Complete Guide to Linux User and Group Management for Absolute Beginners

Introduction

User and group management is a fundamental aspect of Linux system administration. Whether you're setting up a multi-user system, managing permissions, or implementing security policies, understanding how to create, modify, and delete users and groups is essential.

In this comprehensive guide, you'll learn:

How to create and configure user accounts with useradd
Setting and managing user passwords with passwd
Modifying user properties with usermod
Creating and managing groups with groupadd and gpasswd
Implementing password aging policies with chage
Understanding the /etc/passwd file structure
Safely removing users and groups with userdel and groupdel

💡

Prerequisites: You'll need sudo or root privileges to perform most user and group management tasks. All examples use Red Hat-based systems (RHEL, CentOS, Fedora).

Understanding User Management Basics

Linux is a multi-user operating system, meaning multiple people can use the same computer simultaneously. Each user has:

Unique User ID (UID): A numerical identifier
Primary Group: Every user belongs to at least one group
Home Directory: Personal workspace for files
Login Shell: The command interpreter they use
Password: Encrypted authentication credential

Installing shadow-utils Package

Before working with user management commands, ensure the shadow-utils package is installed. This package provides the core utilities for managing users and groups.

sudo dnf install -y shadow-utils

Command Breakdown:

sudo: Execute command with superuser privileges
dnf install: DNF package manager's install subcommand
-y: Automatically answer "yes" to prompts
shadow-utils: Package containing user/group management tools

Typical Output:

Last metadata expiration check: 1:41:34 ago on Mon 06 Oct 2025 04:31:31 PM PKT.
Package shadow-utils-2:4.9-15.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

Output Explanation:

Metadata expiration check: Shows when DNF last refreshed its package database
Already installed: The package version (2:4.9-15.el9.x86_64) is present
- 2: = epoch (package versioning mechanism)
- 4.9-15 = version and release number
- el9 = Enterprise Linux 9 (RHEL/CentOS 9)
- x86_64 = 64-bit architecture
Dependencies resolved: No additional packages needed
Complete: Operation finished successfully

Creating Users with useradd

The useradd command creates new user accounts. Let's create a user named labuser1:

Initial Attempt Without sudo

useradd -m -s /bin/bash labuser1

Output:

useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.

Why This Failed:

User management requires modifying system files like /etc/passwd and /etc/shadow
These files can only be modified by root/sudo users
The system locks /etc/passwd during modifications to prevent corruption
Without proper privileges, you cannot acquire this lock

Correct Command with sudo

sudo useradd -m -s /bin/bash labuser1

Command Options Explained:

sudo: Run with superuser privileges
useradd: Command to create new user
-m: Create home directory (at /home/labuser1)
-s /bin/bash: Set login shell to Bash
labuser1: Username to create

Output:

useradd: warning: the home directory /home/labuser1 already exists.
useradd: Not copying any file from skel directory into it.
Creating mailbox file: File exists

Output Explanation:

Warning about home directory: /home/labuser1 existed from a previous creation
Skel directory: Usually /etc/skel contains template files (.bashrc, .profile) copied to new user homes
Mailbox file exists: Email spool file already present at /var/spool/mail/labuser1

💡

When creating a fresh user, you won't see these warnings. The home directory will be created with default configuration files from /etc/skel.

Setting User Passwords with passwd

After creating a user, they need a password to log in:

sudo passwd labuser1

Interactive Process:

Changing password for user labuser1.
New password: [typed but hidden]
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: [typed but hidden]
passwd: all authentication tokens updated successfully.

What Happens Here:

Changing password for user labuser1: Identifies which account is being modified
New password: Prompts for password input (characters don't display for security)
BAD PASSWORD warning: System detected a weak password but allows it when using sudo
- Regular users would be forced to choose a stronger password
- Root/sudo can override password quality checks
Retype new password: Confirms you typed it correctly
Authentication tokens updated: Password hash stored in /etc/shadow

⚠️

Security Best Practice: Always use strong passwords with:

Minimum 12 characters
Mix of uppercase and lowercase letters
Numbers and special characters
No dictionary words or personal information

Verifying User Information with id

The id command displays user identity information:

id labuser1

Output:

uid=1002(labuser1) gid=1002(labuser1) groups=1002(labuser1)

Output Breakdown:

Field	Value	Meaning
`uid`	1002(labuser1)	User ID number is 1002, username is labuser1
`gid`	1002(labuser1)	Primary group ID is 1002, group name is labuser1
`groups`	1002(labuser1)	Member of group 1002 (labuser1) - only the primary group so far

Key Points:

By default, useradd creates a private group with the same name as the user
UID and GID typically start at 1000 for regular users (system users use lower numbers)
The user currently belongs to only one group (their primary group)

Modifying User Properties with usermod

The usermod command changes existing user account attributes.

sudo usermod -s /bin/zsh labuser1

Output:

usermod: Warning: missing or non-executable shell '/bin/zsh'

Why This Warning Appeared:

The shell /bin/zsh is not installed on this system
Linux will allow you to set it, but the user won't be able to log in properly
Always verify the shell exists before setting it

Correcting with a Valid Shell:

sudo usermod -s /bin/sh labuser1

No output means success. The shell has been changed to /bin/sh (Bourne Shell).

