Linux Administration Lesson 11 – User and Group Management | Dataplexa

Section II — User, Process & Package Management

User and Group Management

In this lesson

Creating users Managing groups Modifying accounts Deleting users safely /etc/passwd and /etc/group

User and group management is the process of creating, configuring, modifying, and removing the accounts that control who can log into a Linux system and what they are permitted to do. Every file, process, and service on Linux is owned by a user and a group — so getting account management right is the foundation of both security and operational control in any multi-user environment.

How Linux Identifies Users

Linux does not track users by their username at the kernel level — it uses a numeric User ID (UID) and Group ID (GID). The username you see in the shell is simply a human-readable label that maps to a UID stored in /etc/passwd. Understanding these IDs is essential when you encounter ownership problems or move files between systems.

Fig 1 — How usernames map to UIDs and group memberships across /etc/passwd and /etc/group

UID Ranges — Standard Convention

Range	Type	Notes
`0`	root	Superuser — full system access. Never create regular users with UID 0.
`1–99`	Static system accounts	Reserved by the OS — daemon, bin, sys. Do not assign manually.
`100–999`	Dynamic system accounts	Created by package installers for services (nginx, mysql, syslog). No login shell.
`1000+`	Regular users	Human and admin accounts. `useradd` starts here by default.

# View your current UID, GID, and all group memberships
id

# View another user's identity
id alice

# Show the passwd entry for a specific user
getent passwd alice

# List all users on the system (human-readable — filters out system accounts)
awk -F: '$3 >= 1000 && $3 < 65534 {print $1, $3}' /etc/passwd

# id
uid=1001(alice) gid=1001(alice) groups=1001(alice),27(sudo),1050(developers)

# id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice),27(sudo),1050(developers)

# getent passwd alice
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash

# awk output (regular users only)
alice 1001
bob   1002

What just happened? id showed that alice belongs to three groups — her primary group alice, the sudo group (giving her privilege escalation rights), and a secondary developers group. getent passwd read the full account record showing her home directory and login shell.

Creating Users with useradd and adduser

Linux provides two commands for creating users: useradd and adduser. They are not the same. Understanding the difference prevents the common mistake of creating accounts that lack a home directory or a usable shell.

useradd — low-level, universal

Available on all distributions. Creates the account exactly as instructed — if you omit flags, you get no home directory, no password, and often no shell. Must be scripted explicitly for production use.

# Minimal — dangerous defaults
sudo useradd alice

# Full, explicit form
sudo useradd -m -s /bin/bash \
  -c "Alice Admin" alice

adduser — high-level, interactive

A Debian/Ubuntu wrapper around useradd. Prompts for a password, creates the home directory, and copies skeleton files automatically. Not available on RHEL/Rocky by default.

# Interactive — safer for manual use
sudo adduser alice
# Prompts: password, full name,
# room, phone, other

# Create a user with home directory, bash shell, and a comment (full name)
sudo useradd -m -s /bin/bash -c "Alice Admin" alice

# Set the password immediately after creation
sudo passwd alice

# Verify the account was created correctly
getent passwd alice
ls -la /home/alice/

# Create a system account (no home dir, no login shell) — for services
sudo useradd --system --no-create-home --shell /usr/sbin/nologin appservice

# Create a user and assign a primary group at creation time
sudo useradd -m -s /bin/bash -g developers alice

# Create a user with a specific UID (useful for consistent UIDs across servers)
sudo useradd -m -u 1500 -s /bin/bash alice

# getent passwd alice
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash

# ls -la /home/alice/
total 28
drwxr-xr-x 3 alice alice 4096 Mar 12 09:15 .
drwxr-xr-x 6 root  root  4096 Mar 12 09:15 ..
-rw-r--r-- 1 alice alice  220 Mar 12 09:15 .bash_logout
-rw-r--r-- 1 alice alice 3526 Mar 12 09:15 .bashrc
-rw-r--r-- 1 alice alice  807 Mar 12 09:15 .profile

What just happened? useradd -m created the home directory and copied skeleton files from /etc/skel — the standard shell config files every new user needs. The home directory is owned by alice with permissions 755, allowing others to traverse but not write.

Managing Groups

Groups are the primary mechanism for granting shared access to files, directories, and system resources. Every user has one primary group (used as the default group owner of new files) and can belong to multiple supplementary groups that grant additional access rights.

Analogy: Think of groups as keycards in an office building. Your primary group is the card that opens your own office. Supplementary groups are additional keycards — for the server room, the print room, or a shared project space. You can carry multiple keycards, but you only have one default office.

