Managing Users and Groups in Linux: A Complete Guide
Learn how to manage users and groups in Linux with clear, step-by-step instructions, commands, and best practices for beginners. Master user creation, permissions, groups, sudo, and common troubleshooting.
Managing users and groups is a core part of Linux system administration — it controls who can log in, access files, and run services. This guide walks you through the essentials with practical commands and examples so you can add, modify, and secure users and groups confidently.
Understanding users, groups, and system accounts
Linux uses user and group accounts to control access. Every user normally has a unique UID, exactly one primary group (the GID recorded in /etc/passwd) and any number of supplementary groups. System accounts (like daemon, www-data) are used by services rather than people; they usually have UIDs below the distribution's UID_MIN (1000 on most distributions, configured in /etc/login.defs) and a non-interactive shell such as /usr/sbin/nologin so they cannot be logged into.
Terminal examples:
# Show the current user's ID and groups
$ id
uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),1001(dev)
# Look up entries in passwd and group files
$ getent passwd alice
alice:x:1000:1000:Alice:/home/alice:/bin/bash
$ getent group sudo
sudo:x:27:alice,bob
Notes:
- /etc/passwd stores user metadata and is world-readable; /etc/shadow stores password hashes (not encrypted passwords) plus password-aging fields and is readable only by root; /etc/group lists groups and their supplementary members. Keep the permissions on /etc/shadow as shipped; a readable copy is an offline password-cracking target.
- Use getent to query NSS (Name Service Switch) aware systems (works with LDAP, NIS, etc.).
Creating and managing users
Create users with useradd (the low-level tool available on every distribution) or adduser (an interactive wrapper on Debian/Ubuntu that creates the home directory, copies /etc/skel and prompts for a password). Either way you can choose the home directory, login shell, UID and group memberships.
Examples:
# Create a user with a home directory (-m) and specify the shell
$ sudo useradd -m -s /bin/bash -c "Alice Smith" alice
# Set or change the user's password
$ sudo passwd alice
Enter new UNIX password:
Retype new UNIX password:
# Easier on Debian/Ubuntu:
$ sudo adduser bob
# adduser will prompt interactively for full name, password, etc.
Modifying and removing:
# Change a user's login name
$ sudo usermod -l alicia alice
# Add an existing user to a supplementary group
$ sudo usermod -aG docker,dev alice
# Delete a user and remove their home directory and mail spool
$ sudo userdel -r bob
Tips:
- Use -m to create the home directory and copy files from /etc/skel; on most distributions useradd does not create it otherwise (adduser does).
- Always use -a with usermod -G when modifying group membership; -G alone replaces the user's supplementary groups with exactly the list you pass.
- usermod -l changes only the login name; add -d /home/newname -m if the home directory should be renamed and moved as well.
- Group membership is read at login, so a user added to a group must log out and back in (or run newgrp) before the new group takes effect.
- Treat groups such as docker as root-equivalent: members can start containers that mount the host filesystem, so adding someone to docker grants about the same power as adding them to sudo.
Creating and managing groups
Use groupadd, groupmod and groupdel for group management. Group membership controls file access and some service permissions.
Examples:
# Create a new group
$ sudo groupadd dev
# Add a user to a group (alternative to usermod -aG)
$ sudo gpasswd -a alice dev
# Remove a user from a group
$ sudo gpasswd -d alice dev
# Change a group's GID
$ sudo groupmod -g 2000 dev
# Delete a group
$ sudo groupdel dev
Check membership:
# List groups for a user
$ groups alice
# Inspect /etc/group directly
$ getent group dev
dev:x:1001:alice,bob
Notes:
- Primary group is set in /etc/passwd (field 4); supplementary groups are listed in /etc/group (the comma-separated last field). A user's primary group does not need to list them in /etc/group.
- Use consistent UIDs and GIDs if you share files across machines (e.g., via NFS); the numeric ID, not the name, is what the filesystem stores.
- groupmod -g only changes the group database. Files already on disk keep the old numeric GID and must be re-owned afterwards (chgrp or find -gid), otherwise they end up belonging to an unnamed group.
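The following is an added example (not part of the original guide) that resolves a user's primary and supplementary groups from passwd- and group-format records, the same way id(1) and groups(1) do, to make the distinction in the notes above concrete. The passwd and group records are constructed for this example; on a real system you would feed it the output of getent passwd and getent group.

```shell
#!/usr/bin/env bash
# Added example: reproduce groups(1) from passwd and group data.
# The two sample databases below are constructed for this example.
set -eu

# Constructed passwd data (same 7-field format as /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Constructed group data (same 4-field format as /etc/group).
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
www-data:x:33:
alice:x:1000:
bob:x:1001:
dev:x:1002:alice'

# groups_of USER PASSWD_DATA GROUP_DATA
# Prints the primary group first, then supplementary groups, on one line
# (the same order groups(1) uses). Returns 1 if USER is not in PASSWD_DATA.
groups_of() {
  local user=$1 passwd=$2 group=$3
  local gid
  # Primary GID is field 4 of the user's passwd record.
  gid=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print $4; exit }')
  [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }
  printf '%s\n' "$group" | awk -F: -v u="$user" -v gid="$gid" '
    $3 == gid { primary = $1; next }        # the group whose GID matches the passwd entry
    {
      n = split($4, members, ",")           # field 4 is the comma-separated member list
      for (i = 1; i <= n; i++)
        if (members[i] == u) { supp = supp " " $1; break }
    }
    END { print primary supp }'
}

groups_of alice "$SAMPLE_PASSWD" "$SAMPLE_GROUP"     # alice sudo dev
groups_of www-data "$SAMPLE_PASSWD" "$SAMPLE_GROUP"  # www-data
```

Note that alice's own group "alice" is reported because of the GID in her passwd record, not because /etc/group lists her as a member; that is exactly why the primary group survives usermod -G while supplementary groups do not.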
File ownership, permissions, and ACLs
Users and groups determine who can read, write, or execute files. Understand owner/group bits, special bits, and when to use ACLs.
Basic examples:
# Change owner and group of a file
$ sudo chown alice:dev /var/www/html/index.html
# Set common permissions: user rwx, group rw, others r
$ chmod 764 /var/www/html/index.html
# Symbolic form
$ chmod u=rwx,g=rw,o=r /var/www/html/index.html
Checking and using ACLs:
# Show ACLs on a file
$ getfacl /var/www/html
# Give group 'dev' write access using an ACL (capital X: execute only on directories and files that are already executable)
$ sudo setfacl -m g:dev:rwX /var/www/html
# Note: this applies to existing entries only; set a default ACL with the -d option if new files and subdirectories should inherit it.
Special bits:
- Setuid (u+s) and setgid (g+s) on an executable make it run with the file owner's or group's privileges regardless of who invokes it (the kernel ignores these bits on scripts). Keep the set of such binaries small and audit it periodically; a writable or buggy setuid-root binary is a direct privilege-escalation path.
setgid on a directory (chmod g+s) makes new files inherit the directory's group, and new subdirectories inherit both the group and the setgid bit — useful for shared project dirs:
$ sudo mkdir /srv/project
$ sudo chown :dev /srv/project
$ sudo chmod 2775 /srv/project # g+s is the '2' in 2775
Automation and practical examples
Batch-creating users, enforcing password policies, and scripting repetitive tasks save time.
Batch add users from a text file (username:uid:full name), here as a short script:
#!/usr/bin/env bash
# users.txt example line: alice:1001:Alice Smith
set -eu
while IFS=: read -r name uid comment; do
  [ -n "$name" ] || continue                      # skip blank lines
  sudo useradd -m -u "$uid" -c "$comment" "$name"  # fails if the name or UID already exists, which is what we want
  sudo passwd -e "$name"                           # force password change on first login (set an initial password first, e.g. with chpasswd; useradd leaves the account locked)
done < users.txt
Create a new project directory with shared group access:
$ sudo groupadd projectx
$ sudo usermod -aG projectx alice
$ sudo mkdir /srv/projectx
$ sudo chown :projectx /srv/projectx
$ sudo chmod 2770 /srv/projectx # group can rwx, others none, new files inherit group
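The following is an added example (not taken from the original guide) that wraps the shared-directory procedure above and the setgid explanation in the special-bits section into functions, then verifies the two properties a shared directory depends on: files created inside inherit the directory's group, and they are group-writable only when the creator's umask permits it. The demo uses a temporary directory and the caller's own primary group so it runs without root; for a real project directory run setup_shared_dir as root with the project group.

```shell
#!/usr/bin/env bash
# Added example: set up a group-shared directory and check setgid inheritance
# and the effect of umask on group-writability. Requires GNU/BusyBox stat.
set -eu

# setup_shared_dir DIR GROUP -> DIR owned by GROUP with mode 2770 (rwxrws---)
setup_shared_dir() {
  local dir=$1 group=$2
  mkdir -p "$dir"
  chgrp "$group" "$dir"
  chmod 2770 "$dir"          # '2' sets the setgid bit: new entries take DIR's group
}

# dir_mode DIR -> octal mode including the special bits, e.g. 2770
dir_mode() { stat -c %a "$1"; }

# inherits_group DIR -> returns 0 if a file created in DIR gets DIR's group
inherits_group() {
  local f="$1/.probe.$$" ok=1
  : > "$f"
  [ "$(stat -c %g "$f")" = "$(stat -c %g "$1")" ] && ok=0
  rm -f "$f"
  return $ok
}

# file_mode_with_umask DIR UMASK -> octal mode of a file created in DIR under UMASK
file_mode_with_umask() {
  local f="$1/.probe.$$"
  (umask "$2"; : > "$f")     # umask applied in a subshell so the caller's umask is untouched
  stat -c %a "$f"
  rm -f "$f"
}

# Demo: temporary directory, caller's own primary group (no privileges needed).
demo_dir=$(mktemp -d)
setup_shared_dir "$demo_dir/projectx" "$(id -gn)"
echo "directory mode: $(dir_mode "$demo_dir/projectx")"                                # 2770
inherits_group "$demo_dir/projectx" && echo "new files inherit the directory's group"
echo "file mode with umask 002: $(file_mode_with_umask "$demo_dir/projectx" 002)"      # 664, group-writable
echo "file mode with umask 022: $(file_mode_with_umask "$demo_dir/projectx" 022)"      # 644, NOT group-writable
rm -rf "$demo_dir"
```

The last two lines show the pitfall that setgid alone does not fix: with the default umask of 022 a collaborator's new file belongs to the project group but is read-only for that group. Either set umask 002 for members of the project group or add a default ACL on the directory.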
Check user login history and currently logged users:
$ lastlog -u alice
$ who
Security and policy reminders:
- Use PAM to enforce password strength rules: pam_pwquality (libpwquality) on current distributions, pam_cracklib on older ones, or passwdqc.
- Enforce password aging with chage. Mandatory periodic rotation on its own is no longer recommended by NIST SP 800-63B; aging is a backstop, not a substitute for strong passwords, rate limiting and MFA.
$ sudo chage -M 90 -m 7 -W 14 alice # max 90 days, min 7, warn 14 days
$ sudo chage -l alice # review the current aging settings
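As an added example (not part of the original guide), here is a small audit over passwd- and shadow-format data that checks the conditions the reminders above and the account sections earlier are about: extra UID 0 accounts, duplicated UIDs, system accounts with a login shell, accounts with an empty password hash, and password-enabled accounts whose maximum age exceeds the policy. The records are constructed for this example and the UID_MIN of 1000 is an assumption; on a real host run it as root against /etc/passwd and /etc/shadow.

```shell
#!/usr/bin/env bash
# Added example: audit passwd/shadow records for common account weaknesses.
# Sample records are constructed; adjust the 1000 boundary to your UID_MIN.
set -eu

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
svc:x:999:999:service:/var/lib/svc:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$salt$hashhashhash:19700:0:99999:7:::
toor::19700:0:99999:7:::
alice:$6$salt$hashhashhash:19700:7:90:14:::
bob:$6$salt$hashhashhash:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::'

# audit_passwd DATA -> one "type:detail" finding per line, sorted (C locale)
audit_passwd() {
  printf '%s\n' "$1" | awk -F: '
    $3 == 0 && $1 != "root" { print "uid0:" $1 }                 # any extra root-equivalent account
    { seen[$3] = seen[$3] (seen[$3] ? "," : "") $1 }             # collect names per UID
    $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print "sysshell:" $1 }  # system account that can log in
    END { for (u in seen) if (seen[u] ~ /,/) print "dupuid:" u "=" seen[u] }
  ' | LC_ALL=C sort
}

# audit_shadow DATA MAXDAYS -> findings for empty hashes and missing/too-long aging
audit_shadow() {
  printf '%s\n' "$1" | awk -F: -v maxdays="$2" '
    $2 == "" { print "nopass:" $1; next }                               # empty hash: login with no password at all
    $2 !~ /^[!*]/ && ($5 == "" || $5 > maxdays) { print "noaging:" $1 }  # usable hash (not locked) with max age over policy
  ' | LC_ALL=C sort
}

audit_passwd "$SAMPLE_PASSWD"
audit_shadow "$SAMPLE_SHADOW" 90
```

Locked accounts (hash starting with ! or *) are deliberately not reported for aging, since no password can be used on them; the www-data and svc records show the intended state for service accounts, except that svc still has a login shell and is flagged for it.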
Common Pitfalls
- Deleting a user without removing or preserving files: if you run userdel without -r, the home directory and mail spool remain, owned by a now-unassigned UID. A future account that is given the same UID silently inherits access to them, so either remove the files or archive them and change their owner first.
Example:
$ sudo userdel bob # home still exists
$ sudo userdel -r bob # removes home and mail spool
- Forgetting to use -a with usermod when adding supplementary groups: -G on its own replaces the whole supplementary group list, dropping the user from every group not named on the command line.
Right:
$ sudo usermod -aG sudo alice # appends to groups
Wrong:
$ sudo usermod -G sudo alice # replaces group list
- Mismanaging shared-directory permissions (forgetting setgid or ACLs): without setgid or a default ACL, files created by different users keep each creator's primary group, and with the usual umask of 022 they are not group-writable either, breaking workflows.
Next Steps
- Practice in a safe environment: create a VM or container and try adding, modifying, and deleting users and groups.
- Learn PAM and password policy configuration to enforce secure authentication practices.
- Explore centralized account management (LDAP/SSSD) for multi-server environments.
👉 Explore more IT books and guides at dargslan.com.