Master Linux User & Group Management: Commands, Files, and Best Practices
This guide explains how Linux stores user and group information in /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow, and provides detailed command examples for adding, modifying, locking, and deleting users and groups, as well as managing passwords and group administrators.
1. User and Group Files
In Linux, user accounts, passwords, group information, and group passwords are stored in separate configuration files. The /etc/passwd file holds user account details (except passwords), while encrypted passwords reside in /etc/shadow, readable only by root.
Each line in /etc/passwd defines a user with fields separated by ':'; the password field contains an 'x' placeholder. System accounts created during installation often have the shell set to /sbin/nologin, preventing interactive login.
To disable a user login, set the user's shell to /sbin/nologin, /bin/true, or /bin/false. If these shells are missing from /etc/shells, add them:
echo "/bin/false" >> /etc/shells
echo "/bin/true" >> /etc/shells
2. User Password File
The /etc/shadow file stores encrypted passwords (MD5 by default) and is accessible only by the root user. Its format mirrors /etc/passwd, with the second field containing the password hash.
3. Group Account File
Group information is kept in /etc/group, readable by all users; actual group passwords are stored in /etc/gshadow. Fields are: group name, placeholder (x), GID, and a comma‑separated list of members.
4. Adding Users
Use useradd [option] username. Common options include:
-c comment
-d home_directory
-m create home if missing
-M do not create home
-e expiration_date (MM/DD/YY)
-f days_until_disable
-g primary_group
-G supplementary_groups (comma‑separated)
-n do not create a private group
-s login_shell (default /bin/bash)
-r create system account (UID < 500)
-u specific UID (must be unique and > 499)
-p MD5‑hashed password (rarely used)
Example: create user nisj in group babyfish:
useradd -g babyfish nisj
id nisj
tail -1 /etc/passwd
If the -g option is omitted, a private group with the same name as the user is created; use -n to avoid it.
Example: create user vodup with home directory /var/vodup and shell /sbin/nologin:
useradd -d /var/vodup -s /sbin/nologin vodup
id vodup
tail -1 /etc/passwd
tail -1 /etc/group
5. Modifying User Attributes
Use usermod [option] username. To rename a user: usermod -l newname oldname. After renaming, the home directory remains unchanged; use -d to move it.
Lock an account with usermod -L username (adds ‘!’ in /etc/shadow); unlock with usermod -U username.
6. Deleting Users
Remove a user with userdel [-r] username. The -r flag also deletes the user's home directory.
Password expiration policies are set in /etc/login.defs (e.g., PASS_MAX_DAYS, PASS_MIN_LEN).
7. Setting User Passwords
Change a password with passwd [username]. Only root can set another user's password; regular users can change their own without specifying a name.
8. Locking/Unlocking Passwords and Querying Status
Lock a password: passwd -l username. Unlock: passwd -u username. Check status: passwd -S username. Delete a password (requires root): passwd -d username.
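The following added example (not part of the original article) cross-checks a passwd-format file against a shadow-format file and reports, per account, whether login is blocked by the shell, by a lock marker, or not at all. The function name audit_logins, the state labels, and the sample accounts alice and bob are assumptions made for illustration; the hash strings are placeholders.

```shell
#!/bin/sh
# audit_logins PASSWD_FILE SHADOW_FILE
# Prints "user:state" for each account in PASSWD_FILE.
audit_logins() {
    awk -F: '
        # First file read (shadow format): remember the password field.
        NR == FNR { pw[$1] = $2; seen[$1] = 1; next }
        # Second file read (passwd format): classify the account.
        {
            if ($7 == "/sbin/nologin" || $7 == "/bin/false" || $7 == "/bin/true")
                state = "nologin-shell"
            else if ($2 != "x")
                state = "passwd-field-not-x"   # password data outside shadow
            else if (!($1 in seen))
                state = "no-shadow-entry"
            else if (pw[$1] == "")
                state = "no-password"          # empty field, as after passwd -d
            else if (pw[$1] ~ /^[!*]/)
                state = "locked"               # "!" is what usermod -L adds
            else if (pw[$1] ~ /^\$1\$/)
                state = "md5-hash"             # $1$ prefix marks md5crypt
            else
                state = "login-ok"
            print $1 ":" state
        }
    ' "$2" "$1"
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vodup:x:501:501::/var/vodup:/sbin/nologin
nisj:x:502:600::/home/nisj:/bin/bash
alice:x:503:503::/home/alice:/bin/bash
bob:x:504:504::/home/bob:/bin/bash
EOF
cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$6$salt$PLACEHOLDER:19000:0:99999:7:::
vodup:!!:19000:0:99999:7:::
nisj:!$6$salt$PLACEHOLDER:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$1$salt$PLACEHOLDER:19000:0:99999:7:::
EOF
audit_logins "$AUDIT_DIR/passwd" "$AUDIT_DIR/shadow"
```

Run it as root against copies of the real files; accounts reported as no-password or md5-hash are the ones to review first.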
9. Creating Groups
Create a group with groupadd [-r] groupname. The -r option creates a system group (GID < 500); otherwise the GID is >= 500.
10. Modifying Group Attributes
Rename a group: groupmod -n newname oldname. Change GID: groupmod -g newGID groupname. Changing the GID does not affect member usernames.
11. Deleting Groups
Remove a group with groupdel groupname. A private group cannot be deleted while a user still belongs to it; delete the user first.
12. Adding/Removing Users from Groups
Add a user to a group: gpasswd -a user group. Remove a user from a group: gpasswd -d user group.
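When reviewing who belongs to a group, the member list in /etc/group is not the whole answer: a user whose primary group was set with useradd -g is recorded only through the GID field of /etc/passwd. This added example (not from the original article) resolves both sources; the function name group_members, the "how" labels, the GID 600 and the account alice are assumptions made for illustration.

```shell
#!/bin/sh
# group_members GROUP PASSWD_FILE GROUP_FILE
# Prints "user:how" for every member of GROUP, sorted by user name.
# how = listed (named in the group file's member field),
#       primary (passwd GID field equals the group's GID), or primary+listed.
group_members() {
    awk -F: -v g="$1" '
        NR == FNR {                       # group file: name:x:GID:members
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") how[m[i]] = "listed"
            }
            next
        }
        gid != "" && $4 == gid {          # passwd file: field 4 is primary GID
            tag = ($1 in how) ? "primary+listed" : "primary"
            how[$1] = tag
        }
        END { for (u in how) print u ":" how[u] }
    ' "$3" "$2" | sort
}

# Constructed sample data mirroring "useradd -g babyfish nisj" from the text.
GRP_DIR=$(mktemp -d)
cat > "$GRP_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nisj:x:502:600::/home/nisj:/bin/bash
alice:x:503:503::/home/alice:/bin/bash
EOF
cat > "$GRP_DIR/group" <<'EOF'
root:x:0:
babyfish:x:600:alice
alice:x:503:
EOF
group_members babyfish "$GRP_DIR/passwd" "$GRP_DIR/group"
```

In the sample, nisj appears as a babyfish member even though the babyfish line in the group file lists only alice.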
13. Setting Group Administrators
Assign a group administrator with gpasswd -A user group. The administrator can manage members of that specific group only.
14. Miscellaneous
Useful commands: id (shows UID, GID, groups), whoami (current username), groups (list groups of a user). Graphical management is also available via System → Administration → Users and Groups.
MaGe Linux Operations
