Table of Contents
Understanding the Scope of User Creation and Removal
This chapter focuses on how to create and remove user accounts on a Linux system using common administrative tools. Concepts like what a “user” is, how /etc/passwd works, and basic UID/GID meanings are assumed to be known from the parent chapter; here we focus on day‑to‑day commands and practical workflows.
We’ll cover:
- Interactive vs non-interactive user creation
- Important options for
useraddandadduser - Creating home directories and default files
- Setting and locking passwords
- Safely removing users with
userdel - Handling their home directories, mail, and processes
- Basic batch and scripted approaches
All commands dealing with system accounts normally require root privileges or sudo.
Tools for Managing Users
Most Linux systems provide two main command-line tools:
useradd/userdel: Low-level utilities, consistent across most distributions.adduser/deluser: Higher-level, more user-friendly front-ends (commonly on Debian/Ubuntu and derivatives).
Red Hat–based systems typically use useradd / userdel only. On Debian/Ubuntu, adduser is preferred for interactive usage, though useradd is also available.
When reading documentation, always check man useradd and man userdel for your exact system.
Creating Users with `useradd`
useradd is a non-interactive tool: you specify most details via options. If you run it with defaults, your system configuration files (e.g. /etc/login.defs, /etc/default/useradd) decide defaults like UID ranges, home directory base, and shell.
Basic pattern:
sudo useradd [options] usernameA Simple New User
To create a user with default settings (which may or may not create a home directory, depending on distro):
sudo useradd aliceOn many systems, this:
- Assigns the next free UID from the configured range
- Creates a private group
alice(on systems using “user private groups”) - Sets the login shell to a default (often
/bin/bashor/bin/sh) - May or may not create
/home/alicedepending on distribution defaults
To ensure a home directory is created:
sudo useradd -m alice
The -m (--create-home) option:
- Creates the directory
/home/alice(unless overridden by-d) - Populates it with default skeleton files from
/etc/skel(if configured)
Important `useradd` Options You Actually Use
Home Directory: `-m` and `-d`
-m: Create the home directory if it doesn’t exist.-d /path/to/home: Set a custom home directory path.
Example: create a user with a custom home:
sudo useradd -m -d /srv/webadmin webadminDefault Shell: `-s`
Set the login shell directly:
sudo useradd -m -s /bin/bash alice
sudo useradd -m -s /usr/sbin/nologin backupuserCommon patterns:
/bin/bash: interactive shell./bin/sh: minimal shell./usr/sbin/nologinor/sbin/nologin: disallow interactive login (common for service accounts).
Primary Group: `-g` and Additional Groups: `-G`
-g group: Set the primary group.-G group1,group2,...: Set supplementary groups.
You can create a user in a pre-existing group:
sudo useradd -m -g developers -G docker,git alice
If the primary group does not exist, useradd will fail unless your system is configured to auto-create user private groups (as a separate step).
User ID (UID): `-u`
Typically you don’t specify the UID manually unless you’re:
- Matching UIDs across multiple servers
- Creating special system or shared accounts
To specify a UID:
sudo useradd -m -u 1500 alice
The UID must be unique unless you use -o to allow duplicates (generally a bad idea for regular users).
Comment / Full Name: `-c`
The “comment” field (also called GECOS) often stores a user’s full name:
sudo useradd -m -c "Alice Example" alice
This information appears in /etc/passwd and tools like finger.
System Accounts: `-r`
System accounts are typically:
- Used by services/daemons
- Often have no valid login shell
- Often have no home directory (or a service-specific one)
Example:
sudo useradd -r -s /usr/sbin/nologin -M backupCommon flags for system users:
-r: system account-M: do not create a home directory-s /usr/sbin/nologin: disable interactive shell
Expiration Dates: `-e` and Inactive Period: `-f`
You can create accounts that expire automatically:
-e YYYY-MM-DD: set account expiration date.-f days: number of days after password expiration until the account is disabled (-1= never).
Example: temporary intern account:
sudo useradd -m -c "Intern - Bob" -e 2025-02-01 internbobExamples of Common User Creation Scenarios
Standard Human User
sudo useradd -m -s /bin/bash -c "Alice Example" alice
sudo passwd aliceUser with Specific Groups
sudo useradd -m -s /bin/bash -c "Dev Alice" \
-g developers -G docker,git alice
sudo passwd aliceService Account (No Login)
sudo useradd -r -s /usr/sbin/nologin -M webappThis account exists only for ownership and separation of privileges.
Creating Users with `adduser` (Debian/Ubuntu)
On Debian and derivatives, adduser is the recommended interactive tool. It is a Perl script that wraps useradd (or similar) and guides you through the process.
Basic call:
sudo adduser aliceIt will:
- Ask for a password and confirm it
- Ask for details (Full Name, Room Number, Work Phone, etc.)
