Linux User and Group Management: adduser, passwd, sudo Explained

Managing users and groups is a fundamental sysadmin task. Whether you are onboarding a new developer, locking down a compromised account, or setting up shared access to a directory, you need to know how Linux handles identity. This guide covers everything from creating users to configuring sudo access.

How Linux Tracks Users

Linux stores user information in two key files:

  • /etc/passwd — username, UID, GID, home directory, shell (readable by all)
  • /etc/shadow — hashed passwords and expiry info (root-only)

grep '^alok:' /etc/passwd   # Anchor on the username field, not any line that mentions alok
# alok:x:1001:1001:Alok Kumar:/home/alok:/bin/bash

getent passwd alok     # Query the user database (works with LDAP/NSS sources too)

Each /etc/passwd line has seven colon-delimited fields: username : password placeholder (x, meaning the hash lives in /etc/shadow) : UID : GID : GECOS (full name or comment) : home directory : login shell.

Creating Users

# adduser (interactive, Debian/Ubuntu)
sudo adduser alok

# useradd (low-level, works everywhere — better for scripts)
sudo useradd -m -s /bin/bash -c "Alok Kumar" alok
sudo passwd alok           # Set password separately

Key useradd flags:

  • -m — create home directory
  • -s /bin/bash — set login shell
  • -c "Full Name" — GECOS comment field
  • -u 1500 — specify UID manually
  • -g developers — set primary group
  • -G wheel,docker — add to supplementary groups

Creating a System (Service) User

sudo useradd -r -s /usr/sbin/nologin -d /var/lib/myapp myapp
# -r: system account (UID below 1000, no password aging, no home directory created)
# -s nologin: cannot log in interactively (/sbin/nologin on RHEL-family systems)
# -d: home directory path recorded in /etc/passwd; add -m if the directory should actually be created

Modifying Users

sudo usermod -s /bin/zsh alok           # Change shell
sudo usermod -aG docker alok            # Add to group (append, do not replace)
sudo usermod -L alok                    # Lock account
sudo usermod -U alok                    # Unlock account
sudo usermod -e 2026-12-31 alok         # Set account expiry date
sudo usermod -d /home/newhome -m alok   # Move home directory

Warning: usermod -G group alok without -a replaces all supplementary groups. Always use -aG to append.
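
The Creating Users and Modifying Users sections above are the pieces of one onboarding procedure; the script below is an added example (not from the original article) that strings them together non-interactively and idempotently. The names alok, developers and docker are illustrative, and the DRY_RUN switch is this example's own convention for previewing the exact useradd/usermod/chage calls.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive, idempotent onboarding
# with useradd/usermod/chage. Names (alok, developers, docker) are illustrative.
set -eu

# Wrapper: execute the command, or only print it when DRY_RUN=1, so the exact
# calls can be reviewed before they touch a live system.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Portable username check: 1-32 chars, starts with a lowercase letter or underscore.
valid_username() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

ensure_group() {
  getent group "$1" >/dev/null 2>&1 || run groupadd "$1"
}

# onboard_user NAME "FULL NAME" PRIMARY_GROUP [SUPPLEMENTARY_GROUPS]
onboard_user() {
  name=$1 gecos=$2 primary=$3 supp=${4:-}
  valid_username "$name" || { echo "invalid username: $name" >&2; return 1; }
  ensure_group "$primary"
  if getent passwd "$name" >/dev/null 2>&1; then
    echo "user $name already exists, skipping useradd" >&2
  else
    run useradd -m -s /bin/bash -c "$gecos" -g "$primary" "$name"
  fi
  # -aG appends; a plain -G would replace every supplementary group.
  [ -z "$supp" ] || run usermod -aG "$supp" "$name"
  # Password aging: rotate every 90 days, warn 7 days ahead.
  run chage -M 90 -W 7 "$name"
  # Set the initial password separately (passwd NAME); passwd -e NAME afterwards
  # forces a change at first login.
}

if [ "${1:-}" = "--demo" ]; then
  DRY_RUN=1
  onboard_user alok "Alok Kumar" developers docker
fi
```

Run it as root without DRY_RUN to apply the changes; the script skips useradd for an account that already exists but still reconciles groups and aging.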

Deleting Users

sudo userdel alok            # Delete user, keep home directory
sudo userdel -r alok         # Delete user AND home directory and mail spool

Password Management

sudo passwd alok             # Set or change password
sudo passwd -l alok          # Lock password (prepends ! in /etc/shadow)
sudo passwd -u alok          # Unlock password
sudo passwd -e alok          # Expire password (force change on next login)
sudo chage -l alok           # View password aging info
sudo chage -M 90 alok        # Max 90 days before password must change
sudo chage -W 7 alok         # Warn 7 days before expiry

Managing Groups

cat /etc/group                        # View all groups
groups alok                           # Groups alok belongs to
id alok                               # UID, GID, and all groups

sudo groupadd developers              # Create group
sudo groupdel developers              # Delete group
sudo gpasswd -a alok developers       # Add user to group
sudo gpasswd -d alok developers       # Remove user from group

Shared Group Directory

sudo mkdir /opt/project
sudo chown root:developers /opt/project
sudo chmod 2775 /opt/project          # SGID so new files inherit the developers group
# Note: SGID fixes the group of new files, not their mode; whether other members can
# write to them still depends on each creating user's umask.

Configuring sudo Access

Never edit /etc/sudoers directly — use visudo, which locks the file and validates syntax before saving, so a typo cannot lock everyone out of sudo:

sudo visudo

Common sudoers patterns:

# Give alok full sudo access
alok  ALL=(ALL:ALL) ALL

# Allow without password prompt
alok  ALL=(ALL) NOPASSWD: ALL

# Allow only specific commands (full paths; arguments must match exactly)
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx, /usr/bin/git pull
# Keep such lists tight: any allowed command that can launch a shell, editor or pager
# (git, vim, less and similar) effectively grants full root.

Adding a User to the sudo Group (Debian/Ubuntu)

sudo usermod -aG sudo alok
# On RHEL/Rocky/Fedora, use the "wheel" group:
sudo usermod -aG wheel alok

Switching Users

su - alok              # Switch to alok with their environment
su -                   # Switch to root
sudo -i                # Open root shell via sudo
sudo -u alok command   # Run command as alok

Auditing Users

who                     # Currently logged-in users
w                       # Who is logged in and their activity
last | head -20         # Recent login history (from /var/log/wtmp)
sudo lastb | head -10   # Failed login attempts (/var/log/btmp is readable only by root)
awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd   # List normal (non-system) users, skipping nobody
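
The awk one-liner above is the seed of a fuller account review. The script below is an added example (not from the original article) that runs several such checks over any passwd-format file; the sample data is constructed so it works offline, and the account name toor is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): account-hygiene checks over a
# passwd-format file. The sample below is constructed; "toor" is a made-up account.
set -eu

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
myapp:x:998:998::/var/lib/myapp:/usr/sbin/nologin
alok:x:1001:1001:Alok Kumar:/home/alok:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Human accounts: UID >= 1000, skipping the nobody placeholder.
normal_users() { awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }' "$1"; }

# Any UID 0 account other than root is a classic sign of tampering.
extra_root_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Two names sharing a UID own each other's files; prints uid:name1,name2.
duplicate_uids() {
  awk -F: '{ n[$3]++; u[$3] = (u[$3] == "" ? $1 : u[$3] "," $1) }
           END { for (i in n) if (n[i] > 1) print i ":" u[i] }' "$1"
}

# System accounts (UID < 1000, root aside) should not have an interactive shell.
service_with_shell() {
  awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

report() {  # report PASSWD_FILE
  echo "== normal users";                  normal_users "$1"
  echo "== extra UID 0 accounts";          extra_root_accounts "$1"
  echo "== duplicate UIDs";                duplicate_uids "$1"
  echo "== service accounts with a shell"; service_with_shell "$1"
}

report "${1:-$SAMPLE_PASSWD}"   # pass /etc/passwd as the argument to audit the live system
```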

Summary

User and group management is central to Linux security. Use useradd/adduser to create accounts, usermod to adjust them, and visudo to grant sudo access carefully. Audit login history and lock accounts that are not in use — least privilege is the guiding principle.

Frequently Asked Questions

  • What is the difference between adduser and useradd?
    useradd is a low-level binary available on all Linux distributions. It creates the user entry but does minimal setup by default — no home directory, no password, no shell — unless you specify options. adduser is a higher-level Debian/Ubuntu script that wraps useradd with sensible defaults: it creates the home directory, sets up skeleton files from /etc/skel, prompts for a password, and asks for identifying information. Use adduser on Debian/Ubuntu for interactive user creation; use useradd in scripts on any distribution when you need precise control over every option.
  • How do I add a user to the sudo group?
    On Debian/Ubuntu, add the user to the sudo group: sudo usermod -aG sudo username. The -aG means "append to group" — without -a, the user is removed from all other supplementary groups. The user needs to log out and back in (or run newgrp sudo) for the change to take effect. On RHEL/Rocky/Fedora, the equivalent group is wheel: sudo usermod -aG wheel username. Confirm it worked: groups username or id username.
  • How do I lock or disable a user account?
    Lock the account with sudo passwd -l username — this prepends a ! to the password hash in /etc/shadow, making password-based login impossible. The account still exists and running processes under that user are not affected. To also prevent SSH key-based login (which bypasses the password), set the shell to a non-login shell: sudo usermod -s /sbin/nologin username. To fully re-enable the account, unlock it with sudo passwd -u username and restore the original shell with sudo usermod -s /bin/bash username.
  • How do I see which groups a user belongs to?
    Run groups username to list all groups. For more detail including GIDs, run id username. The first group listed by id is the primary group (used as the group owner for new files). Additional groups are supplementary and grant extra permissions. Changes made with usermod -aG do not take effect for the current session — the user must log out and back in, or run newgrp groupname to switch to the new group in the current shell.
  • What is the difference between /etc/passwd and /etc/shadow?
    /etc/passwd is world-readable and stores basic account information: username, UID, GID, home directory, and shell. In historical Unix systems it also stored the password hash, but this was a security risk since any user could read it. Modern systems store the actual password hash in /etc/shadow, which is readable only by root. The x in the password field of /etc/passwd indicates the password is in shadow. /etc/shadow also stores password aging information: expiry date, last change date, and minimum/maximum days between changes.