Common Shells:

/bin/bash - Bourne Again Shell (most common)
/bin/sh - Bourne Shell (POSIX-compatible)
/bin/zsh - Z Shell (requires installation)
/bin/fish - Friendly Interactive Shell (requires installation)

Adding a User Comment/Description

sudo usermod -c "Lab user 1" labuser1

Command Options:

-c: Set the GECOS/comment field (user's full name or description)
"Lab user 1": Descriptive text (quoted because it contains spaces)

This information appears in /etc/passwd and can be displayed by commands like finger or chfn.

Understanding /etc/passwd File

The /etc/passwd file stores user account information. Let's examine our user's entry:

grep labuser1 /etc/passwd

Output:

labuser1:x:1002:1002:Lab user 1:/home/labuser1:/bin/sh

Field Structure:

Position	Value	Field Name	Description
1	`labuser1`	Username	Login name
2	`x`	Password	Password stored in /etc/shadow (x means shadowed)
3	`1002`	UID	User ID number
4	`1002`	GID	Primary group ID number
5	`Lab user 1`	GECOS	Comment/description field
6	`/home/labuser1`	Home Directory	User's home directory path
7	`/bin/sh`	Shell	Login shell program

Each field is separated by a colon (:). This format is easy to parse with scripts and commands.

Creating and Managing Groups

Groups are used to organize users and control access to files and resources.

Creating a New Group

sudo groupadd labgroup

No output means the group was created successfully. Groups are stored in /etc/group.

What This Does:

Creates a new group named "labgroup"
Assigns it a unique GID (Group ID)
Adds an entry to /etc/group

Adding Users to Groups

sudo usermod -aG labgroup labuser1

Command Options:

-a: Append to group (IMPORTANT: without this, user is removed from other groups)
-G: Specify supplementary groups
labgroup: The group to add the user to

⚠️

Critical Warning: Always use -aG together. Using -G alone without -a will remove the user from all other supplementary groups!

Verifying Group Membership

groups labuser1

Output:

labuser1 : labuser1 labgroup

Output Explanation:

labuser1: The username being queried
labuser1: Primary group (listed first)
labgroup: Supplementary group

Advanced Group Management with gpasswd

The gpasswd command provides advanced group administration features.

Setting a Group Administrator

sudo gpasswd -A labuser1 labgroup

What This Does:

-A: Designate group administrators
labuser1: User who becomes group admin
labgroup: Group being administered

Group Administrator Privileges:

Can add/remove members from the group
Can set the group password
Cannot delete the group itself

Adding Members to a Group

sudo gpasswd -a labuser2 labgroup

Initial Attempt Output:

gpasswd: user 'labuser2' does not exist

Why It Failed:

The user labuser2 hasn't been created yet
You must create users before adding them to groups

Creating labuser2:

sudo useradd -m -s /bin/bash labuser2

Now Adding to Group:

sudo gpasswd -a labuser2 labgroup

Output:

Adding user labuser2 to group labgroup

Command Options:

-a: Add user to group (lowercase 'a' for add)
labuser2: Username to add
labgroup: Target group

💡

gpasswd vs usermod: Both can add users to groups. Use gpasswd -a for single group additions and usermod -aG when adding to multiple groups simultaneously.

Managing Password Aging with chage

The chage command controls password expiration policies, critical for security compliance.

Setting Password Aging Policies

sudo chage -M 90 -m 7 -W 14 labuser1

Command Options Explained:

Option	Value	Meaning
`-M`	90	Maximum days password is valid (expires after 90 days)
`-m`	7	Minimum days before password can be changed again
`-W`	14	Warning days before password expires (alert user 14 days early)

What This Policy Does:

User must change password every 90 days
After changing password, must wait 7 days before changing again (prevents rapid cycling)
User gets warnings starting 14 days before expiration

Viewing Password Aging Information

sudo chage -l labuser1

Output:

Last password change					: Oct 06, 2025
Password expires					: Jan 04, 2026
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 7
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 14

Field Explanations:

Field	Value	Meaning
Last password change	Oct 06, 2025	When password was last set/changed
Password expires	Jan 04, 2026	90 days from last change (Oct 6 + 90 days)
Password inactive	never	Account won't auto-disable after password expires
Account expires	never	Account has no expiration date
Minimum days	7	Must wait 7 days between password changes
Maximum days	90	Password valid for maximum 90 days
Warning days	14	User warned 14 days before expiration

💡

Security Compliance: Many organizations require password rotation (30-90 days) and minimum age policies (1-7 days) to meet standards like PCI-DSS, HIPAA, or SOC 2.

