User and Group Administration
User and group management essentials
0. Specs
0.1. The What
This tutorial covers basic user and group administration on Debian 13/12 and Ubuntu 24.04/22.04 Servers.
The commands and concepts also work on Debian, Ubuntu, and their derivatives’ desktop environments (Ubuntu, Kubuntu, Xubuntu, Lubuntu, MX Linux, Mint, etc.).
0.2. Sources
1. User Add and Delete
Add two new users (jdoe and jdoe2) with home directories and bash as their default shell:
sudo useradd -m -s /bin/bash jdoe
sudo useradd -m -s /bin/bash jdoe2
Verify that the users were created successfully:
id jdoe
grep jdoe /etc/passwd
Change a user’s password interactively:
sudo passwd jdoe
Change a user’s password non-interactively (useful for scripts):
echo "jdoe:SecurePass123" | sudo chpasswd
Delete a user and their home directory:
sudo userdel -r jdoe
2. User Information Files
/etc/passwd file:
This file contains user account information. Each line represents one user with fields separated by colons.
exforge:x:1000:1000:Exforge,,,:/home/exforge:/bin/bash
Format: username:password:UID:GID:GECOS:home_directory:shell
- Username: User login name
- Password: x indicates the password is stored in /etc/shadow
- UID: User ID number
- GID: Primary group ID number
- GECOS: Comment field (typically full name and contact information)
- Home directory: User’s home directory path
- Shell: User’s default shell
/etc/shadow file:
This secure file contains hashed passwords and password aging information.
exforge:$6$z09H4l.6$h....A/tDL0:18221:0:99999:7:::
Format: username:password:last_change:min_age:max_age:warn:inactive:expire
- Username: User login name
- Password: Encrypted password hash
- last_change: Days since Jan 1, 1970 that password was last changed
- min_age: Minimum days required between password changes
- max_age: Maximum days password is valid
- warn: Days before password expires that user is warned
- inactive: Days after password expires until account is disabled
- expire: Date when account will be disabled
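The field layouts above are enough to audit accounts by position. The following is an added example, not part of the original tutorial: it reads passwd- and shadow-format files and reports extra UID 0 accounts, empty or locked password fields, legacy hash schemes, forced password changes and missing expiry. The function names, finding labels and all sample accounts and hashes are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit passwd- and shadow-format files by field position.
# Every account and hash below is constructed sample data.

# audit_accounts PASSWD_FILE SHADOW_FILE -> one "finding:user" line per issue
audit_accounts() {
  # passwd: field 2 is the password placeholder, field 3 the UID.
  awk -F: '
    $3 == 0 && $1 != "root" { print "uid0:" $1 }          # second superuser
    $2 == ""                { print "passwd-empty:" $1 }  # no password required
  ' "$1"
  # shadow: field 2 hash, field 3 last_change, field 5 max_age.
  awk -F: '
    $2 == ""                     { print "shadow-empty:" $1; next }
    $2 ~ /^[!*]/                 { print "locked:" $1; next }
    $2 ~ /^\$1\$/ || $2 !~ /^\$/ { print "weak-hash:" $1 }   # MD5 or DES crypt
    $3 == "0"                    { print "must-change:" $1 } # change at next login
    $5 == "" || $5 >= 99999      { print "no-expiry:" $1 }
  ' "$2"
}

# write_samples DIR: create constructed passwd and shadow files in DIR
write_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
exforge:x:1000:1000:Exforge,,,:/home/exforge:/bin/bash
backup2:x:0:1001::/home/backup2:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
EOF
  cat > "$1/shadow" <<'EOF'
root:!:19000:0:99999:7:::
exforge:$6$CONSTRUCTED$SAMPLEHASH:18221:0:99999:7:::
backup2:$1$CONSTRUCTED$SAMPLEHASH:19500:0:90:7:::
guest::19500:0:90:7:::
user1:$y$j9T$CONSTRUCTED$SAMPLEHASH:0:0:90:7:::
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a live system the same function can be run as root against /etc/passwd and /etc/shadow.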
/etc/skel directory:
The contents of this directory are copied to new users’ home directories when their accounts are created. You can place default configuration files (like .bashrc, .profile) here.
3. Root user
The root account is locked by default in Ubuntu and optionally locked in Debian during installation.
To set a password for root (which unlocks the account):
sudo passwd
To switch to the root account temporarily without unlocking it (uses your sudo privileges):
sudo -i
To switch to another user (requires the target user’s password):
su - username
To switch to another user using sudo privileges (doesn’t require the target user’s password):
sudo su - username
4. Batch User Creation
Create a text file for user data:
touch users.txt
Set secure permissions on the file:
chmod 600 users.txt
Add user information to the file:
sudo nano users.txt
Use the following format: username:password:UID:GID:full_name:home_directory:shell
user1:password:::User1:/home/user1:/bin/bash
user2:password:::User2:/home/user2:/bin/bash
user3:password:::User3:/home/user3:/bin/bash
Process the file to create the users:
sudo newusers users.txt
Verify the users were created:
grep -E 'user1|user2|user3' /etc/passwd
Security Note: It’s good practice to change the users’ passwords after batch creation, as the plaintext passwords in the file may be a security risk:
sudo passwd user1
5. Group Management
View your current group memberships:
groups
Or view all groups on the system:
cat /etc/group
The /etc/group file format is similar to /etc/passwd: group_name:password:GID:user_list
Create new groups:
sudo groupadd admins
sudo groupadd admins2
Delete a group:
sudo groupdel admins2
List members of a specific group:
getent group admins
Add a user to a group as a secondary group membership:
sudo usermod -aG admins jdoe
sudo usermod -a -G admins user1
Change a user’s primary group:
sudo usermod -g admins jdoe
Remove a user from a group:
sudo gpasswd -d user1 admins
6. User Account Modifications
Change a user’s home directory and move the contents:
sudo usermod -d /home/jsmith -m jdoe
Change a username:
sudo usermod -l jsmith jdoe
Lock a user account (prevents password-based login):
sudo passwd -l user1
Unlock a user account:
sudo passwd -u user1
View password expiration information:
sudo chage -l user1
7. sudo Group
Members of the sudo group can use the sudo command to execute commands with elevated privileges.
Configure sudo privileges:
sudo visudo
This command safely edits the sudo configuration file (/etc/sudoers) in the default editor.
Example sudoers configurations with explanations:
Allow all members of the sudo group to run any command as any user:
%sudo ALL=(ALL:ALL) ALL
# %sudo - All members of the 'sudo' group
# ALL - From any terminal/host
# (ALL:ALL) - Can run commands as ANY user and ANY group
# ALL - Can run ANY command
Specific user restriction - user charlie can only run apt as user dscully and group admins on host ubuntu-server:
charlie ubuntu-server=(dscully:admins) /usr/bin/apt
# charlie - Username
# ubuntu-server - Only on this specific host
# (dscully:admins) - Can run commands as user dscully and group admins
# /usr/bin/apt - Only the apt command
Allow user ansible to run any command without a password prompt:
ansible ALL=(ALL) NOPASSWD: ALL
View your current sudo privileges:
sudo -l
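Rules like the ansible entry above are worth tracking, since they remove the password prompt for every command. The following is an added example, not part of the original tutorial: it scans sudoers-format files for single-line rules that grant NOPASSWD on ALL commands, ignoring commented-out and command-scoped rules. The function names and the deploy rule in the sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag sudoers rules that grant NOPASSWD on ALL commands.
# The file written by write_sample is constructed for this demonstration.

# broad_nopasswd FILE... -> "file:line:who" for each NOPASSWD: ALL rule
broad_nopasswd() {
  awk '
    { rule = $0; sub(/#.*/, "", rule) }   # strip comments before matching
    rule ~ /^[ \t]*$/ || rule ~ /^[ \t]*Defaults/ { next }
    # "=", an optional (runas) spec, the NOPASSWD tag, then ALL as a command
    rule ~ /=[ \t]*(\([^)]*\))?[ \t]*NOPASSWD:[ \t]*ALL[ \t]*(,|$)/ {
      sub(/^[ \t]+/, "", rule); split(rule, f, /[ \t]+/)
      print FILENAME ":" FNR ":" f[1]
    }
  ' "$@"
}

# write_sample FILE: constructed rules, including the three from this page
write_sample() {
  cat > "$1" <<'EOF'
%sudo   ALL=(ALL:ALL) ALL
charlie ubuntu-server=(dscully:admins) /usr/bin/apt
ansible ALL=(ALL) NOPASSWD: ALL
# deploy ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/sudoers"
broad_nopasswd "$tmp/sudoers"
rm -rf "$tmp"
```

Only the ansible rule on line 3 is reported. A file edited outside visudo can be syntax-checked with visudo -cf FILE before it is installed.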