Manage Linux User Accounts with useradd, usermod, and userdel

Introduction

In this lab, you will learn the essential skills for managing user accounts on a Linux system. You will practice the complete lifecycle of user administration, from creating and securing new accounts to modifying their properties and, finally, deleting them safely. This hands-on experience is fundamental for any system administrator responsible for maintaining a multi-user Linux environment.

You will begin by using the useradd command to create a new user and their home directory, then secure the account with passwd. Next, you will explore the differences between su and su - for switching users and learn how to lock and unlock accounts. You will also modify user attributes, such as password aging policies with chage and group memberships with usermod. The lab concludes by demonstrating how to properly remove a user and their associated data using the userdel command.

Create and Secure a User with useradd and passwd

In this step, you will learn how to create a new user account using the useradd command and then secure it by setting a password with the passwd command. These are fundamental administrative tasks for managing a Linux system.

First, let's create a new user named student1. The useradd command requires root privileges to create users, so you'll need to prepend the command with sudo.

Execute the following command in your terminal:

sudo useradd -m student1

The -m option is important; it tells useradd to create the user's home directory, which will be /home/student1 by default. If you don't use -m, the user will be created, but they won't have a personal home directory to store their files.

After running the command, the system creates entries for the new user in several critical system files. You can verify this by using the grep command to search for lines starting with student1 in the /etc/passwd, /etc/shadow, and /etc/group files. Since /etc/shadow requires root privileges to read, you need to use sudo:

sudo grep ^student1 /etc/passwd /etc/shadow /etc/group

Your output should look similar to this. The User ID (UID) and Group ID (GID) numbers might vary, but the structure will be the same:

/etc/passwd:student1:x:5001:5001::/home/student1:/bin/sh
/etc/shadow:student1:!:20265:0:99999:7:::
/etc/group:student1:x:5001:

Let's break down this output:

  • /etc/passwd: This file contains basic user account information. The x in the second field indicates that the encrypted password is not stored here, but in the /etc/shadow file for security.
  • /etc/shadow: This file contains secure user account information. The second field will initially contain ! or *, indicating that no password has been set yet and the account cannot be used for login.
  • /etc/group: A new group, also named student1, was automatically created to be the primary group for this user.

Now that the user exists, you need to set a password to make the account usable and secure. We'll use the passwd command for this. Like useradd, it requires sudo when changing another user's password.

sudo passwd student1

The system will prompt you to enter and then re-enter a new password for student1. For this lab, please use student1pass as the password. Note that for security reasons, your typing will not be displayed on the screen.

New password:
Retype new password:
passwd: password updated successfully

With the password set, let's check the /etc/shadow file again to see what has changed. Since /etc/shadow requires root privileges to read, you need to use sudo:

sudo grep ^student1 /etc/shadow

The output will now be different. Your hash will be a long, unique string that differs from the one shown here:

student1:$y$j9T$lUM1RtLPQdrCOHmaFf1po/$xqNw.5dz54yR9whxsID9teI28/BOyvKocK5dA9X7GoD:20265:0:99999:7:::

Notice that the second field now contains a long, complex string. This is the hash of the password you just set: a one-way value that the system recomputes from the password at login and compares, not an encrypted copy that could be decrypted back into the password. The account is now active and can be used for login.

Switch Users and Understand Environment Differences with su vs su -

In this step, you will explore how to switch to another user account within your current terminal session using the su (substitute user) command. You will also learn the critical difference between using su with and without the - (or --login) flag, which significantly affects the user environment.

First, let's examine your current environment as the labex user. Run these commands to see your current user, home directory, and working directory:

whoami
echo $HOME
pwd

You will see the following output, confirming you are the labex user in your project directory:

labex
/home/labex
/home/labex/project

Now, let's switch to the student1 user you created in the previous step. Use the su command followed by the username. You will be prompted for student1's password, which you set to student1pass.

su student1

After entering the password, your session is now operating with the identity of student1. However, the environment is not fully loaded. Let's run the same commands again to see what has changed and what hasn't.

whoami
echo $HOME
pwd

Notice the output:

student1
/home/student1
/home/labex/project

Here's what this tells us:

  • whoami: You are now effectively student1.
  • echo $HOME: The HOME environment variable now points to the new user's (student1) home directory.
  • pwd: You are still in the same directory you were in before switching users (/home/labex/project).

This half-switched state can be problematic: HOME points to student1's directory, but the working directory and the rest of the environment were inherited from the labex session, and student1's own shell profile was never read. Scripts and applications that expect to start in the user's home directory with that user's settings may then behave unexpectedly.

Now, type exit to return to your labex user shell.

exit

Next, let's try switching users again, but this time with the - flag. This flag tells su to start a login shell, which simulates a full login for the new user. This means it will load student1's complete environment, including their home directory and shell profile.

su - student1

Enter the password (student1pass) again. Now, run the same set of diagnostic commands:

whoami
echo $HOME
pwd

Compare the output to the previous attempt:

student1
/home/student1
/home/student1

The differences are significant:

  • whoami: You are still student1.
  • echo $HOME: The HOME variable points to /home/student1 (same as with su).
  • pwd: Your current working directory has been changed to student1's home directory.

This demonstrates that su - <username> is the recommended way to switch users on the command line, as it provides a clean, predictable environment for the new user, preventing issues with incorrect paths and permissions.

To finish this step, type exit to return to your original labex session.

exit

Lock and Unlock User Accounts with passwd -l and passwd -u

In this step, you will learn how to temporarily disable a user account by locking it, and then re-enable it by unlocking it. This is a common administrative practice for situations where you need to prevent a user from logging in without deleting their account and files.

First, let's lock the student1 account. To do this, you use the passwd command with the -l (lock) option. This action requires administrative privileges, so you must use sudo.

sudo passwd -l student1

The command will confirm that the password has been locked. The output message may vary slightly but indicates success.

passwd: password for user student1 changed.

But what does "locking" actually do? Let's inspect the /etc/shadow file again to see the effect.

sudo grep ^student1 /etc/shadow

You will notice a subtle but important change. The encrypted password string is now prefixed with one or two exclamation marks (!). The placeholder ... represents the rest of your unique hash.

student1:!$y$j9T$...:20265:0:99999:7:::

This ! prefix invalidates the stored password hash, making it impossible for the system to match any password the user provides. As a result, the user cannot log in. Let's test this. Try to switch to the student1 user:

su - student1

You will be prompted for a password, but even if you enter the correct one (student1pass), the login will fail.

Password:
su: Authentication failure

This confirms the account is successfully locked. Now, let's unlock it. To re-enable the account, you simply reverse the process using the -u (unlock) option with the passwd command.

sudo passwd -u student1

Again, the command will confirm the change.

passwd: password for user student1 changed.

Let's check the /etc/shadow file one last time to verify that the account is unlocked.

sudo grep ^student1 /etc/shadow

The output shows that the ! prefix has been removed, restoring the original password hash.

student1:$y$j9T$...:20265:0:99999:7:::

The account is now active again. You can confirm this by successfully switching to the student1 user. Enter the password student1pass when prompted.

su - student1

You should now be logged in as student1. Finally, type exit to return to your labex session.

exit

Modify User Password Aging and Group Membership with chage and usermod

In this step, you will manage more advanced user properties. You'll learn how to enforce password security policies using chage to control password expiration, and how to manage a user's group memberships using usermod to control their permissions and access rights.

First, let's examine the password aging information for the student1 account. The chage (change age) command with the -l (list) flag displays these details.

sudo chage -l student1

The output will show the default settings for the account. The dates will correspond to when you created the user.

Last password change     : Dec 08, 2024
Password expires     : never
Password inactive     : never
Account expires      : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires : 7

For security, it's a good practice to require users to change their passwords periodically. Let's set a policy where the password must be changed every 90 days (-M 90), can only be changed once every 7 days (-m 7), and the user gets a warning 14 days before it expires (-W 14).

sudo chage -M 90 -m 7 -W 14 student1

Now, view the settings again to confirm your changes:

sudo chage -l student1

The output will reflect the new policy:

Last password change     : Dec 08, 2024
Password expires     : Mar 08, 2025
Password inactive     : never
Account expires      : never
Minimum number of days between password change  : 7
Maximum number of days between password change  : 90
Number of days of warning before password expires : 14
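The states of the /etc/shadow password field seen in the first step and in the lock/unlock step, together with the aging fields that chage edits here, can all be checked from one shadow-format line. The helper below is an added example, not part of the lab; its three entries are constructed from the values shown above (the hash is the lab's sample, not a real account) and "today" is passed in as a day count so it runs offline.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-format entries offline.
# Field 2 is the password hash, field 3 the last-change day (days since
# 1970-01-01), field 5 the maximum age set with chage -M. Sample entries are
# constructed; the hash is the one shown in this lab, not a real account.

# shadow_state '<shadow line>' -> EMPTY | NO_PASSWORD | LOCKED | ACTIVE
shadow_state() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        '')                      echo EMPTY ;;        # no password required at all
        '!' | '*' | '!!' | '!*') echo NO_PASSWORD ;;  # never set (fresh useradd)
        '!'* | '*'*)             echo LOCKED ;;       # hash prefixed by passwd -l
        *)                       echo ACTIVE ;;       # usable hash, e.g. $y$ yescrypt
    esac
}

# shadow_days_left '<shadow line>' <today as days since epoch>
# -> days until the password must be changed (negative = overdue), or "never"
shadow_days_left() {
    last=$(printf '%s' "$1" | cut -d: -f3)
    max=$(printf '%s' "$1" | cut -d: -f5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
    else
        echo $(( last + max - $2 ))
    fi
}

# audit_shadow <today> reads shadow lines on stdin and prints "user state days"
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s %s\n' "${line%%:*}" \
            "$(shadow_state "$line")" "$(shadow_days_left "$line" "$1")"
    done
}

# Constructed samples: fresh account, active account, and the same account
# locked after chage -M 90 -m 7 -W 14 (fields 4-6 become 7:90:14).
HASH='$y$j9T$lUM1RtLPQdrCOHmaFf1po/$xqNw.5dz54yR9whxsID9teI28/BOyvKocK5dA9X7GoD'
FRESH="student1:!:20265:0:99999:7:::"
ACTIVE="student1:$HASH:20265:0:99999:7:::"
LOCKED="student1:!$HASH:20265:7:90:14:::"

# On a real host: sudo cat /etc/shadow | audit_shadow "$(( $(date +%s) / 86400 ))"
printf '%s\n' "$FRESH" "$ACTIVE" "$LOCKED" | audit_shadow 20300
```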

Next, let's modify group memberships. A user belongs to a primary group and can belong to multiple secondary (or supplementary) groups. You can view a user's groups with the id command.

id student1
uid=5001(student1) gid=5001(student1) groups=5001(student1)

This shows that student1's primary group is student1 (gid=5001) and they are not yet in any secondary groups.

Let's create a new group called developers and add student1 to it. First, create the group:

sudo groupadd developers

Now, add student1 to this new group using usermod. The -aG flags are crucial: -G specifies the secondary groups, and -a appends the user to the group without removing them from other groups.

sudo usermod -aG developers student1

Check the user's groups again:

id student1

The output now includes the developers group:

uid=5001(student1) gid=5001(student1) groups=5001(student1),1002(developers)

What happens if you forget the -a flag? Let's create another group, testers, and add student1 to it using only -G.

sudo groupadd testers
sudo usermod -G testers student1

Now check the groups one more time:

id student1
uid=5001(student1) gid=5001(student1) groups=5001(student1),1003(testers)

Notice that student1 is no longer in the developers group. Using usermod -G without -a replaces all existing secondary groups with the new list. To have the user in both groups, you must either list all groups (-G developers,testers) or use the append flag. Let's fix this by re-adding student1 to the developers group correctly.

sudo usermod -aG developers student1

Verify the final state. The user should now be a member of both groups.

id student1
uid=5001(student1) gid=5001(student1) groups=5001(student1),1003(testers),1002(developers)
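The -G versus -aG pitfall above comes down to how usermod rewrites the member list (fourth field) of /etc/group. The script below is an added example, not part of the lab: it reproduces that rewrite with awk on a constructed copy of the group file so the effect of each flag can be compared without changing any real account.

```shell
#!/bin/sh
# Added example: simulate what usermod -G and usermod -aG do to the member
# list (4th field) of /etc/group, without touching the real file. The group
# file content below is constructed to match the ids used in this lab.

# supp_groups <user>  (group file on stdin) -> comma-separated supplementary
# groups, in file order; the primary group is not listed in this field.
supp_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) out = out (out ? "," : "") $1
    } END { print out }'
}

# apply_G <user> <groups> <append:0|1>  (group file on stdin) -> rewritten file
# append=0 mirrors usermod -G: the user is dropped from every group not listed.
apply_G() {
    awk -F: -v OFS=: -v u="$1" -v want="$2" -v append="$3" '
    BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
    {
        n = split($4, m, ","); out = ""
        for (i = 1; i <= n; i++)
            if (m[i] != "" && (m[i] != u || append)) out = out (out ? "," : "") m[i]
        if (keep[$1] && index("," out ",", "," u ",") == 0) out = out (out ? "," : "") u
        $4 = out; print
    }'
}

# Constructed /etc/group snapshot after "usermod -aG developers student1".
GROUP_FILE='student1:x:5001:
developers:x:1002:student1
testers:x:1003:'

# simulate <user> <groups> <append:0|1> -> resulting supplementary groups
simulate() {
    printf '%s\n' "$GROUP_FILE" | apply_G "$1" "$2" "$3" | supp_groups "$1"
}

echo "start:           $(printf '%s\n' "$GROUP_FILE" | supp_groups student1)"
echo "-G testers:      $(simulate student1 testers 0)"             # developers lost
echo "-aG testers:     $(simulate student1 testers 1)"
echo "-G dev,testers:  $(simulate student1 developers,testers 0)"
```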

Delete Users and Their Data with userdel and userdel -r

In this step, you will learn how to permanently remove user accounts from the system using the userdel command. You'll see the important distinction between simply deleting a user's account information and deleting the account along with all of its associated files, such as the home directory.

First, to demonstrate both methods of deletion, let's create a second user named student2.

sudo useradd -m student2

Now you have two users to work with: student1 (from previous steps) and the new student2.

Let's start by deleting the student1 user without any special options. The default userdel command removes the user's entries from system account files like /etc/passwd and /etc/shadow, but it does not remove their home directory. This can be useful if you need to archive the user's data before fully removing it.

sudo userdel student1

To confirm the user account is gone, try to grep for it in /etc/passwd.

grep ^student1 /etc/passwd

This command will produce no output, which confirms the user's account entry has been deleted. However, what about their home directory? Let's check if /home/student1 still exists.

ls -ld /home/student1

You will see that the directory is still there, though the owner is now displayed as a number (the user's old UID) because the system can no longer map that ID to a username. Because the filesystem records ownership by UID rather than by name, a future account that happens to receive UID 5001 would automatically own these files, so archive or reassign (chown) orphaned directories promptly; find / -nouser locates any other files left behind.

drwxr-x--- 2 5001 5001 78 Jun 26 08:18 /home/student1

Now, let's delete the student2 user, but this time we'll use the -r (remove) flag. This option tells userdel to remove the user's home directory and mail spool in addition to their account entries. This is a complete and irreversible deletion.

sudo userdel -r student2

You may see a warning message about the mail spool not being found, which is normal since the user never received any mail:

userdel: student2 mail spool (/var/mail/student2) not found

This warning doesn't indicate an error - it simply means there was no mail spool file to delete, which is expected for a newly created user who hasn't received any mail.

As before, verify that the account entry is gone from /etc/passwd; this command should return no output.

grep ^student2 /etc/passwd

Next, and most importantly, check for the existence of the home directory /home/student2.

ls -ld /home/student2

This time, the command will fail with an error message, proving that the directory has been completely removed along with the user account.

ls: cannot access '/home/student2': No such file or directory

You have now successfully practiced both methods for deleting users, giving you the flexibility to either preserve or permanently erase a user's data as needed.

Summary

In this lab, you learned the fundamental commands for managing user accounts on a Linux system. You started by creating a new user with useradd -m, ensuring a home directory was also created, and then secured the account by setting a password with passwd. You practiced switching between users using both su and su -, learning the critical difference between a standard and a login shell environment. You also learned how to manage account access by locking and unlocking it with the passwd command's -l and -u options.

The lab continued with modifying existing user attributes. You used chage to manage password aging policies and usermod to alter a user's group memberships. Finally, you explored the process of removing users from the system, distinguishing between the userdel command, which removes the user account, and the userdel -r command, which also deletes the user's home directory and mail spool for a complete cleanup.