the result with passwd -S and prefer passwd -l when the goal is to disable the account.

6. Creating and Managing Groups
Create a group with groupadd: groupadd [-r] group_name. The -r flag creates a system group with a GID from the system range (below 500 on the older Red Hat releases used in this article, below 1000 on current distributions; see SYS_GID_MIN and SYS_GID_MAX in /etc/login.defs). Omit it for a regular group, which receives the next free GID at or above GID_MIN. Use -g GID to choose the number explicitly.
Modify a group with groupmod:
groupmod -n new_name old_name    # rename
groupmod -g new_gid group_name   # change GID
Renaming does not affect the GID, so existing files and memberships are unaffected. Changing the GID must avoid collisions with existing groups, and it does not renumber files on disk: anything owned by the old GID keeps that number, so locate such files (find's -gid test) and chgrp them to the new group afterwards.
Delete a group with groupdel: groupdel group_name. A group cannot be removed while it is the primary group of an existing user; reassign the user with usermod -g or delete the user first. Supplementary membership is not a blocker: groupdel simply drops the group from /etc/group and /etc/gshadow. Files owned by the deleted GID remain on disk with an orphaned numeric group, so check for them before deleting.
7. Adding and Removing Users from Groups
Use gpasswd to manage group membership: gpasswd -a user group – add user to group. gpasswd -d user group – remove user from group.
Alternatively, usermod can modify secondary groups. To append without overwriting existing groups, use the -a (append) flag together with -G: usermod -a -G groupA user. Omitting -a replaces the entire secondary-group list, which silently drops the user from every other group. Either way the change takes effect at the user's next login; running sessions keep the group set they started with (newgrp or sg can pick up a new group in the current shell).
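Resolving a user's full group set from the files, and running the check that groupdel enforces, as an added example that is not part of the original article: this is what id -Gn and groups report for a fresh login, computed from constructed /etc/passwd and /etc/group contents (the article's nisj and vodup accounts plus a planted alice and a few groups).

```shell
#!/bin/sh
# Added example, not from the original article. Resolves group membership from
# passwd and group files and reports which users block a groupdel. PASSWD and
# GROUP are constructed sample data; replace with "$(cat /etc/passwd)" and
# "$(cat /etc/group)" on a real host.
PASSWD="$(printf '%s\n' \
  'root:x:0:0:root:/root:/bin/bash' \
  'nisj:x:502:500::/home/nisj:/bin/bash' \
  'vodup:x:504:504::/var/vodup:/sbin/nologin' \
  'alice:x:505:505::/home/alice:/bin/bash')"
GROUP="$(printf '%s\n' \
  'root:x:0:' \
  'babyfish:x:500:alice' \
  'wheel:x:10:nisj,alice' \
  'vodup:x:504:' \
  'alice:x:505:' \
  'docker:x:990:nisj')"

primary_gid() { printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }'; }
gid_name()    { printf '%s\n' "$GROUP"  | awk -F: -v g="$1" '$3 == g { print $1 }'; }
group_gid()   { printf '%s\n' "$GROUP"  | awk -F: -v g="$1" '$1 == g { print $3 }'; }

# user_groups NAME: primary group first (from the passwd GID field, which is
# not listed in /etc/group), then supplementary groups in /etc/group order.
# This is the set a new login session gets; running sessions keep the old one.
user_groups() {
  pg=$(gid_name "$(primary_gid "$1")")
  sup=$(printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v pg="$pg" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u && $1 != pg) print $1 }')
  printf '%s' "$pg"; [ -n "$sup" ] && printf ' %s' $sup; echo
}

# groupdel refuses to remove a group that is any user's primary group. This
# lists those users so they can be moved with usermod -g before deleting;
# supplementary members do not block the deletion and are not listed.
primary_group_users() {
  gid=$(group_gid "$1")
  [ -n "$gid" ] || return 2
  printf '%s\n' "$PASSWD" | awk -F: -v g="$gid" '$4 == g { print $1 }'
}

# can_delete_group NAME: success when the group exists and nobody has it as
# primary group, i.e. when groupdel would succeed.
can_delete_group() { [ -n "$(group_gid "$1")" ] && [ -z "$(primary_group_users "$1")" ]; }

# Usage: user_groups nisj; primary_group_users babyfish; can_delete_group wheel && echo ok
```

Compare the output of user_groups with a live id -Gn for the same user: a difference means the session predates a membership change, which is the usual reason a freshly granted group "does not work".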
8. Assigning Group Administrators
Designate a user as a group administrator with: gpasswd -A admin_user group_name The administrator can add or remove members of that specific group but cannot manage other groups.
9. Miscellaneous User‑Related Commands
id – display UID, GID, and all group IDs of the current (or specified) user; id -Gn prints only the group names. whoami – print the effective username. groups – list the groups a user belongs to. For the current user, id and groups report the groups of the login session, so a membership change shows up only after a new login.
Graphical tools (e.g., System → Administration → Users and Groups) provide a GUI alternative for the same operations.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.