Managing users and groups is a fundamental aspect of Linux system administration.
By the end of this post, we will know how to:
- Create user accounts.
- Create and manage groups.
- Assign users to primary and supplementary groups.
- Lock and verify user accounts.
- Unlock user accounts.
- List all users.
Understanding Key Concepts
Primary Group
The primary group is the default group assigned to a user when they create files or directories.
Every user must belong to exactly one primary group.
By default, when creating a user, the system creates a group with the same name as the username and assigns it as the primary group.
Supplementary Groups
Supplementary groups are additional groups a user belongs to, granting extra permissions beyond their primary group.
A user can belong to multiple supplementary groups.
Supplementary group memberships are stored in /etc/group.
Example Scenario:
Imagine a company where employees belong to different departments. When a new software developer joins, they are assigned to the Developers group as their primary group. However, they also need access to project documentation, so they are added to the Docs group as a supplementary group.
1. Adding Users to the System
Objective: Create user accounts for employees of Meowhoo Labs.
Command:
sudo useradd <username>
sudo useradd user1
sudo useradd user2
sudo useradd user3
sudo useradd user4
o/p:
(no output — users created successfully)
Explanation:
- The useradd command creates a new user.
- By default, a home directory is assigned unless specified otherwise.
- The primary group is the same as the username by default.
Verification:
Command:
id user1
o/p:
uid=1001(user1) gid=1001(user1) groups=1001(user1)
The output shows that user1 has:
- UID 1001 (User ID) and GID 1001 (Group ID), meaning they belong to a primary group named user1.
- No supplementary groups, so they only have access to resources assigned to their primary group.
2. Creating the meow-land Group
Objective: Create a group for administrative users.
Command:
sudo groupadd meow-land
o/p:
(no output — group created)
Explanation:
- The groupadd command creates a new group.
- Groups allow multiple users to share permissions efficiently.
Verification:
Command:
getent group meow-land
o/p:
meow-land:x:1005:
This output shows that the group meow-land exists with:
- GID 1005 (Group ID).
- No users listed, meaning no one is currently a member of this group.
3. Assigning a Primary Group to a User
Objective: Set meow-land as the primary group for user1.
Command:
sudo usermod -g meow-land user1
o/p:
(no output — primary group changed for user1)
Explanation:
- The usermod command modifies user settings.
- The -g option changes the primary group.
Verification
Command:
id user1
o/p:
uid=1001(user1) gid=1005(meow-land) groups=1005(meow-land)
This output shows that:
- user1 has UID 1001 (User ID).
- Primary group is now meow-land with GID 1005.
- Belongs only to the meow-land group (no supplementary groups).
We can also verify the group of user1 by:
Command:
groups user1
o/p:
user1 : meow-land
4. Adding Users to a Supplementary Group
Objective: Add user2, user3, and user4 to meow-land as a supplementary group.
Command:
sudo usermod -aG meow-land user2
sudo usermod -aG meow-land user3
sudo usermod -aG meow-land user4
o/p:
(no output — usermod success)
Verification:
Command:
id user2
o/p:
uid=1002(user2) gid=1002(user2) groups=1002(user2),1005(meow-land)
The output shows the user user2 and their group memberships:
- uid=1002(user2) → user2 has a user ID (UID) of 1002.
- gid=1002(user2) → user2's primary group is 1002(user2).
- groups=1002(user2),1005(meow-land) → user2 is also a supplementary member of the meow-land group (GID 1005).
We can also verify the group of user2 by:
Command:
groups user2
o/p:
user2 : user2 meow-land
We can also check the members of the group meow-land by:
Command
getent group meow-land
o/p
meow-land:x:1005:user2,user3,user4
This output shows that:
- Group name: meow-land
- GID (Group ID): 1005
- Members: user2, user3, user4 (they are part of this supplementary group)
Note: user1 is not listed as a member of meow-land because user1's primary group is set to meow-land (GID 1005), rather than being added as a supplementary group member.
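The note above matters when auditing who holds a group: getent group alone misses primary members. The following is an added example, not part of the original post; it combines passwd field 4 (primary GID) with the member list in the group entry. The function name effective_members and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data mirroring the state reached in this walkthrough.
PASSWD_SAMPLE='user1:x:1001:1005::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
user3:x:1003:1003::/home/user3:/bin/bash
user4:x:1004:1004::/home/user4:/bin/bash'
GROUP_SAMPLE='user2:x:1002:
meow-land:x:1005:user2,user3,user4'

# effective_members GROUP PASSWD_TEXT GROUP_TEXT  (hypothetical helper)
# Prints "user:primary" or "user:supplementary" for every account that
# holds GROUP. Primary membership comes from the GID in passwd field 4,
# supplementary membership from the comma list in the group entry.
effective_members() {
    printf '%s\n---\n%s\n' "$3" "$2" | awk -F: -v grp="$1" '
        $0 == "---" { in_passwd = 1; next }   # group text ends, passwd begins
        !in_passwd {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") how[m[i]] = "supplementary"
            }
            next
        }
        # passwd section: field 4 is the primary GID; primary wins if both apply
        gid != "" && $4 == gid { how[$1] = "primary" }
        END { for (u in how) print u ":" how[u] }
    ' | LC_ALL=C sort
}

effective_members meow-land "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

On a live system the same function can be fed real data with effective_members meow-land "$(getent passwd)" "$(getent group)".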
5. Locking a User Account
Objective: Suppose user4 is on a long vacation and we need to temporarily disable the user account of user4 so that he cannot log in to the system.
Command:
sudo usermod -L user4
o/p
(no output — account locked successfully)
Explanation:
- The -L option locks an account, preventing password-based login.
- The user's data remains intact.
Verification:
Command
passwd -S user4
o/p
user4 L 09/05/2026 0 99999 7 -1
Explanation:
The output of passwd -S user4 provides the status of the user account user4:
- L → The account is locked, meaning the user cannot log in.
- 09/05/2026 → Last password change date.
- 0 → Minimum days before the password can be changed (0 means no restriction).
- 99999 → Maximum days before the password expires (99999 means never expires).
- 7 → Warning period (days before expiration to notify the user).
- -1 → Password inactivity period (-1 means no automatic account deactivation).
6. Unlocking a User Account
Objective: After user4's vacation, we need to unlock his account so that he can log in to the system again.
Command:
sudo usermod -U user4
o/p:
usermod: unlocking the user's password would result in a passwordless account.
You should set a password with usermod -p to unlock this user's password.
Oops! Seems like we have encountered an error. This error occurs because the user account user4 does not have a password set, and unlocking it with usermod -U would leave the account passwordless (a security risk). To resolve this, you need to set a password for the user first.
Set a password first:
sudo passwd user4
Then unlock the account:
sudo usermod -U user4
o/p:
(no output — account unlocked successfully)
Verification:
Command
passwd -S user4
o/p:
user4 P 09/05/2026 0 99999 7 -1
Explanation:
The output of passwd -S user4 provides the status of the user account user4:
- P → The account has a usable password (unlocked).
- 09/05/2026 → Last password change date.
- 0 → Minimum days before the password can be changed (0 means no restriction).
- 99999 → Maximum days before the password expires (99999 means never expires).
- 7 → Warning period (days before expiration to notify the user).
- -1 → Password inactivity period (-1 means no automatic account deactivation).
This means user4's account is now active with a password set.
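Sections 5 and 6 both come down to the password field in /etc/shadow: usermod -L prefixes it with "!", and usermod -U refuses when removing that "!" would leave it empty. The following added example (not from the original post) classifies constructed shadow-style lines with the L/NP/P letters that passwd -S prints and flags both conditions. It assumes the shadow-utils convention that a leading "!" or "*" marks a locked password field; user5 to user7, the placeholder hashes and the name shadow_audit are hypothetical.

```shell
#!/bin/sh
# Constructed shadow-style lines:
#   name:password:lastchg:min:max:warn:inactive:expire:reserved
# The password values are placeholders, not real hashes.
SHADOW_SAMPLE='user3:$y$PLACEHOLDER:20000:0:99999:7:::
user4:!:20000:0:99999:7:::
user5:!$y$PLACEHOLDER:20000:0:99999:7:::
user6:!$y$PLACEHOLDER:20000:0:99999:7::1:
user7::20000:0:99999:7:::'

# shadow_audit SHADOW_TEXT  (hypothetical helper)
# Prints "name status notes" per account.
#   status: L = locked password, NP = no password, P = usable password
#   notes:  unlock-would-be-passwordless -> only "!" is stored, so usermod -U
#                                           refuses until a password is set
#           password-lock-only           -> expire field (8) is empty; the
#                                           usermod manual says to also set
#                                           the expire date to 1 to lock the
#                                           account, not just its password
shadow_audit() {
    printf '%s\n' "$1" | awk -F: '{
        pw = $2; status = "P"; note = ""
        if (pw == "") {
            status = "NP"
        } else if (pw ~ /^[!*]/) {
            status = "L"
            rest = pw; sub(/^!/, "", rest)      # what usermod -U would leave
            if (rest == "") note = "unlock-would-be-passwordless"
            if ($8 == "") note = note (note == "" ? "" : ",") "password-lock-only"
        }
        print $1, status, (note == "" ? "-" : note)
    }'
}

shadow_audit "$SHADOW_SAMPLE"
```

The user4 line reproduces the state in which the first unlock attempt failed: the account was created without a password, so the stored field is only "!".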
7. List All Users
To see all users present in a Linux system, we can check the /etc/passwd file, which contains user account information.
Command
cat /etc/passwd
o/p:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
user1:x:1001:1005::/home/user1:/bin/bash # GID 1005 = meow-land
user2:x:1002:1002::/home/user2:/bin/bash
user3:x:1003:1003::/home/user3:/bin/bash
user4:x:1004:1004::/home/user4:/bin/bash
We can see all the users are listed, including system-created users like root, daemon, and bin.
Conclusion
Mastering user and group management is key to Linux system administration. With these commands, we can securely create, modify, lock, and manage user access with confidence.