# Create a new group
sudo groupadd developers

# Create a group with a specific GID
sudo groupadd -g 1050 developers

# Add a user to a supplementary group (does NOT remove existing groups)
sudo usermod -aG developers alice
sudo usermod -aG sudo alice           # Grant sudo access

# Add a user to multiple groups at once
sudo usermod -aG developers,docker,sudo alice

# View all groups a user belongs to
groups alice

# View group membership from /etc/group
getent group developers

# List all groups on the system
getent group | sort

# Remove a user from a group
sudo gpasswd -d alice developers

# Delete a group
sudo groupdel developers

# groups alice
alice : alice sudo developers docker

# getent group developers
developers:x:1050:alice,bob,charlie

# getent group | grep -E "^(sudo|docker|developers)"
sudo:x:27:alice,bob
docker:x:999:alice
developers:x:1050:alice,bob,charlie

What just happened? The -aG flags in usermod are critical — -a means append. Omitting -a and using only -G will replace all existing supplementary groups with only the one specified — a common mistake that can instantly revoke a user's sudo access.

Modifying User Accounts with usermod

usermod is the primary command for changing existing account properties — shell, home directory, username, UID, group memberships, and account lock status.

usermod — Common Flags

Flag	Purpose	Example
`-aG`	Append supplementary groups	`usermod -aG docker alice`
`-s`	Change login shell	`usermod -s /bin/zsh alice`
`-d`	Change home directory path	`usermod -d /data/alice -m alice`
`-l`	Rename the username	`usermod -l alicesmith alice`
`-L`	Lock the account (disable login)	`usermod -L alice`
`-U`	Unlock the account	`usermod -U alice`
`-e`	Set account expiry date	`usermod -e 2025-12-31 alice`

# Lock an account when an employee leaves — preserves data, prevents login
sudo usermod -L alice

# Verify the account is locked (an ! appears before the password hash)
sudo getent shadow alice | cut -d: -f2

# Unlock the account
sudo usermod -U alice

# Change a user's login shell to zsh
sudo usermod -s /bin/zsh alice

# Disable a service account's login shell entirely
sudo usermod -s /usr/sbin/nologin serviceaccount

# Move a user's home directory and migrate existing files
sudo usermod -d /srv/homes/alice -m alice

Deleting Users Safely with userdel

Deleting a user account requires more thought than creating one. Files owned by a deleted user become orphaned — they retain the old UID but display no username. Before running userdel, decide what to do with the user's data.

Step 1 — Lock the account first

Lock before deleting so any running processes owned by the user are terminated at the next natural stop and no new logins occur during cleanup.

sudo usermod -L alice

Step 2 — Archive the home directory

Create a compressed archive before deletion. Retaining data protects the organisation from compliance and legal obligations.

sudo tar -czf /backup/alice-home-$(date +%Y%m%d).tar.gz /home/alice/

Step 3 — Find all files owned by the user

Users may have created files outside their home directory. Find them now — after deletion they become orphaned UIDs with no name.

sudo find / -user alice -ls 2>/dev/null

Step 4 — Delete the account

Use -r to remove the home directory and mail spool. Only use this after archiving the data.

sudo userdel -r alice

# Delete a user but keep their home directory (for manual review)
sudo userdel alice

# Delete a user AND remove their home directory and mail spool
sudo userdel -r alice

# After deletion — find orphaned files (owned by a UID with no matching user)
sudo find / -nouser -ls 2>/dev/null

# Reassign orphaned files to a new owner after the fact
sudo find / -nouser -exec chown newowner {} \; 2>/dev/null

The Identity Files — /etc/passwd, /etc/shadow, /etc/group

User and group information is stored in three plain text files. Knowing their structure lets you read and interpret account data directly, which is essential when debugging permission problems or auditing accounts on a system.

/etc/passwd

World-readable. Seven colon-separated fields per user:

alice : x : 1001 : 1001 : Alice Admin : /home/alice : /bin/bash
name  pw  uid   gid   comment       home          shell

The x in the password field means the actual hash is stored in /etc/shadow.

/etc/shadow

Readable only by root. Contains hashed passwords and aging fields:

alice:$6$salt$hash...:19800:0:99999:7:::
      password_hash        last  min max warn

A ! or !! prefix means the account is locked.

/etc/group

World-readable. Four colon-separated fields per group:

developers : x : 1050 : alice,bob
name        pw   gid   members

Members listed here are supplementary members — primary group membership comes from /etc/passwd.

