Chapter 4: Linux Users & Groups Administration

40 min read ▅▅ Intermediate 📅 Updated July 2026

Enterprise User Lifecycle

Standard workflow for production user administration[cite: 40]:

Create User ──► Assign Password ──► Assign Groups ──► Grant sudo ──► Disable/Delete Account[cite: 40]
              

Commands for Each Stage

  1. Create: sudo useradd -m -s /bin/bash john[cite: 40]
  2. Password: sudo passwd john[cite: 40]
  3. Groups: sudo usermod -aG developers john[cite: 40]
  4. Sudo: sudo usermod -aG sudo john or edit sudoers[cite: 40]
  5. Disable: sudo usermod -L john or sudo passwd -l john[cite: 40]
  6. Delete: sudo userdel -r john (removes home directory)[cite: 40]

🎯 Learning Objectives

  • Understand Linux user types[cite: 40].
  • Learn UID and GID concepts[cite: 40].
  • Understand primary and secondary groups[cite: 40].
  • Explore the account database files[cite: 40].
  • Identify user information using common commands[cite: 40].

📋 Prerequisites

Complete Chapters 1–3 before starting this chapter[cite: 40].

1. Introduction

Linux is designed as a multi-user operating system[cite: 40]. Every process, file and service runs under a user account[cite: 40]. User and group management provides accountability, security and controlled access to system resources[cite: 40].

2. Types of Linux Users

User TypePurposeExample
RootFull administrative control[cite: 40].root[cite: 40]
Regular UserInteractive login and daily work[cite: 40].ashu[cite: 40]
System UserOperating system services[cite: 40].daemon[cite: 40]
Service AccountApplications and databases[cite: 40].mysql, nginx[cite: 40]
Users ──► Root | Regular Users | System Users | Service Accounts[cite: 40]
                

3. Understanding UID & GID

Linux identifies users and groups using numeric IDs rather than names[cite: 40].

TermDescription
UIDUnique User Identifier[cite: 40].
GIDUnique Group Identifier[cite: 40].
UID 0Reserved for the root user[cite: 40].
$ id
uid=1000(ashu) gid=1000(ashu) groups=1000(ashu),27(sudo)[cite: 40]

4. Primary vs Secondary Groups

Each user belongs to one primary group and may belong to multiple secondary groups[cite: 40]. Primary group context handles the owner ID of newly created files, while secondary group context allows administrators to grant shared access without changing core file ownership parameters[cite: 40].

5. User Information Files

FilePurpose
/etc/passwdUser account information[cite: 40].
/etc/groupGroup definitions[cite: 40].
/etc/shadowEncrypted password information[cite: 40].
/etc/gshadowSecure group password data[cite: 40].
root:x:0:0:root:/root:/bin/bash[cite: 40]

Fields: Username, Password Placeholder, UID, GID, Comment, Home Directory, Login Shell[cite: 40].

6. Useful Information Commands

CommandPurpose
whoamiDisplay current username[cite: 40].
idDisplay UID, GID and groups[cite: 40].
groupsList group membership[cite: 40].
getent passwdDisplay user database lines cleanly[cite: 40].
getent groupDisplay group database fields cleanly[cite: 40].

7. Hands-on Practice

  1. Run whoami, id, and groups[cite: 40].
  2. View the first few entries in /etc/passwd[cite: 40].
  3. Identify your account UID and primary group mappings[cite: 40].

8. Common Beginner Mistakes

  • Confusing usernames with numeric system UIDs[cite: 40].
  • Assuming every account is an interactive login user profile[cite: 40].
  • Editing /etc/passwd manually without extreme caution[cite: 40].
  • Forgetting the append (-a) option with usermod -G[cite: 40].

9. Account Lifecycle Creation (useradd, usermod)

Create new system accounts via useradd and modify them via usermod configurations[cite: 40]:

useradd -m -s /bin/bash david       # Create account with home folder and bash shell[cite: 40]
usermod -aG developers john         # Safely append user john to secondary group[cite: 40]
usermod -s /bin/zsh john            # Switch current login shell properties cleanly[cite: 40]

10. Password Aging Configurations (chage)

Audit and enforce robust account credential security settings using the chage utility[cite: 40]:

OptionPurpose
-lDisplay user account password aging details[cite: 40].
-MDefine maximum password age lifetime values[cite: 40].
-mDefine minimum password update intervals[cite: 40].
-EDefine explicit account expiration date constraints[cite: 40].
chage -M 90 appadmin   # Force account password reset every 90 days[cite: 40]

11. Group Administration (groupadd, gpasswd)

Create corporate shared security groupings via groupadd developers[cite: 40]. Assign or remove member profiles from existing groups using gpasswd settings[cite: 40]:

gpasswd -a john developers    # Add user john to developers group context[cite: 40]
gpasswd -d john developers    # Erase user john from developers group context[cite: 40]

12. Switch Identities (su, sudo, visudo)

Use su - to switch identities while loading full environment parameters safely[cite: 40]. Authorize individual user accounts or full group directories to run administrative tools via sudo without logging directly into root[cite: 40]. **Always** apply ruleset adjustments using the syntax-validating visudo control editor[cite: 40].

%developers ALL=(ALL) ALL   # Authorize all developers to execute commands via sudo[cite: 40]

13. Production Login Outages

Issue EncounteredPossible Root CauseSuggested Diagnostics Check
Login failuresIncorrect credentials inputpasswd / passwd -S[cite: 40]
Account locked outLocked system password statepasswd -u validation[cite: 40]
Credentials expiredPassword lifetime age metricschage -l checking[cite: 40]
Permission deniedSudo or group configuration rule faultgroups / sudo -l tracking[cite: 40]

Commands Covered in This Chapter

  • useradd - Create new user account[cite: 40]
  • usermod - Modify user account settings[cite: 40]
  • userdel - Delete user account profiles[cite: 40]
  • passwd - Change or inspect account passwords[cite: 40]
  • groupadd - Create new system group definitions[cite: 40]
  • groupmod - Modify system group details[cite: 40]
  • groupdel - Delete system group identities[cite: 40]
  • gpasswd - Administer user memberships in groups[cite: 40]
  • id - Display user and group numeric IDs[cite: 40]
  • groups - Show current group memberships[cite: 40]
  • chage - Change password expiration parameters[cite: 40]
  • su - Switch user identity contexts[cite: 40]
  • sudo - Execute commands with elevated permissions[cite: 40]