User management from the command line

This is a short article about the most common practices in user and group management from the command line. The information is specific to Fedora Core and Red Hat based distros, but it should apply to any distribution, probably with slight differences in the command options.

Although Fedora comes with an excellent graphical tool to manage your users (system-config-users), there are times, for example when administering a server through SSH, when user management has to be done from the command line.

All operations can be done using the following commands:
id, useradd, usermod, userdel, groupadd, groupdel, groupmod, passwd

These exist in every Linux distribution with slight differences in each command’s supported options. The following info applies to Fedora Core and other Red Hat based distros.

User info

The id command prints information for a certain user. Use it like this:

# id username

Create a user

To create a new user:

# useradd -c "My Example User" username
# passwd username

The created user is initially in an inactive state. To activate the user you have to assign a password with passwd. Some useful useradd options include the following:
-c : sets a comment for the user.
-s : is used in order to define the user’s default login shell. If not used, then the system’s default shell becomes the user’s default login shell.
-r : creates a user with UID<500 (system account)
-d : sets the user’s home directory. If not used, the default home directory is created (/home/username/)
-M : the home directory is not created. This is useful when the directory already exists.

To create a user that does not have the ability to log in to a shell, issue the following commands:

# useradd -c "This user cannot login to a shell" -s /sbin/nologin username
# passwd username

Change the user’s password

To change a user’s password:

# passwd username

If it’s used without specifying a username, then the currently logged in user’s password is changed.

Add a user to a group

Usermod is used to modify a user account’s settings. Check the man page for all the available options. One common use of this command is to add a user to a group:

# usermod -a -G group1 username

The -a option is critical. The user is added to group1 while he continues to be a member of other groups. If it’s not used, then the user is added only to group1 and removed from any other groups. So, take note!

Remove a user from a group

Removing a user from a group is a bit trickier. Unfortunately, there is no direct command, at least not in Fedora or RHEL, that can do that from the command line. First you need to get a list of the groups that your user is a member of:

# id -nG username
group1 group2 group3 ....

Then you need to put all these groups as a comma-separated list to the usermod -G option, except for the group from which you want the user to be removed. So, to remove the user from group2, issue the command:

# usermod -G group1,group3,... username
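
The two steps above combined into one helper, as an added example that is not part of the original article: it takes the `id -nG` output, drops the unwanted group, and prints the resulting `usermod -G` command for review instead of running it. The function names are hypothetical, and skipping the primary group (which `id -nG` also lists) is an addition to the steps described above.

```sh
#!/bin/sh
# Added example (hypothetical helper names), not from the original article.

# remaining_groups "<output of id -nG>" <primary group> <group to drop>
# Prints the comma-separated list to hand to `usermod -G`.
remaining_groups() {
    all_groups=$1
    primary=$2
    drop=$3
    out=""
    for g in $all_groups; do              # id -nG separates names with spaces
        # id -nG also lists the primary group, which is set with -g, not -G.
        [ "$g" = "$primary" ] && continue
        [ "$g" = "$drop" ] && continue
        out="${out:+$out,}$g"
    done
    printf '%s\n' "$out"
}

# remove_from_group <username> <group>
# Prints the usermod command for review; it does not modify any account.
remove_from_group() {
    user=$1
    drop=$2
    primary=$(id -ng "$user") || return 1
    current=$(id -nG "$user") || return 1
    if [ "$drop" = "$primary" ]; then
        echo "$drop is the primary group of $user; -G cannot remove it" >&2
        return 1
    fi
    case " $current " in
        *" $drop "*) ;;                   # exact-name membership check
        *) echo "$user is not a member of $drop" >&2; return 1 ;;
    esac
    printf 'usermod -G "%s" %s\n' \
        "$(remaining_groups "$current" "$primary" "$drop")" "$user"
}
```

If the printed list is empty, `usermod -G ""` leaves the user with only the primary group.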

Lock and Unlock user accounts

Other common usermod uses are to lock and unlock user accounts. To lock out a user:

# usermod -L username

To unlock the user:

# usermod -U username

Delete a user

Userdel is used to delete a user account. If the -r option is used then the user’s home directory and mail spool are deleted too:

# userdel -r username

Create a new group

To create a new group, issue the command:

# groupadd groupname

The -r option can be used to create a group with GID<500 (system).

Change a group’s name

Groupmod can be used to change a group name:

# groupmod -n newgroupname groupname

Delete a group

Groupdel can delete a group:

# groupdel groupname

In order to delete a user’s primary group (usually this is the group with name equal to the username) the respective user must be deleted first.

You can find more info in the man pages, but these will do in most cases.

User management from the command line by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2005 - Some Rights Reserved

14 responses on “User management from the command line”

  1. Broeisi

    usermod doesn’t have an -a option in Linux.
    When I issue usermod -a -G group1 user I get an error:

    kitana ~ # usermod -a -G floppy broeisi
    usermod: invalid option -- a
    Usage: usermod [-u uid [-o]] [-g group] [-G group,…]
    [-d home [-m]] [-s shell] [-c comment] [-l new_name]
    [-f inactive] [-e expire] [-p passwd] [-L|-U] name

    Take note of that.

  2. George Notaras (post author)

    Hi, what distribution do you use? As I have written in this small tutorial:

    These exist in every Linux distribution with slight differences in each command’s supported options. The following info applies to Fedora Core and other Red Hat based distros.

    Maybe the -a option is Red Hat specific.
    Differences do exist between distributions. For example, usermod in SUSE Linux has an option to remove a user from a certain group. Contrariwise, the direct removal of a user from a group is not possible in Red Hat based distros. Debian has its own tricks, but I am not too experienced with it.
    Probably there are more differences than the ones you or I have mentioned.

  3. Broeisi

    I use Gentoo…

    didn’t know that there were differences between the distros.
    Typically Linux distro….. pffttt…

    But I guess that gpasswd has the same option on all distros..but maybe I’m wrong here too.

  4. Paul

    I get the same no -a option error when attempting this on Fedora Core 3 distro.

    Any ideas what I should do instead?

    Regards,

    Paul

  5. Paul

    Answered my own question.
    Omitting the -a just meant that the user was added to the new group. It didn’t delete me from my home group.

    so doing usermod -G psb svn

    left me as a member of psb and svn groups. Not just psb as previously.

  6. George Notaras (post author)

    This is very interesting. I don’t have a Fedora 3 installation handy, but I will try to investigate the “-a” switch issue and modify this document accordingly.
    Thanks for your feedback.

  7. Sarkis Karagozian

    As a beginner to Linux, I learned a lot from these commands and comments.
    One comment I have:
    Before adding a user to a group, we need to add/create the group [group1]
    in the example, i.e.:

    # groupadd group1 (then add username to group)
    # usermod -G group1 username

    Thanks

  8. George Notaras (post author)

    Exactly. First we create the group and then we add the user to it.

    But take note that on a Red Hat/Fedora system, there is the -a switch which is actually required to be used in such an occasion. If -a is not included in usermod (like it happens in your usermod command), then the user will be removed from all groups and it will be added to the group1 group only. This is how it works on these systems. So, it should be:

    # groupadd group1
    # usermod -a -G group1 username
    

    From the usermod man page on Fedora 6 about the -G switch:

    If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via -a option, which appends user to the current supplementary group list.

    Please refer to your distribution’s usermod man page, so as to know exactly if a -a switch is supported or if there is another switch that should be used when adding a user to a group.

  9. Zarquan

    If your user accounts are in a LDAP server, you can’t use usermod to add them to a local group.

    [root@localhost ~]# usermod -a -G localgroup Frog
    usermod: Frog not found in /etc/passwd

    Hand editing the /etc/group file and adding the username seems to work.

  10. vijay

    Hi,
    what is the command to list all the users in the system?

  11. George Notaras (post author)

    Hi, actually you should decide which users you would like to list. System accounts or normal users? Users with a home directory or with the ability to use a shell or just print all of them? There is no such command. The users are kept in the /etc/passwd file.

    Also, in order to list all the currently logged-in users you issue any of the following commands:

    users

    or (this displays more info):

    w

    I hope these help.

  12. chenna

    how to lock entire group users using a single line command

    1. George Notaras (post author)

      Unfortunately it’s not possible to lock all the members of a group. As a workaround, I’d suggest looping through the group members and calling usermod -L ... for each user.
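
The loop suggested in the reply above, as an added example that is not part of the original thread: it reads the group and passwd files directly, so it also finds users who have the group as their primary group, and it prints the `usermod -L` commands instead of running them. The function names are hypothetical, skipping root is a choice made for this example, and accounts that exist only in LDAP are not covered.

```sh
#!/bin/sh
# Added example (hypothetical helper names), not from the original thread.

# group_members <group> [group_file] [passwd_file]
# Prints one username per line, sorted: the members listed in the group's
# entry plus the users whose primary GID is that group's GID.
group_members() {
    awk -F: -v grp="$1" '
        FNR == NR {                       # first file: name:passwd:GID:members
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "${2:-/etc/group}" "${3:-/etc/passwd}" | sort
}

# lock_group_cmds <group> [group_file] [passwd_file]
# Prints one `usermod -L` command per member for review; root is skipped so
# that the administrator account is never locked by accident.
lock_group_cmds() {
    group_members "$@" | while read -r u; do
        [ "$u" = root ] && continue
        printf 'usermod -L %s\n' "$u"
    done
}
```

Review the printed commands, then pipe them to `sh` as root to apply them.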

  13. Nikesh

    to remove a user from a particular group .. you can use gpasswd command
    look for man gpasswd