# Read passwd fields directly — useful on systems where getent is slow
grep "^alice:" /etc/passwd

# Check if an account is locked (look for ! before the hash)
sudo grep "^alice:" /etc/shadow | cut -d: -f2 | cut -c1-3

# List all users with a valid login shell (not nologin or false)
grep -v "nologin\|false" /etc/passwd | cut -d: -f1

# Check who is in the sudo/wheel group
getent group sudo
getent group wheel

# Find all accounts with UID 0 — should only ever be root
awk -F: '($3 == 0) {print $1}' /etc/passwd

# grep "^alice:" /etc/passwd
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash

# sudo grep "^alice:" /etc/shadow | cut -d: -f2 | cut -c1-3
$6$   ← active (hash starts with $6$ = SHA-512)
!$6$  ← locked (! prefix)

# getent group sudo
sudo:x:27:alice,bob

# awk -F: '($3 == 0) {print $1}' /etc/passwd
root

What just happened? The awk command scanning for UID 0 is a quick security audit — if any account other than root appears, it means someone has created a backdoor superuser account and the system is likely compromised.

Never Use usermod -G Without the -a Flag

Running sudo usermod -G developers alice without -a will set alice's supplementary groups to only developers — silently removing her from sudo, docker, and every other group she was in. This mistake has locked administrators out of their own servers. Always use sudo usermod -aG group user.

Lesson Checklist

✔ I can explain the difference between UID, GID, primary group, and supplementary groups, and read this information from /etc/passwd and /etc/group

✔ I can create a user account correctly using useradd -m -s /bin/bash and set a password immediately with passwd

✔ I always use usermod -aG (with the -a flag) when adding a user to a group, and understand why omitting -a is dangerous

✔ I follow the safe deletion workflow — lock, archive, find orphaned files, then delete — rather than running userdel -r immediately

✔ I can audit a system for security risks — accounts with UID 0, locked accounts, orphaned files, and users with unexpected group memberships

Teacher's Note

The single most common real-world mistake with user management is usermod -G without -a — it has locked out countless administrators mid-session. Make -aG a muscle memory habit and you will never make that mistake.

Practice Questions

1. Write the complete sequence of commands to create a new user called devops with a home directory, bash shell, and membership in both the sudo and docker groups. Include the password step and verify the account afterwards.

sudo useradd -m -s /bin/bash devops → sudo passwd devops → sudo usermod -aG sudo devops → sudo usermod -aG docker devops → verify with id devops and getent passwd devops.

2. A user bob is leaving the company. Describe the four-step process for safely removing his account, explaining the purpose of each step and the specific command you would run.

Step 1 — Lock: sudo usermod -L bob (prevents new logins). Step 2 — Archive: sudo tar -czf /backup/bob-home-$(date +%Y%m%d).tar.gz /home/bob/. Step 3 — Find orphaned files: sudo find / -user bob -ls 2>/dev/null. Step 4 — Delete: sudo userdel -r bob.

3. You run sudo find / -nouser -ls 2>/dev/null and find dozens of files. What does this indicate and how did it happen? What command would you run to reassign those files to an existing user called archive?

It means a user account was deleted without reassigning their files first — the files retain the old UID but no username maps to it. This happens when userdel is run without first handling owned files. To reassign: sudo find / -nouser -exec chown archive {} \; 2>/dev/null.

Lesson Quiz

1. What is the effect of running sudo usermod -G developers alice when alice is already a member of the sudo and docker groups?

Alice is added to developers while keeping her existing group memberships Alice's supplementary groups are replaced with only developers, removing her from sudo and docker The command fails because alice already belongs to other groups Alice's primary group is changed to developers

2. Which file stores the hashed passwords for user accounts, and why is it not stored in /etc/passwd?

/etc/passwd — it has always stored password hashes directly /etc/shadow — because /etc/passwd is world-readable and exposing password hashes would allow offline cracking attacks /etc/group — passwords are stored alongside group membership data /var/lib/passwd — for security, password data is stored outside /etc

3. You run sudo useradd bob without any flags. What is likely missing from the account that would prevent bob from logging in normally?

Bob will not be assigned a UID Bob will have no home directory and no password set, and may have no valid login shell depending on the distribution defaults Bob will be created as a system account with UID below 1000 The command will fail without the -m flag on all distributions

Up Next

Lesson 12 — Password Policies and Aging

Enforcing password complexity, expiry, and account lockout policies across your Linux systems

← Previous Course Index Next →