How to Create and Manage Linux Users and Groups: Complete Administration Guide

Managing users and groups is a fundamental skill for Linux system administrators. This comprehensive guide covers creating, modifying, and deleting users and groups, setting permissions, managing passwords, and implementing best practices for user management on Ubuntu, Debian, RHEL, CentOS, and other distributions.

Understanding Linux User Accounts

Linux user information is stored in several key files:

User Types

• Root (UID 0) – Superuser with full system access
• System users (UID 1-999) – Service accounts for daemons
• Regular users (UID 1000+) – Normal user accounts

Creating Users

Using useradd (Low-level)

# Basic user creation
sudo useradd username

# Create user with home directory
sudo useradd -m username

# Create with specific shell
sudo useradd -m -s /bin/bash username

# Create with custom home directory
sudo useradd -m -d /home/custom/username username

# Create with specific UID
sudo useradd -m -u 1500 username

# Create with primary group
sudo useradd -m -g developers username

# Create with additional groups
sudo useradd -m -G sudo,docker,www-data username

# Create with comment (full name)
sudo useradd -m -c "John Smith" jsmith

# Create with expiration date
sudo useradd -m -e 2025-12-31 contractor1

Using adduser (Interactive – Debian/Ubuntu)

# Interactive user creation
sudo adduser username

# Non-interactive with options
sudo adduser --disabled-password --gecos "John Smith" jsmith

Complete User Creation Example

# Create a developer user with full setup
sudo useradd -m \
  -s /bin/bash \
  -c "Jane Developer" \
  -G sudo,docker,developers \
  jdeveloper

# Set password
sudo passwd jdeveloper

# Verify user
id jdeveloper
grep jdeveloper /etc/passwd

Managing User Passwords

Setting and Changing Passwords

# Set password for user
sudo passwd username

# User changes own password
passwd

# Force password change on next login
sudo passwd -e username

# Lock user account
sudo passwd -l username

# Unlock user account
sudo passwd -u username

# Check password status
sudo passwd -S username

Password Aging Policies

# Set password expiration (90 days)
sudo chage -M 90 username

# Set minimum days between changes
sudo chage -m 7 username

# Set warning days before expiration
sudo chage -W 14 username

# Set account expiration date
sudo chage -E 2025-12-31 username

# View password aging info
sudo chage -l username

# Force immediate password expiration
sudo chage -d 0 username

Password Policy Configuration

Edit /etc/login.defs for system-wide defaults:

# Minimum password length
PASS_MIN_LEN 12

# Password aging
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14

Modifying Users

Using usermod

# Change username
sudo usermod -l newname oldname

# Change home directory
sudo usermod -d /new/home -m username

# Change default shell
sudo usermod -s /bin/zsh username

# Change primary group
sudo usermod -g newgroup username

# Add to additional groups
sudo usermod -aG docker,sudo username

# Change UID
sudo usermod -u 1600 username

# Lock account
sudo usermod -L username

# Unlock account
sudo usermod -U username

# Set account expiration
sudo usermod -e 2025-06-30 username

# Change comment/full name
sudo usermod -c "New Full Name" username

Common Modifications

# Add user to sudo group (Debian/Ubuntu)
sudo usermod -aG sudo username

# Add user to wheel group (RHEL/CentOS)
sudo usermod -aG wheel username

# Add user to multiple groups at once
sudo usermod -aG docker,nginx,developers username

Deleting Users

# Delete user (keep home directory)
sudo userdel username

# Delete user and home directory
sudo userdel -r username

# Force delete (even if user is logged in)
sudo userdel -f username

# Delete user, home, and mail spool
sudo userdel -r username
sudo rm -rf /var/mail/username

Safe User Deletion Script

#!/bin/bash
# safe-delete-user.sh

USERNAME=$1

if [ -z "$USERNAME" ]; then
    echo "Usage: $0 username"
    exit 1
fi

# Backup home directory first
sudo tar -czvf /backup/user-$USERNAME-$(date +%Y%m%d).tar.gz /home/$USERNAME

# Kill user processes
sudo pkill -u $USERNAME

# Remove from all groups
for group in $(groups $USERNAME | cut -d: -f2); do
    sudo gpasswd -d $USERNAME $group 2>/dev/null
done