Removing Users and Groups

Deleting a User (Keep Home Directory)

sudo userdel labuser1

What This Does:

Removes user entry from /etc/passwd, /etc/shadow, and /etc/group
Does NOT remove home directory or mail spool
User's files remain owned by the UID (shown as number instead of username)

When to Use:

Temporarily disabling account while preserving data
Need to audit user's files before deletion

Deleting a User (Remove Everything)

sudo userdel -r labuser2

Command Options:

-r: Remove home directory and mail spool

What Gets Deleted:

User account entry from all system files
/home/labuser2 directory and all contents
/var/spool/mail/labuser2 mailbox
Any cron jobs owned by the user

⚠️

Warning: The -r option is destructive and irreversible. Always backup important data before using it. Files outside the home directory owned by this user will remain but show as owned by the UID number.

Deleting a Group

sudo groupdel labgroup

What This Does:

Removes group entry from /etc/group
Cannot delete if it's a user's primary group
Supplementary group memberships are removed from all users

Error Prevention:

First ensure no users have this as their primary group
Check with: grep :labgroup: /etc/group or getent group labgroup

Viewing All System Users

To see all usernames on the system:

cut -d: -f1 /etc/passwd

Command Breakdown:

cut: Extract specific fields from each line
-d:: Use colon as the field delimiter
-f1: Extract field 1 (username)
/etc/passwd: Input file

Partial Output:

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
operator
games
ftp
nobody
systemd-coredump
dbus
polkitd
...
centos9
stapunpriv
pesign
vboxadd
labuser
apache

User Types Shown:

System users (root, bin, daemon, mail): UID < 1000, run system services
Service users (systemd-coredump, dbus, polkitd): Run specific daemons
Regular users (centos9, labuser, apache): UID ≥ 1000, actual login accounts

Best Practices for User and Group Management

Security Best Practices

Use Strong Password Policies
- Enforce minimum password length (12+ characters)
- Require complexity (uppercase, lowercase, numbers, symbols)
- Implement password aging with chage
- Set maximum password age: 30-90 days
Principle of Least Privilege
- Grant users only necessary permissions
- Use groups to manage permissions collectively
- Avoid giving unnecessary sudo access
- Regular audit user permissions
Account Hygiene
- Remove or disable unused accounts promptly
- Use usermod -L to lock accounts instead of deleting immediately
- Monitor last login times: lastlog
- Regular review of /etc/passwd and /etc/group
Group Management
- Create role-based groups (developers, admins, operators)
- Use descriptive group names
- Document group purposes
- Avoid adding users directly to system groups

Operational Best Practices

Documentation
- Maintain list of user accounts and their purposes
- Document group memberships and permissions
- Note any special configurations or exceptions
- Keep password policy documentation current
Automation and Standardization
- Use consistent UID/GID ranges
- Script user creation for consistency
- Set default password policies in /etc/login.defs
- Use configuration management tools (Ansible, Puppet)
Backup and Audit
- Back up /etc/passwd, /etc/shadow, /etc/group regularly
- Enable auditing for user management commands
- Review logs in /var/log/secure or /var/log/auth.log
- Track who creates/modifies user accounts
Naming Conventions
- Use consistent username formats (firstname.lastname, flastname)
- Avoid special characters in usernames
- Use lowercase for consistency
- Reserve certain prefixes for service accounts (srv-, app-)

Common Pitfalls to Avoid

Don't use usermod -G without -a (removes other groups)
Don't delete users while they're logged in
Don't modify /etc/passwd directly (use commands instead)
Don't share accounts between multiple people
Don't forget to set passwords for new accounts
Don't reuse UIDs of deleted users immediately

Command Cheat Sheet

User Management Commands

Command	Purpose	Example
`useradd`	Create new user account	`sudo useradd -m -s /bin/bash john`
`passwd`	Set/change user password	`sudo passwd john`
`usermod`	Modify user account	`sudo usermod -aG wheel john`
`userdel`	Delete user account	`sudo userdel -r john`
`id`	Display user ID and groups	`id john`
`chage`	Manage password aging	`sudo chage -l john`
`whoami`	Display current username	`whoami`
`who`	Show logged-in users	`who`
`w`	Show who is logged in and what they're doing	`w`
`lastlog`	Show last login times	`lastlog`

