Create, Delete, and Modify
Local User Accounts

Create, delete, and modify local user accounts

CIS126RH | RHEL System Administration 1
Mesa Community College

User account management is one of the core responsibilities of a Linux system administrator. Every person and service on a RHEL system operates as a user account — with a unique UID, a home directory, a login shell, and group memberships that determine what that account can access. The commands useradd, usermod, userdel, and passwd form the complete toolkit for managing local accounts. All are tested on the RHCSA exam.

Learning Objectives

  1. Explain the Linux user account model — Describe UIDs, the /etc/passwd and /etc/shadow files, and how local accounts are stored on the system
  2. Create user accounts with useradd — Use useradd with flags to specify UID, home directory, shell, comment, and group membership at creation time
  3. Modify existing accounts with usermod — Use usermod to change username, UID, shell, home directory, group membership, and account lock status
  4. Delete accounts and manage passwords — Use userdel to remove accounts and passwd to set, expire, lock, and unlock passwords

The Linux User Account Model

Every Linux user is identified internally by a UID (User IDentifier) — an integer that the kernel uses for all access control.

# /etc/passwd — one line per user (no passwords stored here)
# username:x:UID:GID:comment:home_dir:shell
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:1002:Bob Jones:/home/bob:/bin/bash
nologin_svc:x:999:999:Service Account:/:/sbin/nologin

# /etc/shadow — encrypted passwords (root readable only)
# username:hashed_pw:last_change:min:max:warn:inactive:expire
$ sudo grep alice /etc/shadow
alice:$6$rounds=5000$salt$hashedpassword...:19500:0:99999:7:::
UID range   Account type
0           root — the superuser; unrestricted access to everything
1–999       System accounts — created by packages for services (apache, sshd, ntp)
1000+       Regular user accounts — created by administrators for people
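As an added example (not part of the course material), the snippet below parses /etc/passwd-format lines and classifies each account by the UID ranges in the table above. The sample lines are constructed for the example; on a real host the same functions can be fed the output of getent passwd.

```shell
# Added example (not course material): parse /etc/passwd-format lines and
# classify each account by the UID ranges in the table above.

# Constructed sample lines; they stand in for a real /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nologin_svc:x:999:999:Service Account:/:/sbin/nologin
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:1002:Bob Jones:/home/bob:/bin/bash'

# Field N (1-based) of one colon-separated passwd or shadow line.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Account class for a UID: root (0), system (1-999) or regular (1000+).
classify_uid() {
    if [ "$1" -eq 0 ]; then
        echo root
    elif [ "$1" -lt 1000 ]; then
        echo system
    else
        echo regular
    fi
}

# "username class shell" for one passwd line.
classify_line() {
    echo "$(field "$1" 1) $(classify_uid "$(field "$1" 3)") $(field "$1" 7)"
}

# Number of accounts of a given class in passwd-format text.
count_class() {   # $1 = passwd text, $2 = root|system|regular
    printf '%s\n' "$1" | {
        n=0
        while IFS=: read -r user pw uid rest; do
            if [ "$(classify_uid "$uid")" = "$2" ]; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# Stand-alone demo: one line per account, then a summary count.
printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do classify_line "$line"; done
echo "system accounts: $(count_class "$SAMPLE_PASSWD" system)"
```

The while loop in count_class runs inside the braces on the right of the pipe so that the counter survives the subshell; that is the usual portable way to accumulate over piped lines in POSIX sh.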

Creating Users: useradd

useradd creates a new user account and optionally its home directory, primary group, and skeleton files.

# Create a user with all defaults
$ sudo useradd alice
# Creates: /home/alice, primary group alice, UID auto-assigned

# Create with a specific UID
$ sudo useradd -u 1500 alice

# Create with a comment (full name)
$ sudo useradd -c "Alice Smith" alice

# Create with a specific home directory
$ sudo useradd -d /opt/alice alice

# Create with a specific shell
$ sudo useradd -s /bin/zsh alice

# Create with all common options in one command
$ sudo useradd -u 1500 -c "Alice Smith" -d /home/alice \
    -s /bin/bash -G developers,wheel alice

# Verify the user was created
$ id alice
uid=1500(alice) gid=1500(alice) groups=1500(alice),10(wheel),1600(developers)

useradd Flags Reference

Flag  Long form         Purpose                                          Example
-u    --uid             Specify the UID                                  -u 1500
-g    --gid             Specify primary group (name or GID)              -g staff
-G    --groups          Supplementary groups (comma-separated)           -G wheel,developers
-c    --comment         GECOS comment field (usually full name)          -c "Alice Smith"
-d    --home-dir        Home directory path                              -d /opt/alice
-m    --create-home     Create the home directory (default on RHEL)      -m
-M    --no-create-home  Do NOT create a home directory                   -M
-s    --shell           Login shell                                      -s /bin/bash
-r    --system          Create a system account (UID < 1000, no home)    -r
-e    --expiredate      Account expiry date (YYYY-MM-DD)                 -e 2026-12-31
-p    --password        Encrypted password (use passwd instead)          (avoid — use passwd)

Set password with passwd after useradd

A newly created user has a locked password by default. Always run sudo passwd USERNAME immediately after useradd to set a password and unlock the account for login.

Setting and Managing Passwords: passwd

# Set a password for a user (prompts interactively)
$ sudo passwd alice
Changing password for user alice.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# Set a password non-interactively (for scripts)
# Caveat: a literal password typed here lands in the shell history;
# in real scripts feed chpasswd from a root-only file instead
$ echo "alice:secretpassword" | sudo chpasswd

# Lock an account (prepends ! to password hash)
$ sudo passwd -l alice
Locking password for user alice.
passwd: Success

# Unlock an account
$ sudo passwd -u alice

# Force a user to change their password on next login
$ sudo passwd -e alice

# Check the status of a user's password
$ sudo passwd -S alice
alice PS 2026-05-25 0 99999 7 -1 (Password set, SHA512 crypt.)
# PS = Password Set, LK = Locked, NP = No Password

Modifying Users: usermod

usermod changes attributes of an existing user account. It uses the same flags as useradd plus a few extras.

# Change a user's login shell
$ sudo usermod -s /bin/zsh alice

# Change a user's comment (full name)
$ sudo usermod -c "Alice M. Smith" alice

# Add a user to a supplementary group (PRESERVES existing groups)
$ sudo usermod -aG wheel alice

# SET supplementary groups (REPLACES existing groups)
$ sudo usermod -G wheel,developers alice

# Change the user's home directory (and move contents)
$ sudo usermod -d /opt/alice -m alice

# Lock the account
$ sudo usermod -L alice

# Unlock the account
$ sudo usermod -U alice

# Rename a user (username changes; UID stays the same)
$ sudo usermod -l alicesmith alice

-aG preserves groups; -G replaces them

usermod -aG wheel alice adds alice to wheel while keeping all existing supplementary groups. usermod -G wheel alice (without -a) replaces all supplementary groups with just wheel — removing alice from any other groups she was in.
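The following added example (not course material) models the difference on /etc/group data: it reads a user's current supplementary groups from constructed group-file lines, computes the membership that usermod -aG would leave behind, and reports what a bare usermod -G would silently remove. The group lines are constructed for the example; on a real host the input would be the output of getent group.

```shell
# Added example (not course material): model usermod -aG (append) versus
# usermod -G (replace) on /etc/group-format lines.

# Constructed /etc/group lines. Field 4 is the comma-separated member list,
# which is where supplementary membership lives.
SAMPLE_GROUP='wheel:x:10:alice
developers:x:1600:bob,alice
ops:x:1700:alice
admins:x:1800:'

# Current supplementary groups of a user as a comma-separated list, in file order.
supp_groups() {   # $1 = group text, $2 = username
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) out = out (out ? "," : "") $1 }
        END { print out }'
}

# Membership after "usermod -aG NEW": the current list plus any NEW groups not already present.
after_append() {   # $1 = current list, $2 = new list
    result=$1
    for g in $(printf '%s\n' "$2" | tr ',' ' '); do
        case ",$result," in *",$g,"*) ;; *) result="${result:+$result,}$g" ;; esac
    done
    printf '%s\n' "$result"
}

# Membership after "usermod -G NEW" is exactly NEW, so this reports what the user would lose.
# Run it as a pre-flight check before any usermod -G without -a.
groups_lost() {   # $1 = current list, $2 = new list
    lost=
    for g in $(printf '%s\n' "$1" | tr ',' ' '); do
        case ",$2," in *",$g,"*) ;; *) lost="${lost:+$lost,}$g" ;; esac
    done
    printf '%s\n' "$lost"
}

# Stand-alone demo for alice.
current=$(supp_groups "$SAMPLE_GROUP" alice)
echo "alice now:                   $current"
echo "after usermod -aG admins:    $(after_append "$current" admins)"
echo "usermod -G admins would drop: $(groups_lost "$current" admins)"
```

An empty result from groups_lost means the -G list is a superset of the current memberships and the command is safe; anything else is exactly the damage the "Common Mistakes" section warns about.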

Deleting Users: userdel

userdel removes a user account from the system. By default the home directory and mail spool are preserved.

# Delete a user — keeps home directory at /home/alice
$ sudo userdel alice

# Delete a user AND their home directory and mail spool
$ sudo userdel -r alice
Removing user 'alice'.

# Verify the user is gone
$ id alice
id: 'alice': no such user

$ grep alice /etc/passwd
# No output — user removed

# Find files owned by a deleted UID (orphaned files)
$ sudo find / -nouser -ls 2>/dev/null

# userdel fails if user is currently logged in
$ sudo userdel alice
userdel: user alice is currently used by process 12345
# Kill the session first: sudo pkill -u alice

Verifying User Accounts

# Show UID, GID, and group memberships for a user
$ id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice),10(wheel),1600(developers)

# Show the /etc/passwd entry for a user
$ grep ^alice: /etc/passwd
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash

# Show shadow entry (password status)
$ sudo grep ^alice: /etc/shadow
alice:$6$...:19500:0:99999:7:::

# Use getent to query the user database (works with LDAP too)
$ getent passwd alice
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash

# List all users on the system
$ getent passwd | cut -d: -f1

# Check home directory existence
$ ls -la /home/alice

# Show which groups a user belongs to
$ groups alice
alice : alice wheel developers

Password Aging: chage

chage (change age) manages password expiry and aging policies for individual accounts.

# Show current password aging information
$ sudo chage -l alice
Last password change                    : May 25, 2026
Password expires                        : never
Password inactive                       : never
Account expires                         : never
Minimum number of days between changes  : 0
Maximum number of days between changes  : 99999
Number of days of warning before expiry : 7

# Set maximum password age to 90 days
$ sudo chage -M 90 alice

# Set minimum days between changes to 7
$ sudo chage -m 7 alice

# Set account expiry date
$ sudo chage -E 2026-12-31 alice

# Expire password immediately (force change on next login)
$ sudo chage -d 0 alice

# Interactive mode — prompts for all values
$ sudo chage alice

/etc/skel: Default User Files

When useradd creates a home directory, it copies the contents of /etc/skel/ into the new home directory.

# View the skeleton directory contents
$ ls -la /etc/skel/
total 24
drwxr-xr-x.  2 root root   62 Sep 10 2023 .
drwxr-xr-x. 78 root root 8192 May 25 10:00 ..
-rw-r--r--.  1 root root   18 Mar 14 2023 .bash_logout
-rw-r--r--.  1 root root  141 Mar 14 2023 .bash_profile
-rw-r--r--.  1 root root  492 Mar 14 2023 .bashrc

# Add a custom file to be included in all new home directories
$ sudo cp /tmp/company_welcome.txt /etc/skel/
# All users created after this point will have company_welcome.txt

# /etc/login.defs — system-wide defaults for new accounts
$ grep -E "UID_MIN|UID_MAX|GID_MIN|GID_MAX|CREATE_HOME" /etc/login.defs
UID_MIN      1000
UID_MAX     60000
GID_MIN      1000
GID_MAX     60000
CREATE_HOME   yes

/etc/login.defs controls default account parameters

UID_MIN and UID_MAX define the range of UIDs assigned automatically by useradd. CREATE_HOME yes means homes are created by default. These values apply when no explicit flags override them.
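To make the automatic assignment concrete, here is an added example (not course material) that reads UID_MIN and UID_MAX from login.defs-format text and models the UID useradd would hand out next. The policy modelled, highest in-range UID plus one with a fallback to the lowest free UID when the top of the range is taken, is my reading of the shadow-utils allocator and is an assumption; the real useradd on the host is authoritative. Both input fragments are constructed.

```shell
# Added example (not course material): read UID_MIN/UID_MAX from login.defs-format
# text and model the UID that useradd would assign next. The policy below (highest
# in-range UID plus one, falling back to the lowest free UID) is an assumption about
# shadow-utils' allocator; the real useradd is authoritative.

# Constructed fragments; not copied from a real system.
SAMPLE_LOGIN_DEFS='# comments and blank lines are ignored, as in the real file
UID_MIN      1000
UID_MAX     60000
CREATE_HOME   yes'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:1002:Bob Jones:/home/bob:/bin/bash
carol:x:1500:1500:Carol Lee:/home/carol:/bin/bash'

# Value of one key in login.defs-format text (first match wins).
login_def() {   # $1 = text, $2 = key
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Next UID in [lo, hi] given passwd-format text; prints "no free UID" and
# returns 1 when the range is exhausted.
next_uid() {   # $1 = passwd text, $2 = UID_MIN, $3 = UID_MAX
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        $3 >= lo && $3 <= hi { used[$3] = 1; if (!seen || $3 > max) { max = $3; seen = 1 } }
        END {
            if (!seen) { print lo; exit }
            if (max + 1 <= hi) { print max + 1; exit }
            for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit }
            print "no free UID"; exit 1
        }'
}

# Stand-alone demo.
lo=$(login_def "$SAMPLE_LOGIN_DEFS" UID_MIN)
hi=$(login_def "$SAMPLE_LOGIN_DEFS" UID_MAX)
echo "useradd would assign UID $(next_uid "$SAMPLE_PASSWD" "$lo" "$hi") (range $lo-$hi)"
```

Note that UIDs outside the range (root at 0, apache at 48) are ignored entirely, which is why the sample yields 1501 rather than 49: system UIDs never influence regular-user allocation.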

Service Accounts: System Users

Applications and services run as dedicated system accounts — low-privilege users that own the service's files but cannot log in interactively.

# Create a system account for a service
$ sudo useradd -r -s /sbin/nologin -c "App Service Account" appservice
# -r = system account (UID < 1000, no home by default)
# -s /sbin/nologin = prevents interactive login

# Verify the system account
$ id appservice
uid=987(appservice) gid=987(appservice) groups=987(appservice)

# View system accounts in /etc/passwd
$ grep nologin /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

# /sbin/nologin displays a message and prevents login
# /bin/false exits immediately (no message)
# Both prevent interactive access
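As an added audit example (not course material), the function below lists system accounts in the UID 1–999 range whose login shell still permits interactive login, which is the configuration the -s /sbin/nologin convention above is meant to prevent. The passwd lines are constructed and include one deliberately misconfigured service account; on a real host, feed the function the output of getent passwd.

```shell
# Added example (not course material): find system accounts (UID 1-999) whose
# login shell still allows interactive login.

# Constructed passwd lines; backup_svc is a deliberately misconfigured service account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
backup_svc:x:990:990:Backup Service:/var/lib/backup:/bin/bash
appservice:x:987:987:App Service Account:/:/sbin/nologin
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash'

# Returns 0 when the shell permits interactive login. An empty shell field is
# interactive too: login falls back to /bin/sh when the field is blank.
interactive_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Usernames of system accounts with an interactive shell, one per line.
system_accounts_with_shell() {   # $1 = passwd text
    printf '%s\n' "$1" | while IFS=: read -r user pw uid gid gecos home shell; do
        if [ "$uid" -ge 1 ] && [ "$uid" -le 999 ] && interactive_shell "$shell"; then
            printf '%s\n' "$user"
        fi
    done
}

# Stand-alone demo; on a real host: system_accounts_with_shell "$(getent passwd)"
system_accounts_with_shell "$SAMPLE_PASSWD"
```

Any name this prints is worth a look: either the account genuinely needs a shell (rare) or it should be fixed with usermod -s /sbin/nologin NAME.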

/etc/passwd and /etc/shadow Fields

Field #  /etc/passwd field                  Example
1        Username                           alice
2        Password placeholder (x)           x
3        UID                                1001
4        Primary GID                        1001
5        GECOS comment (full name, etc.)    Alice Smith
6        Home directory                     /home/alice
7        Login shell                        /bin/bash

Field #  /etc/shadow field                               Example
1        Username                                        alice
2        Hashed password (! or !! = locked)              $6$salt$hash
3        Days since epoch of last change                 19500
4        Minimum days between changes                    0
5        Maximum password age (days)                     99999
6        Warning days before expiry                      7
7        Days after expiry before account disabled       -1
8        Account expiry date (days since epoch)          (empty)
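The added example below (not course material) reads the /etc/shadow fields from the table above and reports the same states that passwd -S and chage -l summarise in the earlier sections: PS/LK/NP from field 2, days until a forced password change from fields 3 and 5, and account expiry from field 8. The shadow lines are constructed and the hashes are placeholders; "today" is passed in as days since the epoch so the results are reproducible.

```shell
# Added example (not course material): read /etc/shadow fields and report the
# password state the way passwd -S and chage -l summarise it.

# Constructed shadow lines; the hashes are placeholders, not real hashes.
SHADOW_ALICE='alice:$6$salt$hashedpassword:19500:0:99999:7:::'
SHADOW_BOB='bob:!$6$salt$hashedpassword:19500:0:90:7:::'
SHADOW_CAROL='carol:!!:19500:0:99999:7:::'
SHADOW_DAVE='dave::19500:0:99999:7:::'
SHADOW_EVE='eve:$6$salt$hashedpassword:0:0:90:7:::'
SHADOW_FRANK='frank:$6$salt$hashedpassword:19500:0:99999:7::19600:'

# Field N (1-based) of one colon-separated shadow line.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# PS (usable password), LK (locked: hash starts with !, as after passwd -l or a
# fresh useradd's !!), NP (empty field, no password at all).
shadow_status() {   # $1 = shadow line
    case "$(field "$1" 2)" in
        "")   echo NP ;;
        "!"*) echo LK ;;
        *)    echo PS ;;
    esac
}

# Days until the password must be changed. Field 3 = 0 (chage -d 0 / passwd -e)
# forces a change at next login; the 99999 default, or an empty field, means never.
password_days_left() {   # $1 = shadow line, $2 = today as days since the epoch
    last=$(field "$1" 3); max=$(field "$1" 5)
    if [ "$last" = 0 ]; then echo "change at next login"; return; fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return; fi
    echo $((last + max - $2))
}

# Account expiry from field 8 (what chage -E sets): never, active or expired.
account_expiry() {   # $1 = shadow line, $2 = today as days since the epoch
    expire=$(field "$1" 8)
    if [ -z "$expire" ]; then echo never
    elif [ "$2" -ge "$expire" ]; then echo expired
    else echo active
    fi
}

# Stand-alone demo against today's date.
today=$(( $(date +%s) / 86400 ))
for line in "$SHADOW_ALICE" "$SHADOW_BOB" "$SHADOW_CAROL" "$SHADOW_DAVE" "$SHADOW_EVE" "$SHADOW_FRANK"; do
    echo "$(field "$line" 1): $(shadow_status "$line"), password $(password_days_left "$line" "$today"), account $(account_expiry "$line" "$today")"
done
```

Entries whose hash is "*" (common for packaged system accounts) are not distinguished from a usable hash here; extend the case statement if that matters for your audit.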

User Management Quick Reference

Task                                  Command
Create a user with defaults           sudo useradd USERNAME
Create with UID, comment, shell       sudo useradd -u UID -c "Full Name" -s /bin/bash USERNAME
Create and add to groups              sudo useradd -G group1,group2 USERNAME
Set user password                     sudo passwd USERNAME
Lock a user account                   sudo passwd -l USERNAME or sudo usermod -L USERNAME
Unlock a user account                 sudo passwd -u USERNAME or sudo usermod -U USERNAME
Force password change on next login   sudo passwd -e USERNAME or sudo chage -d 0 USERNAME
Add user to supplementary group       sudo usermod -aG GROUPNAME USERNAME
Change user's shell                   sudo usermod -s /bin/zsh USERNAME
Change user's comment                 sudo usermod -c "New Name" USERNAME
View user details                     id USERNAME
View password aging                   sudo chage -l USERNAME
Delete user (keep home)               sudo userdel USERNAME
Delete user and home directory        sudo userdel -r USERNAME

Common Mistakes

Each entry lists the mistake, what goes wrong, and the correct approach.

  • Using usermod -G without -a
    What goes wrong: All existing supplementary groups are removed; the user loses wheel and other memberships
    Correct approach: Always use usermod -aG GROUPNAME USERNAME to add without removing others
  • Forgetting to set a password after useradd
    What goes wrong: The account is created but locked — the user cannot log in
    Correct approach: Always run sudo passwd USERNAME immediately after creating an account
  • Deleting a user without -r when the home directory should be removed
    What goes wrong: An orphaned home directory remains on disk owned by the deleted UID
    Correct approach: Use userdel -r USERNAME when the account and its files should be fully removed
  • Confusing -g (primary group) with -G (supplementary groups)
    What goes wrong: The user's primary group is changed instead of adding a supplementary group
    Correct approach: Use -g GROUPNAME for the primary group; -aG GROUPNAME for supplementary groups
  • Specifying a non-existent group with -G
    What goes wrong: useradd or usermod fails: "group does not exist"
    Correct approach: Create the group first with groupadd GROUPNAME before using it in useradd/usermod
  • Trying to delete a user who is currently logged in
    What goes wrong: userdel fails: "user is currently used by process"
    Correct approach: Run sudo pkill -u USERNAME to kill the user's processes, then retry userdel

Complete User Creation Workflow

The exam scenario: create user alice with UID 1500, full name "Alice Smith", bash shell, and membership in the developers group.

# Step 1: Check if the target group exists
$ getent group developers
developers:x:1600:bob   # group exists

# Step 2: Create the user with all required properties
$ sudo useradd -u 1500 -c "Alice Smith" \
    -s /bin/bash -G developers alice

# Step 3: Set the password
$ sudo passwd alice
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# Step 4: Verify everything
$ id alice
uid=1500(alice) gid=1500(alice) groups=1500(alice),1600(developers)

$ grep ^alice: /etc/passwd
alice:x:1500:1500:Alice Smith:/home/alice:/bin/bash

$ ls /home/alice   # home directory was created

Knowledge Check

Answer these before moving to the next slide.

  1. Write the useradd command to create user bob with UID 2000, comment "Bob Jones", home directory /home/bob, and shell /bin/bash.
  2. After creating bob's account, what command must be run before bob can log in? What is the effect of not running it?
  3. Write the command to add bob to the wheel group without removing him from any other groups he currently belongs to.
  4. What is the difference between usermod -G wheel bob and usermod -aG wheel bob?
  5. Write the command to lock bob's account so he cannot log in, and the command to unlock it again. What indicator in /etc/shadow shows the account is locked?
  6. Write the command to delete user bob AND remove his home directory and mail spool completely.

Knowledge Check — Answers

  1. sudo useradd -u 2000 -c "Bob Jones" -d /home/bob -s /bin/bash bob
    The -d /home/bob flag is technically optional since it matches the default, but specifying it explicitly demonstrates understanding.
  2. sudo passwd bob — this sets bob's password and enables login. Without setting a password, the account is created with a locked password (!! in /etc/shadow) and bob cannot log in with a password.
  3. sudo usermod -aG wheel bob — the -a (append) flag ensures bob's existing supplementary groups are preserved while wheel is added.
  4. usermod -G wheel bob replaces bob's entire supplementary group list with just wheel — he is removed from any other groups he was in. usermod -aG wheel bob appends wheel to his existing groups — all current memberships are preserved.
  5. Lock: sudo passwd -l bob or sudo usermod -L bob.
    Unlock: sudo passwd -u bob or sudo usermod -U bob.
    A locked account has a ! prepended to the password hash in /etc/shadow — e.g. bob:!$6$hash...
  6. sudo userdel -r bob — the -r flag removes the home directory (/home/bob) and the mail spool (/var/spool/mail/bob) along with the account entries in /etc/passwd, /etc/shadow, and /etc/group.

Key Takeaways

  1. Create with useradd then immediately set password with passwd. Key flags: -u (UID), -c (comment), -s (shell), -G (supplementary groups), -d (home dir). A new account without a password is locked — the user cannot log in.
  2. Use usermod -aG GROUP USER to add to a group. The -a (append) flag is mandatory — without it, -G replaces all supplementary groups instead of adding one. Verify with id USERNAME.
  3. Lock with passwd -l or usermod -L; unlock with -u or -U. Locking prepends ! to the password hash in /etc/shadow. Use chage for password aging policy (max age, expiry date, force change).
  4. Delete with userdel -r to remove home directory too. Without -r, the home directory remains as orphaned files. Find orphaned files with find / -nouser. userdel fails if the user is currently logged in — kill their session first.

Graded Lab

  • Create user labuser1 with UID 2001, full name "Lab User One", home directory /home/labuser1, and shell /bin/bash. Set a password immediately. Verify with id labuser1 and grep labuser1 /etc/passwd.
  • Create user labuser2 with UID 2002, adding them to the wheel group at creation time with -G wheel. Set a password. Confirm with id labuser2 that the wheel group appears in the output.
  • Add labuser1 to the wheel group using usermod -aG wheel labuser1. Verify. Then attempt usermod -G developers labuser1 (if the developers group exists) and observe what happens to the wheel membership, to see the effect of omitting -a.
  • Lock labuser2 with passwd -l labuser2. Confirm the lock appears in /etc/shadow (the ! character). Unlock it and confirm the ! is removed. Use chage -l labuser2 to view aging info.
  • Delete labuser1 without the -r flag. Confirm the user is gone from /etc/passwd but the home directory remains. Find the orphaned directory with find /home -nouser. Remove it manually with rm -rf.
  • Delete labuser2 with userdel -r. Confirm both the account and home directory are completely removed. Run find /home -nouser to confirm no orphans remain.

RHCSA Objective

"Create, delete, and modify local user accounts." Know useradd -u -c -s -G, always follow with passwd, use usermod -aG (not -G), and verify with id.