Managing Users and Groups

Nov 1, 2025

User Properties

Fedora Docs

Create and Manage Users

  • useradd: add a user
  • usermod: modify a user
  • userdel: delete a user
  • passwd: change a user password

Defining defaults

  • Write default settings to /etc/login.defs
  • Files in /etc/skel are copied to the user home directory upon creation.
  • RHEL 10 uses Pluggable Authentication Modules (PAM), which can define more advanced default settings (not an RHCSA topic). See authselect.

Limit user access

Lock user account, anna

usermod -L anna

Unlock user account, anna

usermod -U anna

Set expiration date for user account, bill

usermod -e 2032-01-01 bill

Set the shell to /sbin/nologin for a user, application, that is not intended to log in at all

usermod -s /sbin/nologin application

Creating and Managing Groups

  • groupadd: add a group
  • groupmod: modify a group
  • groupdel: delete a group

Create a new group, support-desk

groupadd support-desk

Add user, somebody, to group, support. Without -a (append), -G replaces the user's current list of secondary groups.

usermod -aG support somebody

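Find all secondary members of a group, support. Anchoring the pattern keeps other group names, such as support-desk, out of the result.

grep '^support:' /etc/group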

Managing password properties

Set password age properties for user, somebody

chage somebody

Knowledge Check

  1. Where are user properties managed?
  2. Where are user password properties managed?
  3. Explain the difference between primary and secondary groups
  4. Where are primary groups managed?
  5. Where are secondary groups managed?
  6. How can you temporarily change the primary group?
  7. How can you print all the groups that a user is a member of?

Answers

  1. User properties are managed in /etc/passwd
    • Name: name of the account
    • Password: authentication secret, may be disabled
    • UID: a unique identifier for users
    • GID: ID of the primary group
    • GECOS: additional non-mandatory information about the user
    • Home directory: environment where users create personal files
    • Shell: the program that will be started after successful authentication
  2. Password properties are managed in /etc/shadow
    • Username
    • Password
    • Last password change
    • Minimum - minimum days between password changes
    • Maximum - maximum days password is valid
    • Warn - number of days before expiration that the user is warned
    • Inactive - days after expiration that the user is disabled
    • Expire - expiration date of account (expressed as days since Jan 1, 1970)
  3. For filesystem permission purposes, each user must be a member of at least one group
  4. Primary group membership is managed through /etc/passwd
  5. Secondary group membership is managed through /etc/group
  6. Temporarily set primary group membership using newgrp
  7. Use id {user} to see which groups a user is a member of
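
The /etc/shadow fields from answer 2 are where usermod -L (a leading ! on the password field), usermod -e (the expire field) and chage leave their mark. The following added example, which is not part of the original notes, reads shadow-format lines and flags locked accounts, empty passwords, expired accounts and overdue password changes; the sample entries and hashes are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit shadow-format lines.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# Dates are day counts since Jan 1, 1970 (2032-01-01 is day 22645).

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_shadow() {
cat <<'EOF'
anna:!$6$CONSTRUCTED$notarealhash:20000:0:99999:7:::
bill:$6$CONSTRUCTED$notarealhash:20450:0:90:7::22645:
peter::20000:0:99999:7:::
sally:$6$CONSTRUCTED$notarealhash:20000:0:90:7:::
andrew:$6$CONSTRUCTED$notarealhash:20450:0:90:7:::
EOF
}

# audit_shadow TODAY  (reads shadow-format lines on stdin)
# TODAY is the current day number, e.g. $(( $(date +%s) / 86400 ))
audit_shadow() {
  awk -F: -v today="$1" '
    {
      flags = ""
      # Empty field: no password is set at all (what passwd -d leaves behind).
      if ($2 == "")          flags = flags ",EMPTY-PASSWORD"
      # Leading ! or *: password login is locked (usermod -L, passwd -l).
      else if ($2 ~ /^[!*]/) flags = flags ",LOCKED"
      # Field 8: account expiry date (usermod -e, chage -E).
      if ($8 != "" && today + 0 >= $8 + 0)
        flags = flags ",ACCOUNT-EXPIRED"
      # Fields 3 and 5: last change plus maximum age (chage -M).
      if ($3 != "" && $5 != "" && today - $3 > $5)
        flags = flags ",PASSWORD-CHANGE-DUE"
      if (flags == "") flags = ",ok"
      print $1, substr(flags, 2)
    }'
}

# Demo on the constructed data, evaluated as of day 20500.
# On a real system (as root): audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
sample_shadow | audit_shadow 20500
```
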

Lab Exercise

  1. Ensure that new users are required to reset their passwords every 90 days
  2. Ensure that all new users get the file, welcome, with the contents “hello” created in their home directory
  3. Create users andrew, peter, sally, and susan
  4. Set the passwords for andrew and sally, but disable the passwords for peter and susan
  5. Create the groups engineers and designers. Make andrew and sally members of engineers. Make peter and susan members of designers.

Solution

  1. Set PASS_MAX_DAYS to 90 in /etc/login.defs
  2. echo hello > /etc/skel/welcome
  3. useradd andrew; useradd peter; ...
  4. passwd andrew; passwd sally; passwd -l peter; passwd -l susan (-l locks the password; -d would delete it and leave the account with no password at all)
  5. groupadd engineers; groupadd designers; usermod -aG engineers andrew; ...

- Clint Jordan