User management from the command line

This is a short article about the most common practices in user and group management from the command line. The information is specific to Fedora Core and Red Hat based distros, but would do for any distribution probably with slight differences in the command options.

Although Fedora comes with an excellent graphical tool to manage your users (system-config-users), there are times, for example when administering a server through SSH, that user management has to be done from command line.

All operations can be done using the following commands:
id, useradd, usermod, userdel, groupadd, groupdel, groupmod, passwd

These exist in every Linux distribution with slight differences in each command’s supported options. The following info applies to Fedora Core and other Red Had based distros.

User info

The id command prints information for a certain user. Use it like this:

# id username

Create a user

To create a new user:

# useradd -c "My Example User" username
# passwd username

The created user is initially in an inactive state. To activate the user you have to assign a password with passwd. Some useful useradd options include the following:
-c : sets a comment for the user.
-s : is used in order to define the user’s default login shell. If not used, then the system’s default shell becomes the user’s default login shell.
-r : creates a user with UID<500 (system account)
-d : sets the user’s home directory. If not used, the default home directory is created (/home/username/)
-M : the home directory is not created. This is useful when the directory already exists.

To create a user that does not have the ability to login to a shell, issue the following commands:

# useradd -c "This user cannot login to a shell" -s /sbin/nologin username
# passwd username

Change the user’s password

To change a user’s password:

# passwd username

If it’s used without specifying a username, then the currently logged in user’s password is changed.

Add a user to a group

Usermod is used to modify a user account’s settings. Check the man page for all the available options. One useful use of this command is to add a user to a group:

# usermod -a -G group1 username

The -a option is critical. The user is added to group1 while he continues to be a member of other groups. If it’s not used, then the user is added only to group1 and removed from any other groups. So, take note!

Remove a user from a group

Removing a user from a group is a bit trickier. Unfortunately, there is no direct command, at least not in Fedora or RHEL, that can do that from command line. At first you need to get a list of groups that your user is a member of:

# id -nG username
group1 group2 group3 ....

Then you need to put all these groups as a comma-separated list to the usermod -G option, except for the group from which you want the user to be removed. So, to remove the user from group2, issue the command:

# usermod -G group1,group3,... username

Lock and Unlock user accounts

Other common usermod uses are to lock and unlock user accounts. To lock out a user:

# usermod -L username

To unlock the user:

# usermod -U username

Delete a user

Userdel is used to delete a user account. If the -r option is used then the user’s home directory and mail spool are deleted too:

# userdel -r username

Create a new group

To create a new group, issue the command:

# groupadd groupname

The -r option can be used to create a group with GID<500 (system).

Change a group’s name

Groupmod can be used to change a group name:

# groupmod -n newgroupname groupname

Delete a group

Groupdel can delete a group:

# groupdel groupname

In order to delete a user’s primary group (usually this is the group with name equal to the username) the respective user must be deleted previously.

You can find more info in the man pages, but these will do in most cases.

User management from the command line by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2005 - Some Rights Reserved

14 responses on “User management from the command line”

Broeisi January 1, 2006 at 17:40Permalink →

usermod doesn’t have an -a option in linux.
When Issue usermod -a -G group1 user you get an error:

kitana ~ # usermod -a -G floppy broeisi
usermod: invalid option — a
Usage: usermod [-u uid [-o]] [-g group] [-G group,…]
[-d home [-m]] [-s shell] [-c comment] [-l new_name]
[-f inactive] [-e expire] [-p passwd] [-L|-U] name

Take note of that.

George Notaras Post authorJanuary 2, 2006 at 03:07Permalink →

Hi, what distribution do you use? As I have written in this small tutorial:

These exist in every Linux distribution with slight differences in each command’s supported options. The following info applies to Fedora Core and other Red Had based distros.

Maybe the -a option is Red Hat specific.
Differences do exists between distributions. For example, usermod in SUSE Linux has an option to remove a user from a certain group. Contrariwise, the direct removal of a user from a group is not possible in Red Hat based distros. Debian has its own tricks, but I am not too experienced with it.
Probably there are more differences than the ones you or I have mentioned.

Broeisi January 7, 2006 at 22:35Permalink →

I use Gentoo…

didn’t know that there were differences between the distros.
Typically Linux distro….. pffttt…

But I guess that gpasswd has the same option on all distros..but maybe I’m wrong here too.

Paul November 3, 2006 at 15:33Permalink →

I get the same no -a option error when attempting this on Fedora Core 3 distro.

Any ideas what I should do instead?

Regards,

Paul

Paul November 3, 2006 at 15:36Permalink →

answered my own question.
omitting the -a just meant that the user was added to the new group. It didn’t delete me from my home group.

so doing usermod -G psb svn

left me as a member of psb and svn groups. Not just psb as previously.

George Notaras Post authorNovember 4, 2006 at 06:54Permalink →

This is very interesting. I don’t have a Fedora 3 installation handy, but I will try to investigate the “-a” switch issue and modify this document accordingly.
Thanks for your feedback.

Sarkis Karagozian November 27, 2006 at 05:56Permalink →

As a beginner to Linux, I learned a lot from these commands, comments.
One comment I have:
Before adding a user to a group, we need to add/create a the group [group1]
in the example. i.e:

# groupadd group1 (then add username to group)
# usermod -G group1 username

Thanks

George Notaras Post authorNovember 27, 2006 at 11:10Permalink →

Exactly. First we create the group and then we add the user to it.

But, take a note that on a Red Hat/Fedora system, there is the -a switch which is actually required to be used in such an occasion. If -a is not included in usermod (like it happens in your usermod command), then the user will be removed from all groups and it will be added to the group1 group only. This is how it works on these systems. So, it should be:

# groupadd group1
# usermod -a -G group1 username

From the usermod man page on fedora 6 about the -G switch:

If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via -a option, which appends user to the current supplementary group list.

