How to Add and Delete Users on Ubuntu
In multi-user environments like Ubuntu Linux, effective user management isn’t just a technical task—it’s a cornerstone of system security and operational efficiency. Whether you’re administering a corporate server, a development workstation, or a personal machine, controlling who has access and what they can do ensures resources are allocated appropriately and sensitive data remains protected.
Consider a scenario where a disgruntled employee retains access to critical systems after leaving an organization. Without proper user management protocols, this oversight could lead to data breaches, service disruptions, or compliance violations.
Conversely, a well-maintained system minimizes attack surfaces, streamlines collaboration, and simplifies auditing. This guide dives deep into Ubuntu’s user management tools, offering step-by-step instructions, advanced customization techniques, and security best practices to help you maintain a secure and organized environment.
And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.
Creating User Accounts
Ubuntu provides multiple tools for user creation, each catering to different administrative needs. Below, we explore both beginner-friendly and advanced methods.
Simplified Setup with adduser
The adduser command is ideal for administrators who prefer an interactive, guided setup. It automates key steps like home directory creation and password assignment, reducing the risk of errors.
sudo adduser john_doe
After executing this command, Ubuntu will prompt you to:
- Set a strong password: Enter it twice to confirm.
- Add optional user details: Full name, phone number, or room number (useful for organizational tracking).
- Verify inputs: Confirm "Y" to finalize the account.
What Happens Behind the Scenes?
- A home directory (/home/john_doe/) is created with default configuration files (e.g., .bashrc, .profile) copied from /etc/skel.
- A primary group named john_doe is generated, and the user is added to it.
- Account metadata is stored in /etc/passwd, while encrypted passwords are saved to /etc/shadow.
When to Use adduser:
- Quick setup for standard users.
- Environments where consistency in home directory structure is critical.
Advanced Configuration with useradd
For precise control, useradd allows administrators to define parameters explicitly. This method is favored in scripting or automated workflows.
sudo useradd -m -d /opt/auditors/john_doe -s /bin/zsh -G auditors,security john_doe
Let’s break down the above command:
- -m: Creates the user’s home directory.
- -d: Specifies a custom home directory path (e.g., /opt/auditors/john_doe).
- -s: Sets the default shell (Zsh in this case; replace with /bin/fish for Fish shell).
- -G: Adds the user to secondary groups (auditors and security).
However, unlike adduser, useradd doesn’t set a password. Use passwd afterward:
sudo passwd john_doe
When to Use useradd:
- Bulk user creation via scripts.
- Non-standard home directory locations (e.g., network-mounted storage).
- Integration with configuration management tools like Ansible.
Verifying and Troubleshooting New Accounts
After creating an account, you can confirm its configuration:
First, you can check the User ID (UID) and group memberships:
id john_doe
Output:
uid=1002(john_doe) gid=1002(john_doe) groups=1002(john_doe),1003(auditors),1004(security)
Next, you can inspect home directory permissions:
ls -ld /home/john_doe
Ensure ownership is assigned correctly:
drwxr-xr-x 2 john_doe john_doe 4096 Jul 10 10:00 /home/john_doe
Common Pitfalls:
- Missing Home Directory: Omitted -m in useradd? Run sudo mkhomedir_helper john_doe to create it retroactively.
- Incorrect Shell: Edit /etc/passwd manually or use usermod -s /bin/bash john_doe.
Tailoring Permissions with Groups
Groups are the backbone of Linux permission management, enabling administrators to control access to files, directories, and applications.
Linux Group Hierarchy
- Primary Group: Assigned at user creation; owns files created by the user.
- Secondary Groups: Grant additional privileges (e.g., sudo for admin rights, docker for container management).
Example: Restricting Access to a Web Directory
sudo groupadd webdev
sudo chown -R :webdev /var/www/html
sudo chmod -R 2775 /var/www/html # Setgid ensures new files inherit group ownership
Add users to the webdev group:
sudo usermod -aG webdev john_doe
Granting Administrative Privileges
Members of the sudo group gain root access via the sudo command.
Let’s add a user to the sudo group:
sudo usermod -aG sudo john_doe
We can test the sudo access using:
sudo -l -U john_doe
The above command lists all the allowed commands for the john_doe user.
For more precise control, you can edit /etc/sudoers with visudo:
sudo visudo
Then add lines like:
john_doe ALL=(ALL) NOPASSWD: /usr/bin/apt update
john_doe ALL=(ALL) /usr/bin/systemctl restart apache2
In the above:
- NOPASSWD allows running specific commands without a password.
- The second rule requires john_doe to use a password to restart Apache with sudo privilege.
Password Policies and Account Security
Weak passwords and stale accounts are prime targets for attackers. Ubuntu offers tools to enforce robust security practices.
Enforcing Strong Passwords
Install password quality library:
sudo apt install libpam-pwquality
Then, edit /etc/security/pwquality.conf to set:
minlen = 12
dcredit = -1 # Require at least one digit
ucredit = -1 # Require at least one uppercase letter
enforce_for_root # Apply policies to root
Next, set password expiration:
sudo chage -M 90 -W 14 john_doe
Here, the password expires every 90 days and warns 14 days before the expiration date.
Locking and Unlocking Accounts
You can temporarily lock user accounts using:
sudo passwd -l john_doe
The above command prevents login but retains files. To unlock the user account, use the command below:
sudo passwd -u john_doe
Additionally, you can set account expiration using the command below:
sudo usermod -e 2024-12-31 john_doe
This can come in quite handy when working with a contractor.
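
To check that the password-age, lock and expiry settings above actually took effect, the following added example (not part of the original guide) audits shadow(5)-format records. The function names and the sample records are constructed for illustration; passwd(1) notes that a `!` lock disables only the password, so other tokens such as SSH keys may still work until the account itself expires.

```bash
#!/usr/bin/env bash
# Added example: read shadow(5) records and report what passwd -l, chage -M and
# usermod -e left behind. Fields: 1=user 2=hash 5=max age 8=expiry (days since 1970-01-01).

# Constructed records with placeholder hashes; on a real host use: sudo cat /etc/shadow
# 20088 is 2024-12-31 expressed in days since the epoch (what usermod -e stores).
sample_shadow() {
cat <<'EOF'
root:$y$j9T$CONSTRUCTED$HASH:19900:0:99999:7:::
john_doe:$y$j9T$CONSTRUCTED$HASH:19900:0:90:14:::
contractor:$y$j9T$CONSTRUCTED$HASH:19900:0:90:14::20088:
old_admin:!$y$j9T$CONSTRUCTED$HASH:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
EOF
}

# audit_shadow TODAY : TODAY is the current date in days since the epoch.
# Reads records on stdin and prints one "user:finding" line per flagged account.
audit_shadow() {
  awk -F: -v today="$1" '
    $2 ~ /^[!*]+$/ { next }     # no password was ever set (system accounts)
    {
      locked  = ($2 ~ /^!/)                        # passwd -l prefixes the hash with "!"
      expired = ($8 != "" && $8 + 0 <= today + 0)  # usermod -e / chage -E
      if (expired)      print $1 ":account-expired"
      else if (locked)  print $1 ":password-locked-only"
      else if ($5 == "" || $5 + 0 >= 99999) print $1 ":no-max-password-age"
    }'
}

# Run against the sample using today's date.
sample_shadow | audit_shadow "$(( $(date +%s) / 86400 ))"
```
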
Monitoring and Auditing
To view login history, use the command:
last john_doe
Furthermore, you can check active sessions using:
who | grep john_doe
Next, you can audit sudo commands using:
sudo grep 'john_doe' /var/log/auth.log
Removing User Accounts Safely
Improper deletion can lead to orphaned files or broken dependencies. Follow the below steps to remove users neatly:
1. Preserving Data with deluser
sudo deluser john_doe
The above command removes the user but retains /home/john_doe. You can archive the home directory to backup storage.
2. Complete Account Removal
To remove an account completely, use the below command:
sudo deluser --remove-home john_doe
However, use caution, as the command irreversibly deletes all user files.
For service accounts (e.g., mysql), use --remove-all-files to delete configuration files:
sudo deluser --remove-all-files mysql
Advanced Cleanup with userdel
On non-Debian systems, use:
sudo userdel -r john_doe
The above command deletes the user and their home directory.
To detect orphaned files, use:
sudo find / -uid 1002
Replace 1002 with the user’s UID.
Best Practices for System Integrity
Here are some best practices to keep in mind when deleting users:
- Regular Audits: Use last example_user to review login history.
- Group Hygiene: Remove obsolete groups with groupdel.
- Backup Strategies: Archive home directories before deletion.
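
For the sudo audit under Monitoring and Auditing, grepping auth.log for a username also matches PAM session and sshd lines. The added example below (not from the original guide) keeps only sudo's own command records and separates allowed runs from refused ones; the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: turn sudo's auth.log records into "user|status|command" rows.

# Constructed sample lines in the classic syslog layout (host, PID and IP are made up).
sample_auth_log() {
cat <<'EOF'
Jul 10 10:05:01 web01 sudo: john_doe : TTY=pts/0 ; PWD=/home/john_doe ; USER=root ; COMMAND=/usr/bin/apt update
Jul 10 10:05:01 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by john_doe(uid=1002)
Jul 10 10:06:40 web01 sudo: john_doe : command not allowed ; TTY=pts/0 ; PWD=/home/john_doe ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jul 10 10:07:12 web01 sudo: john_doe : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/john_doe ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Jul 10 10:09:30 web01 sudo: jane_roe : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jane_roe ; USER=root ; COMMAND=/usr/bin/visudo
Jul 10 10:09:31 web01 sshd[2211]: Accepted publickey for john_doe from 192.0.2.10 port 50514 ssh2
EOF
}

# sudo_events [user] : reads auth.log text on stdin, prints user|status|command.
sudo_events() {
  awk -v want="${1:-}" '
    # The leftmost " sudo: " (optionally with a PID) marks a record written by sudo.
    match($0, / sudo(\[[0-9]+\])?: +/) {
      rest = substr($0, RSTART + RLENGTH)
      u = index(rest, " : "); c = index(rest, " ; COMMAND=")
      if (u == 0 || c == 0) next              # PAM session lines carry no COMMAND=
      user = substr(rest, 1, u - 1)
      if (want != "" && user != want) next
      # The first field after the user is TTY=... on success, or the denial reason.
      first = substr(rest, u + 3); sub(/ ; .*/, "", first)
      status = (first ~ /^(TTY|PWD|USER)=/) ? "ALLOWED" : first
      print user "|" status "|" substr(rest, c + 11)
    }'
}

# sudo_denied [user] : only the attempts sudo refused.
sudo_denied() { sudo_events "$@" | awk -F'[|]' '$2 != "ALLOWED"'; }

# Run against the sample; on a real host: sudo cat /var/log/auth.log | sudo_events john_doe
sample_auth_log | sudo_events john_doe
```
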
Conclusion
Mastering Ubuntu user administration involves strategic use of adduser, usermod, and deluser alongside proactive security measures. By implementing these techniques, you’ll optimize resource allocation, enforce access controls, and maintain a robust system architecture.