Objective

Create and manage user accounts and groups, configure password policies, and set up sudo access on a Linux server.

Tools & Technologies

  • useradd
  • usermod
  • groupadd
  • passwd
  • chage
  • visudo
  • /etc/passwd

Key Commands

useradd -m -s /bin/bash -G sudo alice
usermod -aG docker bob
chage -l alice
visudo
passwd --expire alice

Architecture Overview

graph TD
    subgraph /etc/passwd
        P[alice:x:1001:1001:Alice:/home/alice:/bin/bash]
    end
    subgraph /etc/shadow
        S[alice:$6$hash...:19000:0:99999:7:::]
    end
    subgraph /etc/group
        G[sudo:x:27:alice,bob]
        G2[docker:x:999:bob]
    end
    P -->|UID/GID| S
    P -->|primary group| G
    style P fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style S fill:#1a1a2e,stroke:#ff4444,color:#ff4444

Step-by-Step Process

01
Create Users

useradd creates the account. adduser (Debian/Ubuntu) is the more interactive wrapper.

# Create user with home dir and bash
sudo useradd -m -s /bin/bash alice
sudo passwd alice

# Debian/Ubuntu interactive version
sudo adduser alice

# Create system user (no home, no login)
sudo useradd -r -s /usr/sbin/nologin appuser

02
Manage Groups

Add users to supplementary groups. Use -a (append) with -G to avoid removing existing group memberships.

sudo groupadd developers

# Add to supplementary group (MUST use -a)
sudo usermod -aG sudo alice
sudo usermod -aG docker,developers bob

# Verify
groups alice
id bob

03
Password Policy

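Set password expiry and complexity requirements. The commands below handle expiry, aging and locking; complexity is enforced separately through PAM (for example pam_pwquality) and is not covered in this step.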

# Force password change on next login
sudo passwd --expire alice

# View password aging info
sudo chage -l alice

# Set max age 90 days, warn 7 days before
sudo chage -M 90 -W 7 alice

# Lock/unlock account
sudo passwd -l alice  # lock
sudo passwd -u alice  # unlock

04
sudo Configuration

Grant specific sudo privileges using visudo (never edit /etc/sudoers directly).

sudo visudo
# Add lines:
alice ALL=(ALL:ALL) ALL           # full sudo
bob ALL=(ALL) NOPASSWD: /bin/ls   # specific command
%developers ALL=(ALL) /usr/bin/apt  # group rule; apt runs package scripts as root, so treat this as close to full root

# Or drop a file in:
sudo visudo -f /etc/sudoers.d/alice
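
An added example (not part of the original lab): a POSIX shell function that checks shadow and group data against the 90-day maximum age from step 03 and flags locked accounts that still sit in a privileged group, since passwd -l only disables the password and other login methods such as SSH keys can still work. The file contents, the user carol and the function names make_sample and audit_accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example. All account data here is constructed sample input.

# make_sample DIR: write sample shadow and group files into DIR.
make_sample() {
    cat > "$1/shadow" <<'EOF'
alice:$6$hash...:19000:0:99999:7:::
bob:$6$hash...:19000:0:90:7:::
carol:!$6$hash...:19000:0:90:7:::
appuser:!:19000::::::
EOF
    cat > "$1/group" <<'EOF'
sudo:x:27:alice,bob,carol
docker:x:999:bob
EOF
}

# audit_accounts SHADOW GROUP MAX_DAYS PRIV_GROUP
# Prints one "user: finding" line per issue, sorted by user name.
audit_accounts() {
    awk -F: -v max="$3" -v priv="$4" '
        # First file (shadow): field 2 = hash, field 5 = max age in days.
        FILENAME == ARGV[1] { hash[$1] = $2; maxage[$1] = $5; next }
        # Second file (group): field 4 = comma-separated members.
        $1 == priv {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) member[m[i]] = 1
        }
        END {
            for (u in hash) {
                # passwd -l prefixes the hash with "!"; "*" also blocks password login.
                locked = (hash[u] ~ /^[!*]/)
                if (!locked && maxage[u] == "")
                    print u ": no max password age set"
                else if (!locked && maxage[u] + 0 > max + 0)
                    print u ": max password age " maxage[u] " exceeds " max
                if (locked && (u in member))
                    print u ": locked account still in group " priv
            }
        }
    ' "$1" "$2" | sort
}

# Demo run against the constructed sample with the 90-day policy from step 03.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_accounts "$tmp/shadow" "$tmp/group" 90 sudo
rm -rf "$tmp"
```

On a real host the same function can be pointed at /etc/shadow and /etc/group when run as root.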

Challenges & Solutions

  • usermod -G without -a replaces all supplementary groups
  • Never edit /etc/sudoers directly — visudo validates syntax

Key Takeaways

  • /etc/sudoers.d/ allows modular sudo config without editing the main file
  • Lock accounts with passwd -l rather than deleting — preserves UID for file ownership