Group Management Commands

Command	Purpose	Example
`groupadd`	Create new group	`sudo groupadd developers`
`groupdel`	Delete group	`sudo groupdel developers`
`gpasswd -a`	Add user to group	`sudo gpasswd -a john developers`
`gpasswd -d`	Remove user from group	`sudo gpasswd -d john developers`
`gpasswd -A`	Set group administrators	`sudo gpasswd -A john developers`
`groups`	Show user's groups	`groups john`
`getent group`	Display group information	`getent group developers`

useradd Common Options

Option	Description	Example
`-m`	Create home directory	`useradd -m john`
`-s`	Set login shell	`useradd -s /bin/bash john`
`-d`	Specify home directory	`useradd -d /custom/home john`
`-c`	Add comment/description	`useradd -c "John Doe" john`
`-u`	Specify UID	`useradd -u 1500 john`
`-g`	Set primary group	`useradd -g developers john`
`-G`	Add to supplementary groups	`useradd -G wheel,docker john`
`-e`	Set account expiration date	`useradd -e 2026-12-31 john`

usermod Common Options

Option	Description	Example
`-aG`	Append to supplementary groups	`usermod -aG docker john`
`-s`	Change login shell	`usermod -s /bin/zsh john`
`-c`	Change comment	`usermod -c "Jane Doe" john`
`-d`	Change home directory	`usermod -d /new/home john`
`-L`	Lock account (disable login)	`usermod -L john`
`-U`	Unlock account	`usermod -U john`
`-e`	Set expiration date	`usermod -e 2026-12-31 john`
`-l`	Change username	`usermod -l jane john`

chage Common Options

Option	Description	Example
`-l`	List password aging information	`chage -l john`
`-M`	Maximum password age (days)	`chage -M 90 john`
`-m`	Minimum password age (days)	`chage -m 7 john`
`-W`	Warning days before expiration	`chage -W 14 john`
`-I`	Inactive days after expiration	`chage -I 30 john`
`-E`	Account expiration date	`chage -E 2026-12-31 john`
`-d`	Last password change date	`chage -d 0 john` (force change at next login)

Summary

In this comprehensive guide, you've learned how to:

✅ Create user accounts with useradd and set up home directories and shells ✅ Set and manage passwords with passwd for user authentication ✅ Modify user properties using usermod to change shells, comments, and groups ✅ Understand the /etc/passwd file structure and its seven fields ✅ Create and manage groups with groupadd, gpasswd, and group membership ✅ Implement password aging policies with chage for security compliance ✅ Safely remove users and groups with userdel and groupdel ✅ Apply security best practices for user and group management

User and group management forms the foundation of Linux system administration and security. By mastering these commands and following best practices, you can effectively manage multi-user systems, implement proper access controls, and maintain security compliance.

What's Next?

Now that you understand user and group management, explore related topics:

File Permissions: Learn how ownership and permissions control access to files
sudo Configuration: Set up granular sudo privileges with /etc/sudoers
PAM (Pluggable Authentication Modules): Advanced authentication configuration
LDAP/Active Directory Integration: Centralized user management for enterprises
SELinux: Mandatory access controls for enhanced security

Master user management to secure your Linux systems and control access effectively!

Introduction

Understanding User Management Basics

Installing shadow-utils Package

Creating Users with useradd

Initial Attempt Without sudo

Correct Command with sudo

Setting User Passwords with passwd

Verifying User Information with id

Modifying User Properties with usermod

Changing the Login Shell

Adding a User Comment/Description

Understanding /etc/passwd File

Creating and Managing Groups

Creating a New Group

Adding Users to Groups

Verifying Group Membership

Advanced Group Management with gpasswd

Setting a Group Administrator

Adding Members to a Group

Managing Password Aging with chage

Setting Password Aging Policies

Viewing Password Aging Information

Removing Users and Groups

Deleting a User (Keep Home Directory)

Deleting a User (Remove Everything)

Deleting a Group

Viewing All System Users

Best Practices for User and Group Management

Security Best Practices

Operational Best Practices

Common Pitfalls to Avoid

Command Cheat Sheet

User Management Commands

Group Management Commands

useradd Common Options

usermod Common Options

chage Common Options

Summary

What's Next?

Written by Owais

Related Articles

Complete Guide to Linux File Permissions and Ownership for Absolute Beginners

Complete Guide to Linux systemd Service Management for Absolute Beginners

Complete Guide to Linux Process Management and Monitoring for Absolute Beginners

More Reading

Advanced Linux I/O Redirection: Error Handling and Complex Redirections (Part 2)