- Create a home directory with files copied from
/etc/skel - Set shell, groups, and defaults based on configuration in
/etc/adduser.conf
For most interactive usage on Debian/Ubuntu systems, adduser is simpler and safer than memorizing many useradd options.
You can still pass extra options:
sudo adduser --shell /bin/bash --ingroup developers aliceSetting and Managing User Passwords
Creating the account does not always configure a usable password; some distributions leave accounts in a locked state until you set one.
Setting a Password for a New User
Use passwd:
sudo passwd aliceYou’ll be prompted to enter the new password twice.
Creating a User Without a Password
You may want a user that authenticates some other way (e.g. SSH keys, service account). Two common patterns:
- Create the user and do not run
passwdat all (may be locked by default). - Explicitly lock or disable password login:
sudo useradd -m -s /bin/bash alice
sudo passwd -l alice # lock passwordA locked password means you cannot log in with a password, but other mechanisms (like SSH key auth) can still work if configured.
Removing Users with `userdel`
userdel removes user accounts at a low level.
Basic usage:
sudo userdel usernameBy default, this:
- Removes the entry from
/etc/passwdand/etc/shadow - Does not remove the home directory
- Does not remove the user’s mail spool
- Does not remove their files elsewhere on the filesystem
Removing a User and Their Home Directory: `-r`
To also remove the user’s home directory and mail spool:
sudo userdel -r aliceThis will:
- Delete
/home/alice(or the custom home path recorded for the user) - Delete
/var/mail/aliceor equivalent (if present)
Use this carefully: data in the user’s home will be permanently removed.
Handling Running Processes
userdel fails if the user has running processes. Before deletion:
- Check if the user is logged in or running services:
ps -u alice- Stop or kill their processes if appropriate:
sudo pkill -u alice
After ensuring no processes remain, re-run userdel.
Files Owned by the User Outside Their Home
userdel -r only removes the user’s home and mail spool, not other files they might own in places like /srv, /var, or shared directories.
To find and optionally reassign or remove such files:
- Identify the user’s UID before deletion (e.g.
id alice). - After deletion, search for files with that UID:
sudo find / -uid 1501 -ls- Decide whether to:
- Reassign ownership to another user:
sudo chown -R newowner:newgroup /path/to/files- Or archive/remove them as part of your offboarding process.
Removing Users with `deluser` (Debian/Ubuntu)
On Debian/Ubuntu, deluser is a higher-level tool with helpful options.
Basic removal:
sudo deluser aliceTo remove the user and their home directory:
sudo deluser --remove-home aliceTo also remove their owned files in other locations according to configuration:
sudo deluser --remove-all-files alice
deluser behavior is configurable via /etc/deluser.conf, allowing you to define policies like:
- Whether to back up home directories before removal
- Where to store backups
- How to handle files outside the home directory
Locking and Disabling Accounts vs Removing Them
Sometimes you don’t want to delete the account (which affects file ownership and logs) but simply prevent login.
Locking an Account
Locking the password:
sudo passwd -l aliceUnlocking:
sudo passwd -u aliceYou can also expire the account:
sudo usermod -e 2025-01-01 aliceFrom that date on, the user cannot log in (depending on your authentication configuration).
When to Lock vs Delete
Typical patterns:
- Temporary leave or suspension: lock account, maybe set an expiry.
- Former employee but need audit trail: lock account, keep UID and files.
- User left, no need for their data: archive important data, then
userdel -r.
Your organization’s policies should define the correct approach.
Batch and Scripted User Creation
On larger systems, you rarely add users one-by-one manually; instead you:
- Use configuration management (e.g. Ansible, Puppet, etc.).
- Or run shell scripts that call
useradd.
Creating Multiple Users from a File
Example: You have a file new_users.txt:
alice:Alice Example:/bin/bash
bob:Bob Person:/bin/bashSimple shell script:
#!/bin/sh
while IFS=: read -r username fullname shell; do
sudo useradd -m -c "$fullname" -s "$shell" "$username"
# Optionally set an initial password or lock account
# echo "$username:TempPass123" | sudo chpasswd
done < new_users.txtThis is a minimal example; in practice, you’d add error checking, logging, and integration with your organization’s policies.
Safe Practices for Creating and Removing Users
- Always verify user details before creation: typo’d usernames or wrong home paths are hard to clean up.
- Check existing users: ensure the username and UID are not already in use.
- Be cautious with
userdel -r: double-check that the home directory does not contain unarchived data. - Stop user processes before deletion: avoid partial deletions or errors.
- Document changes: especially in production systems—note when and why users were created/removed.
- Follow organizational policy: especially around data retention, backups, and offboarding.
These practices help keep your system manageable, consistent, and compliant with any audit or security requirements.