Chapter 4: Linux Users & Groups Administration

40 min read ▅▅ Intermediate Updated July 2026

Enterprise User Lifecycle

Standard workflow for production user administration:

Create User ──► Assign Password ──► Assign Groups ──► Grant sudo ──► Disable/Delete Account
              

Commands for Each Stage

  1. Create: sudo useradd -m -s /bin/bash john
  2. Password: sudo passwd john
  3. Groups: sudo usermod -aG developers john
  4. Sudo: sudo usermod -aG sudo john or edit sudoers
  5. Disable: sudo usermod -L john or sudo passwd -l john
  6. Delete: sudo userdel -r john (removes home directory)

Learning Objectives

  • Understand Linux user types.
  • Learn UID and GID concepts.
  • Understand primary and secondary groups.
  • Explore the account database files.
  • Identify user information using common commands.

Prerequisites

Complete Chapters 1–3 before starting this chapter.

1. Introduction

Linux is designed as a multi-user operating system. Every process, file and service runs under a user account. User and group management provides accountability, security and controlled access to system resources.

2. Types of Linux Users

User TypePurposeExample
RootFull administrative control.root
Regular UserInteractive login and daily work.ashu
System UserOperating system services.daemon
Service AccountApplications and databases.mysql, nginx
Users ──► Root | Regular Users | System Users | Service Accounts
                

3. Understanding UID & GID

Linux identifies users and groups using numeric IDs rather than names.

TermDescription
UIDUnique User Identifier.
GIDUnique Group Identifier.
UID 0Reserved for the root user.
$ id
uid=1000(ashu) gid=1000(ashu) groups=1000(ashu),27(sudo)

4. Primary vs Secondary Groups

Each user belongs to one primary group and may belong to multiple secondary groups. Primary group context handles the owner ID of newly created files, while secondary group context allows administrators to grant shared access without changing core file ownership parameters.

5. User Information Files

FilePurpose
/etc/passwdUser account information.
/etc/groupGroup definitions.
/etc/shadowEncrypted password information.
/etc/gshadowSecure group password data.
root:x:0:0:root:/root:/bin/bash

Fields: Username, Password Placeholder, UID, GID, Comment, Home Directory, Login Shell.

6. Useful Information Commands

CommandPurpose
whoamiDisplay current username.
idDisplay UID, GID and groups.
groupsList group membership.
getent passwdDisplay user database lines cleanly.
getent groupDisplay group database fields cleanly.

7. Hands-on Practice

  1. Run whoami, id, and groups.
  2. View the first few entries in /etc/passwd.
  3. Identify your account UID and primary group mappings.

8. Common Beginner Mistakes

  • Confusing usernames with numeric system UIDs.
  • Assuming every account is an interactive login user profile.
  • Editing /etc/passwd manually without extreme caution.
  • Forgetting the append (-a) option with usermod -G.

9. Account Lifecycle Creation (useradd, usermod)

Create new system accounts via useradd and modify them via usermod configurations:

useradd -m -s /bin/bash david # Create account with home folder and bash shell
usermod -aG developers john # Safely append user john to secondary group
usermod -s /bin/zsh john # Switch current login shell properties cleanly

10. Password Aging Configurations (chage)

Audit and enforce robust account credential security settings using the chage utility:

OptionPurpose
-lDisplay user account password aging details.
-MDefine maximum password age lifetime values.
-mDefine minimum password update intervals.
-EDefine explicit account expiration date constraints.
chage -M 90 appadmin # Force account password reset every 90 days

11. Group Administration (groupadd, gpasswd)

Create corporate shared security groupings via groupadd developers. Assign or remove member profiles from existing groups using gpasswd settings:

gpasswd -a john developers # Add user john to developers group context
gpasswd -d john developers # Erase user john from developers group context

12. Switch Identities (su, sudo, visudo)

Use su - to switch identities while loading full environment parameters safely. Authorize individual user accounts or full group directories to run administrative tools via sudo without logging directly into root. **Always** apply ruleset adjustments using the syntax-validating visudo control editor.

%developers ALL=(ALL) ALL # Authorize all developers to execute commands via sudo

13. Production Login Outages

Issue EncounteredPossible Root CauseSuggested Diagnostics Check
Login failuresIncorrect credentials inputpasswd / passwd -S
Account locked outLocked system password statepasswd -u validation
Credentials expiredPassword lifetime age metricschage -l checking
Permission deniedSudo or group configuration rule faultgroups / sudo -l tracking

Commands Covered in This Chapter

  • useradd - Create new user account
  • usermod - Modify user account settings
  • userdel - Delete user account profiles
  • passwd - Change or inspect account passwords
  • groupadd - Create new system group definitions
  • groupmod - Modify system group details
  • groupdel - Delete system group identities
  • gpasswd - Administer user memberships in groups
  • id - Display user and group numeric IDs
  • groups - Show current group memberships
  • chage - Change password expiration parameters
  • su - Switch user identity contexts
  • sudo - Execute commands with elevated permissions