
Understanding User Account Management in Linux

Linux system administrators face a lot of challenges, and one of the ongoing ones is dealing with user accounts. Onboarding, offboarding, managing passwords, disabling accounts, enabling accounts, preserving home directory contents, and fixing permissions are tasks that must be done but are also tedious to perform. This article provides you with a quick solution to managing user accounts on local systems. Sure, there’s Active Directory, LDAP, and NIS+, but what if you’re like many of us who don’t use those? You have to rely on native methods to handle the job.

Believe it or not, you only need a few commands to handle the bulk of your user management tasks. For example, you use the passwd command to set and change passwords, but it’s also used to check the status of a user account, expire a password, set password minimum and maximum lifetimes, disable a user account, and enable a user account.

Creating user accounts

The useradd command is your command-line friend for creating user accounts. A quick man useradd gives you all of the options you could ever want. I typically only use one option, which is -c (comment), to enter the user's full name. You can optionally set the password and other parameters as well, but I don't because every account is different. I create the account, set the password, set any other options, and then contact the user to inform them that their account is ready. One thing to check: whether useradd creates the home directory by default depends on the CREATE_HOME setting in /etc/login.defs (it does on Red Hat systems, not on every distribution), so pass -m if you want the directory created explicitly.

The syntax is simple:

useradd -c "User's Full Name" account_name
passwd account_name

That’s all there is to creating a new user account and assigning a password to it. Check out some passwd command magic in the next section.
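Putting the create-and-set-password steps together, here is an added example script, not from the original article, that onboards a local account in one go: it validates the login name, runs useradd with -c and -m, sets a random one-time password with chpasswd, expires that password so the user must pick their own at first login, and applies an aging policy. The run helper, the DRY_RUN switch, the name pattern and the 1/90/7/14 aging values are this example's own choices.

```shell
#!/bin/sh
# Added example: onboard a local account in one step. Run as root.
# Set DRY_RUN=1 to print the privileged commands instead of executing them.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Accept only portable login names: a lowercase letter or underscore, then
# lowercase letters, digits, underscore or hyphen, 32 characters at most.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

onboard_user() {
    name=$1
    fullname=$2
    if ! valid_username "$name"; then
        printf 'invalid user name: %s\n' "$name" >&2
        return 1
    fi
    # -c stores the full name in the GECOS field; -m creates the home directory
    # explicitly instead of relying on CREATE_HOME in /etc/login.defs.
    run useradd -c "$fullname" -m "$name" || return 1

    # Random one-time password, to be handed over out of band (never by plain e-mail).
    temp_pw=$(head -c 18 /dev/urandom | base64 | tr -d '/+=')
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '(chpasswd) %s:<one-time password>\n' "$name"
    else
        printf '%s:%s\n' "$name" "$temp_pw" | chpasswd || return 1
        printf 'one-time password for %s: %s\n' "$name" "$temp_pw"
    fi

    # Expire the one-time password so the first login forces a change, then set
    # min/max/warn/inactive days (1/90/7/14 here; adjust to local policy).
    run passwd -e "$name" || return 1
    run passwd -n 1 -x 90 -w 7 -i 14 "$name" || return 1
}

# Command line: ./onboard.sh msmith "Mary Smith"
if [ -n "${1:-}" ]; then
    onboard_user "$1" "${2:-}"
fi
```

Try it first with DRY_RUN=1 to see the exact command sequence; the real run prints the one-time password once, and the forced change at first login means that value is worthless the moment the user has logged in.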

Discovering the versatile passwd command

As stated previously, the passwd command does more than simply change passwords. It is one of the more versatile Linux commands available. Here are a handful of useful examples of what passwd can do for user management.

To check the status of a user account, use this format:

passwd -S account_name

The output is a single line: the account name, a status code, the date of the last password change, and then the minimum age, maximum age, warning period and inactivity period in days, followed in current versions by a message such as "Password set, SHA512 crypt." PS means that the password is set, but you can also see that from the message. Older versions of passwd didn't use the same symbols; for example, the letter P was used by itself for password set. The date shown is the last time the password was changed, or when it was first set.

Expiring a password (with passwd -e, covered below) rewrites the last-changed field in /etc/shadow to 0, which passwd -S displays as a date at the very start of the Unix epoch: 1969-12-31 in the time zone where this was written, since the epoch begins on 1970-01-01 UTC. A last-changed value of 0 is the signal that the password must be changed at the next login, whatever the aging policy says.

Creating a new user account without setting a password results in the following password status:

passwd -S account_name

The LK designation means that the account is locked, and current versions say so in the trailing message. Before this version of the passwd command, that message didn't exist, and if you use man passwd you'll still see the old designations: L, NP, and P.

To expire a password:

passwd -e account_name


Once a password has expired, either by policy or by manually expiring it, passwd has no option to unexpire it. The system will prompt the user to change the password at their next login and will not let them proceed until they do.

You also can't unlock an account that has no password: passwd -u refuses, because the result would be an account anyone could log into without a password. A freshly created account whose password was never set is in exactly that state, so setting a password is what unlocks it.

You can lock a user's account by using the passwd command's -l option:

passwd -l account_name

Locking prefixes the hash in /etc/shadow with an exclamation mark so that the password stops working. It does not block logins that never present a password, such as SSH public-key authentication, so for a real offboarding combine it with an account expiry date or a non-login shell.

To unlock the account, use the passwd command’s -u option:

passwd -u account_name

Use the following flags to set, in days, the minimum password lifetime (-n), the maximum password lifetime (-x), the warning period before expiration (-w), and the number of days after expiration before the account is disabled (-i). The order of the options doesn't matter:

passwd -n 1 -x 90 -w 3 -i 10 account_name

Set -n to at least one day: otherwise a user can change their password several times in a row to cycle straight back to an old favourite, which defeats any password-history control.
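As an added example that is not part of the original article, the following shell function audits the output of passwd -S -a (the status line for every account) against the status codes and aging fields described in this section and the previous one: it flags empty passwords, locked accounts, accounts still on the 99999-day default maximum or with a zero minimum age, and accounts whose last-change date sits at the start of the epoch, i.e. a pending forced change. The sample lines are constructed, and the 90-day threshold and the finding labels are this example's own choices.

```shell
#!/bin/sh
# Added example: audit "passwd -S -a" output against a simple aging policy.
# Field order per line: name status lastchg min max warn inact [message]

# Constructed sample; on a live system feed in `passwd -S -a` (as root) instead.
SAMPLE_STATUS='msmith PS 2020-06-15 1 90 3 10 (Password set, SHA512 crypt.)
jdoe LK 2020-01-02 0 99999 7 -1 (Password locked.)
svc-backup NP 2019-11-03 0 99999 7 -1 (Empty password.)
root PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)'

MAX_DAYS=90   # policy threshold for the maximum password lifetime (assumed)

# Read status lines on stdin, print "name: FINDING..." for each account that
# violates the policy. Optional first argument overrides MAX_DAYS.
audit_passwd_status() {
    awk -v maxdays="${1:-$MAX_DAYS}" '
    {
        name = $1; status = $2; lastchg = $3; min = $4; max = $5
        findings = ""
        if (status == "NP") findings = findings " EMPTY_PASSWORD"
        if (status == "LK") findings = findings " LOCKED"
        # Aging only matters for accounts with a usable password.
        if (status == "PS" && max > maxdays) findings = findings " MAX_AGE_" max
        if (status == "PS" && min < 1)       findings = findings " MIN_AGE_0"
        # A last-change date before the epoch began means lastchg is 0:
        # the password was expired and must be changed at the next login.
        if (lastchg < "1970-01-02") findings = findings " CHANGE_REQUIRED"
        if (findings != "") print name ":" findings
    }'
}

# Demonstration on the constructed sample (live: passwd -S -a | audit_passwd_status)
printf '%s\n' "$SAMPLE_STATUS" | audit_passwd_status
```

On the sample this reports jdoe as LOCKED, svc-backup as EMPTY_PASSWORD and root with MAX_AGE_99999, MIN_AGE_0 and CHANGE_REQUIRED; msmith, with a 1/90/3/10 policy, produces no finding.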

I hope you have a new appreciation for the passwd command. If you’ve only ever used it to change passwords, you’ve missed out on a lot of functionality and power.

Removing user accounts

Removing user accounts is a touchy subject because removal is permanent: once removed, the account is gone. Generally, the policy in enterprises is to disable the account for a period of time, copy the user's home directory to a secure location for archiving, and then, after the wait time, remove the account.

When I remove a user account from a system, all traces are gone. The account is removed from /etc/passwd and the home directory is also removed. To make this sweeping change, I use the userdel command with the -r option in the format:

userdel -r account_name


In typical UNIX and Linux fashion, there's no dialog to tell you that the account is gone; after the userdel command completes, you're dropped back to a prompt. Note that -r removes only the home directory and mail spool. Files the user owned elsewhere (cron jobs, /tmp, project directories) stay behind with an orphaned UID, and a future account that reuses that UID silently inherits them, so search for them with find before you consider the offboarding finished.
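The disable/archive/wait/remove policy described above, as an added two-stage script that is not part of the original article. Stage one locks and expires the password, sets an account expiry date in the past so that logins which never consult the password (SSH public keys) are refused as well, and archives the home directory; stage two, run after the retention period, removes the account with userdel -r and then lists files elsewhere on the filesystem that still carry the orphaned UID. ARCHIVE_DIR, the run helper and the DRY_RUN switch are this example's assumptions; the expiry date relies on PAM-based login as on Red Hat systems.

```shell
#!/bin/sh
# Added example: two-stage offboarding. Run as root.
# Set DRY_RUN=1 to print the privileged commands instead of executing them.
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/archive/users}   # assumed location, adjust to taste

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Stage 1: disable and archive. Everything here is reversible (passwd -u,
# usermod -e ""), so a mistaken offboarding is cheap to undo.
offboard_disable() {
    name=$1
    home=$(getent passwd "$name" | cut -d: -f6)
    if [ -z "$home" ]; then printf 'no such user: %s\n' "$name" >&2; return 1; fi
    run passwd -l "$name" || return 1               # password no longer works...
    run passwd -e "$name" || return 1               # ...and would have to be changed anyway
    run usermod -e 1970-01-02 "$name" || return 1   # account expired: refuses SSH keys too
    run mkdir -p -m 0700 "$ARCHIVE_DIR" || return 1
    run tar -czf "$ARCHIVE_DIR/$name-$(date +%Y%m%d).tar.gz" \
        -C "$(dirname "$home")" "$(basename "$home")" || return 1
}

# Stage 2, after the retention period: remove the account and home directory,
# then hunt for files the user owned elsewhere. They keep the orphaned UID and
# would silently belong to whoever is assigned that UID next.
offboard_remove() {
    name=$1
    uid=$(id -u "$name" 2>/dev/null) || { printf 'no such user: %s\n' "$name" >&2; return 1; }
    if pgrep -u "$name" >/dev/null 2>&1; then
        printf '%s still has running processes; refusing to remove\n' "$name" >&2
        return 1
    fi
    run userdel -r "$name" || return 1
    run find / -xdev -uid "$uid" -print
}

# Usage: offboard_disable jdoe   (on departure)
#        offboard_remove jdoe    (after the retention period)
```

The process check in stage two exists because userdel refuses to remove a user who is still logged in; the find at the end is the step most people forget, and its output is what you hand to the file owners' managers before anything is deleted.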

Wrapping up

User account management is but one of the many joys of being a system administrator. It can consume quite a bit of time in busier enterprises. However, in smaller environments, you might soon forget all of the passwd command options and decide to remove accounts manually.

I advise that you keep this article bookmarked and that you do not attempt to remove accounts manually. Chances are good that you’ll forget something along the way. There’s also a chance that you’ll fat-finger a command or two and remove more than you planned on removing. The passwd file and its corresponding /etc/shadow file are too important to leave editing them to chance, no matter how confident you are with your keyboard efficiency.