# Delete user and home
sudo userdel -r $USERNAME

echo "User $USERNAME deleted. Backup saved to /backup/"

Managing Groups

Creating Groups

# Create new group
sudo groupadd groupname

# Create with specific GID
sudo groupadd -g 2000 groupname

# Create system group
sudo groupadd -r systemgroup

Modifying Groups

# Rename group
sudo groupmod -n newname oldname

# Change GID
sudo groupmod -g 2500 groupname

# Add user to group
sudo gpasswd -a username groupname

# Remove user from group
sudo gpasswd -d username groupname

# Set group administrators
sudo gpasswd -A admin1,admin2 groupname

# Set group members
sudo gpasswd -M user1,user2,user3 groupname

Deleting Groups

# Delete group
sudo groupdel groupname

Viewing Group Information

# List all groups
cat /etc/group

# Show user's groups
groups username

# Show group members
getent group groupname

# Show group ID
getent group groupname | cut -d: -f3

Primary vs Secondary Groups

# Every user has one primary group
# Primary group is used for new file creation

# View primary group
id -gn username

# Change primary group
sudo usermod -g newprimary username

# Secondary groups provide additional access
# View all groups
id username

# Add secondary group
sudo usermod -aG secondary username

Understanding /etc/passwd and /etc/shadow

/etc/passwd Format

# username:x:UID:GID:comment:home:shell
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash

# Fields:
# 1. Username
# 2. Password placeholder (x = password in /etc/shadow)
# 3. User ID (UID)
# 4. Primary Group ID (GID)
# 5. Comment/Full name (GECOS)
# 6. Home directory
# 7. Login shell

/etc/shadow Format

# username:password:lastchange:min:max:warn:inactive:expire:reserved
jsmith:$6$xyz...:19500:0:90:7:30:19800:

# Fields:
# 1. Username
# 2. Encrypted password
# 3. Days since Jan 1, 1970 password was last changed
# 4. Minimum days between password changes
# 5. Maximum days password is valid
# 6. Days before expiration to warn
# 7. Days after expiration until account disabled
# 8. Account expiration date
# 9. Reserved

Sudo Access Configuration

Adding Users to Sudo

# Ubuntu/Debian - add to sudo group
sudo usermod -aG sudo username

# RHEL/CentOS - add to wheel group
sudo usermod -aG wheel username

# Verify sudo access
sudo -l -U username

Custom Sudo Rules

Edit sudoers safely with visudo:

sudo visudo

# Allow user to run all commands
username ALL=(ALL:ALL) ALL

# Allow without password
username ALL=(ALL) NOPASSWD: ALL

# Allow specific commands only
username ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade

# Allow commands as specific user
username ALL=(www-data) /usr/bin/systemctl restart nginx

# Group-based sudo
%developers ALL=(ALL) /usr/bin/docker, /usr/bin/docker-compose

Sudoers.d Directory

# Create custom sudo file
sudo nano /etc/sudoers.d/developers

# Add rules
%developers ALL=(ALL) NOPASSWD: /usr/bin/docker *

# Set permissions
sudo chmod 440 /etc/sudoers.d/developers

System Users for Services

# Create system user for application
sudo useradd -r -s /usr/sbin/nologin -d /opt/myapp -c "MyApp Service" myapp

# Create with specific UID in system range
sudo useradd -r -u 500 -s /sbin/nologin serviceuser

# Verify system user
id myapp
getent passwd myapp

Bulk User Management

Create Multiple Users from File

# users.txt format: username:password:UID:GID:comment:home:shell
# create-users.sh

#!/bin/bash
while IFS=: read -r username password uid gid comment home shell; do
    sudo useradd -m -u "$uid" -g "$gid" -c "$comment" -d "$home" -s "$shell" "$username"
    echo "$username:$password" | sudo chpasswd
    sudo passwd -e "$username"  # Force password change
    echo "Created user: $username"
done < users.txt

