Managing users and groups is a fundamental sysadmin task. Whether you are onboarding a new developer, locking down a compromised account, or setting up shared access to a directory, you need to know how Linux handles identity. This guide covers everything from creating users to configuring sudo access.
How Linux Tracks Users
Linux stores user information in two key files:
/etc/passwd — username, UID, GID, home directory, shell (readable by all)
/etc/shadow — hashed passwords and expiry info (root-only)
grep '^alok:' /etc/passwd # Anchor the match to the username field
# alok:x:1001:1001:Alok Kumar:/home/alok:/bin/bash
getent passwd alok # Query user database (works with LDAP too)
Each field in /etc/passwd is colon-delimited: username : password placeholder : UID : GID : GECOS : home : shell.
Creating Users
# adduser (interactive, Debian/Ubuntu)
sudo adduser alok
# useradd (low-level, works everywhere — better for scripts)
sudo useradd -m -s /bin/bash -c "Alok Kumar" alok
sudo passwd alok # Set password separately
Key useradd flags:
-m — create home directory
-s /bin/bash — set login shell
-c "Full Name" — GECOS comment field
-u 1500 — specify UID manually
-g developers — set primary group
-G wheel,docker — add to supplementary groups
Creating a System (Service) User
sudo useradd -r -s /usr/sbin/nologin -d /var/lib/myapp myapp
# -r: system account (UID below 1000)
# -s nologin: cannot log in interactively
# -d: home directory for the service
Modifying Users
sudo usermod -s /bin/zsh alok # Change shell
sudo usermod -aG docker alok # Add to group (append, do not replace)
sudo usermod -L alok # Lock password (SSH key logins still work; also set -e 1 to disable the account)
sudo usermod -U alok # Unlock password
sudo usermod -e 2026-12-31 alok # Set account expiry date
sudo usermod -d /home/newhome -m alok # Move home directory
Warning: usermod -G group alok without -a replaces all supplementary groups. Always use -aG to append.
Deleting Users
sudo userdel alok # Delete user, keep home directory
sudo userdel -r alok # Delete user AND home directory and mail spool
Password Management
sudo passwd alok # Set or change password
sudo passwd -l alok # Lock password (prepends ! in /etc/shadow)
sudo passwd -u alok # Unlock password
sudo passwd -e alok # Expire password (force change on next login)
sudo chage -l alok # View password aging info
sudo chage -M 90 alok # Max 90 days before password must change
sudo chage -W 7 alok # Warn 7 days before expiry
Managing Groups
cat /etc/group # View all groups
groups alok # Groups alok belongs to
id alok # UID, GID, and all groups
sudo groupadd developers # Create group
sudo groupdel developers # Delete group
sudo gpasswd -a alok developers # Add user to group
sudo gpasswd -d alok developers # Remove user from group
Shared Group Directory
sudo mkdir /opt/project
sudo chown root:developers /opt/project
sudo chmod 2775 /opt/project # SGID so new files inherit group
Configuring sudo Access
Never edit /etc/sudoers directly — use visudo, which validates syntax before saving:
sudo visudo
Common sudoers patterns:
# Give alok full sudo access
alok ALL=(ALL:ALL) ALL
# Allow without password prompt
alok ALL=(ALL) NOPASSWD: ALL
# Allow only specific commands
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx, /usr/bin/git pull
Adding a User to the sudo Group (Debian/Ubuntu)
sudo usermod -aG sudo alok
# On RHEL/Rocky/Fedora, use the "wheel" group:
sudo usermod -aG wheel alok
Switching Users
su - alok # Switch to alok with their environment
su - # Switch to root
sudo -i # Open root shell via sudo
sudo -u alok command # Run command as alok
Auditing Users
who # Currently logged-in users
w # Who is logged in and their activity
last | head -20 # Recent login history
sudo lastb | head -10 # Failed login attempts (reads /var/log/btmp, root-only)
awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd # List normal (non-system) users, skipping "nobody"
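The /etc/passwd field layout and the audit commands above can be combined into a single check. This is an added example, not part of the original guide: the function names, the finding labels and the sample accounts are constructed for illustration, and the UID 1-999 service range follows the guide's "below 1000" convention.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for risky entries.
# Fields: username:password:UID:GID:GECOS:home:shell

# Constructed sample data (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
myapp:x:998:998::/var/lib/myapp:/usr/sbin/nologin
backupsvc:x:997:997::/var/lib/backupsvc:/bin/bash
alok:x:1001:1001:Alok Kumar:/home/alok:/bin/bash
toor:x:0:0::/root:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
alok2:x:1001:1001::/home/alok2:/bin/bash
EOF
}

# audit_passwd FILE  (FILE defaults to /etc/passwd; "-" reads stdin)
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }          # skip blanks and comments
        NF != 7 { print "MALFORMED line " NR; next }
        {
            user = $1; pw = $2; uid = $3; shell = $7
            # Any name other than root with UID 0 is a second root account
            if (uid == 0 && user != "root") print "UID0 " user
            # Empty password field: login needs no password at all
            if (pw == "") print "EMPTYPW " user
            # Two names sharing a UID are one identity to the kernel
            if (uid in seen) print "DUPUID " user " " seen[uid]
            else seen[uid] = user
            # Service accounts (UID 1-999) should use nologin or false;
            # an empty shell field falls back to /bin/sh, so it is flagged
            if (uid > 0 && uid < 1000 && shell !~ /(nologin|false)$/)
                print "SYSSHELL " user " " shell
        }
    ' "${1:-/etc/passwd}"
}

# Demo on the constructed sample; call "audit_passwd" alone for the live file
sample_passwd | audit_passwd -
```

On a real system, distribution-supplied accounts such as sync or shutdown may appear under SYSSHELL because their shell field holds a fixed command; treat each finding as a prompt for review.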
Summary
User and group management is central to Linux security. Use useradd/adduser to create accounts, usermod to adjust them, and visudo to grant sudo access carefully. Audit login history and lock accounts that are not in use — least privilege is the guiding principle.