Please refer to your distribution’s usermod man page, so to know exactly if a -a switch is supported or if there is another switch that should be used when adding a user to a group.

Zarquan January 2, 2007 at 21:38Permalink →

If your user accounts are in a LDAP server, you can’t use usermod to add them to a local group.

[root@localhost ~]# usermod -a -G localgroup Frog
usermod: Frog not found in /etc/passwd

Hand editing the /etc/group file and adding the username seems to work.

vijay February 20, 2007 at 06:09Permalink →

Hi,
what is the command to list all the users in system.

George Notaras Post authorFebruary 20, 2007 at 08:00Permalink →

Hi, actually you should decide which users you would like to list. System accounts or normal users? Users with a home directory or with the ability to use a shell or just print all of them? There is no such command. The users are kept in the /etc/passwd file.

Also, in order to list all the currently logged-in users you issue any of the following commands:

users

or (this displays more info):

I hope these help.

chenna October 12, 2011 at 22:05Permalink →

how to lock entire group users using a single line command

George Notaras Post authorOctober 18, 2011 at 15:35Permalink →

Unfortunately it’s not possible to lock all the members of a group. As a workaround, I’d suggest looping through the group members and calling the usermod -L ... for each user.

Nikesh February 4, 2013 at 01:49Permalink →

to remove a user from a particular group .. you can use gpasswd command
look for man gpasswd

Broeisi January 1, 2006 at 17:40Permalink →

usermod doesn’t have an -a option in linux.
When Issue usermod -a -G group1 user you get an error:

kitana ~ # usermod -a -G floppy broeisi
usermod: invalid option — a
Usage: usermod [-u uid [-o]] [-g group] [-G group,…]
[-d home [-m]] [-s shell] [-c comment] [-l new_name]
[-f inactive] [-e expire] [-p passwd] [-L|-U] name

Take note of that.
George Notaras Post authorJanuary 2, 2006 at 03:07Permalink →

Hi, what distribution do you use? As I have written in this small tutorial:

These exist in every Linux distribution with slight differences in each command’s supported options. The following info applies to Fedora Core and other Red Had based distros.

Maybe the -a option is Red Hat specific.
Differences do exists between distributions. For example, usermod in SUSE Linux has an option to remove a user from a certain group. Contrariwise, the direct removal of a user from a group is not possible in Red Hat based distros. Debian has its own tricks, but I am not too experienced with it.
Probably there are more differences than the ones you or I have mentioned.
Broeisi January 7, 2006 at 22:35Permalink →

I use Gentoo…

didn’t know that there were differences between the distros.
Typically Linux distro….. pffttt…

But I guess that gpasswd has the same option on all distros..but maybe I’m wrong here too.
Paul November 3, 2006 at 15:33Permalink →

I get the same no -a option error when attempting this on Fedora Core 3 distro.

Any ideas what I should do instead?

Regards,

Paul
Paul November 3, 2006 at 15:36Permalink →

answered my own question.
omitting the -a just meant that the user was added to the new group. It didn’t delete me from my home group.

so doing usermod -G psb svn

left me as a member of psb and svn groups. Not just psb as previously.
George Notaras Post authorNovember 4, 2006 at 06:54Permalink →

This is very interesting. I don’t have a Fedora 3 installation handy, but I will try to investigate the “-a” switch issue and modify this document accordingly.
Thanks for your feedback.
Sarkis Karagozian November 27, 2006 at 05:56Permalink →

As a beginner to Linux, I learned a lot from these commands, comments.
One comment I have:
Before adding a user to a group, we need to add/create a the group [group1]
in the example. i.e:

# groupadd group1 (then add username to group)
# usermod -G group1 username

Thanks
George Notaras Post authorNovember 27, 2006 at 11:10Permalink →
Exactly. First we create the group and then we add the user to it.

But, take a note that on a Red Hat/Fedora system, there is the -a switch which is actually required to be used in such an occasion. If -a is not included in usermod (like it happens in your usermod command), then the user will be removed from all groups and it will be added to the group1 group only. This is how it works on these systems. So, it should be:
```
# groupadd group1
# usermod -a -G group1 username
```
From the usermod man page on fedora 6 about the -G switch:

If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via -a option, which appends user to the current supplementary group list.

Please refer to your distribution’s usermod man page, so to know exactly if a -a switch is supported or if there is another switch that should be used when adding a user to a group.
Zarquan January 2, 2007 at 21:38Permalink →

If your user accounts are in a LDAP server, you can’t use usermod to add them to a local group.

[root@localhost ~]# usermod -a -G localgroup Frog
usermod: Frog not found in /etc/passwd

Hand editing the /etc/group file and adding the username seems to work.
vijay February 20, 2007 at 06:09Permalink →

Hi,
what is the command to list all the users in system.
George Notaras Post authorFebruary 20, 2007 at 08:00Permalink →
Hi, actually you should decide which users you would like to list. System accounts or normal users? Users with a home directory or with the ability to use a shell or just print all of them? There is no such command. The users are kept in the /etc/passwd file.

Also, in order to list all the currently logged-in users you issue any of the following commands:
```
users
```
or (this displays more info):
```
w
```
I hope these help.
chenna October 12, 2011 at 22:05Permalink →

how to lock entire group users using a single line command
1. George Notaras Post authorOctober 18, 2011 at 15:35Permalink →
  
  Unfortunately it’s not possible to lock all the members of a group. As a workaround, I’d suggest looping through the group members and calling the usermod -L ... for each user.
Nikesh February 4, 2013 at 01:49Permalink →

to remove a user from a particular group .. you can use gpasswd command
look for man gpasswd