Using newusers Command

# Create file with user info
cat > /tmp/newusers.txt << EOF
user1:password1:2001:2001:User One:/home/user1:/bin/bash
user2:password2:2002:2002:User Two:/home/user2:/bin/bash
user3:password3:2003:2003:User Three:/home/user3:/bin/bash
EOF

# Create users
sudo newusers /tmp/newusers.txt

# Clean up
rm /tmp/newusers.txt

User Login Management

View Login Information

# Last logins
last username

# Failed login attempts
sudo lastb

# Currently logged in users
who
w

# User login history
lastlog

Restrict Login Times

Edit /etc/security/time.conf:

# Restrict user to business hours
login;*;username;Wk0800-1800

Limit Concurrent Sessions

Edit /etc/security/limits.conf:

# Limit username to 2 sessions
username hard maxlogins 2

# Limit developers group to 3 sessions
@developers hard maxlogins 3

User Quotas

# Enable quotas on filesystem (edit /etc/fstab)
# Add usrquota,grpquota to mount options
/dev/sda1 /home ext4 defaults,usrquota,grpquota 0 2

# Remount filesystem
sudo mount -o remount /home

# Initialize quota database
sudo quotacheck -cum /home
sudo quotaon /home

# Set user quota (soft/hard limits in KB)
sudo setquota -u username 1000000 1200000 0 0 /home

# View quota
sudo quota -u username
sudo repquota /home

Useful Commands Reference

# User Information
id username              # Show UID, GID, groups
whoami                   # Current username
who                      # Logged in users
w                        # Detailed logged in users
finger username          # User information (if installed)

# Search Users
getent passwd            # List all users
getent passwd username   # Specific user
grep username /etc/passwd

# Search Groups
getent group             # List all groups
getent group groupname   # Specific group
groups username          # User's groups

# Account Status
passwd -S username       # Password status
chage -l username        # Password aging info
sudo faillog -u username # Failed login attempts

Best Practices

1. Use meaningful usernames - Follow a consistent naming convention (firstname.lastname, first initial + lastname)
2. Set password policies - Enforce minimum length, complexity, and expiration
3. Use groups for access control - Assign permissions to groups, not individual users
4. Audit regularly - Review user accounts, remove unused accounts
5. Use sudo instead of root - Never share root password, use sudo for administrative tasks
6. Document user creation - Maintain records of who has access to what
7. Disable unused accounts - Lock accounts instead of deleting to preserve audit trail
8. Set proper home directory permissions - Default 700 or 750 for home directories

Security Audit Script

#!/bin/bash
# user-audit.sh - Audit user accounts

echo "=== User Account Audit Report ==="
echo "Date: $(date)"
echo ""

echo "--- Users with UID 0 (root access) ---"
awk -F: '($3 == 0) {print $1}' /etc/passwd

echo ""
echo "--- Users with empty passwords ---"
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

echo ""
echo "--- Users with no password expiration ---"
for user in $(cut -d: -f1 /etc/shadow); do
    exp=$(sudo chage -l $user | grep "Password expires" | cut -d: -f2)
    if [ "$exp" = " never" ]; then
        echo "$user"
    fi
done

echo ""
echo "--- Users who haven't logged in (30+ days) ---"
lastlog | awk 'NR>1 && /Never logged in/ {print $1}'

echo ""
echo "--- Accounts with login shells ---"
grep -v "nologin\|false" /etc/passwd | cut -d: -f1,7

echo ""
echo "--- Sudo access users ---"
getent group sudo wheel 2>/dev/null | cut -d: -f4 | tr ',' '\n'

Conclusion

Effective user and group management is essential for Linux system security and organization. Use groups for access control, enforce strong password policies, and regularly audit accounts. These practices ensure your system remains secure while providing appropriate access to authorized users.

For enterprise environments, consider implementing centralized authentication using LDAP, Active Directory, or FreeIPA for easier management across multiple servers.