How to Manage Users and Groups on Linux

Creating Groups

  1. Change directory to /homecomm/nsek/create_id_grp.
  2. Execute the following command to check whether the group name is already in use.  If the group has already been created on other servers, re-use the same group number.

# grep <group name> *

  1. Check the content of last_grp_num.

Eg.
# cat last_grp_num
1263

Use the next ID after the one in the file to create the new group, e.g. 1264, and update last_grp_num with the new number.

  1. Edit the appropriate mkgroup scripts and add groupadd -g <id> <group> command.

mkgroup_batch.ksh
mkgroup_adm.ksh
mkgroup_read.ksh
mkgroup_instance.ksh
mkgroup_etl.ksh
mkgroup_usr.ksh

e.g. Create a group fadev in server faappdv24

Add groupadd -g 1690 fadev to the file mkgroup_user.ksh

######################
#faappdv24
######################
groupadd -g 1689 faadm
groupadd -g 1690 fadev
groupadd -g 1691 faqa
groupadd -g 1692 fatdm
groupadd -g 1710 faland   # Linux syntax
           
######################
#bicsasdv27
######################
mkgroup -A id=1706 sas   # AIX syntax


  1. Copy and paste the groupadd command and execute on the target server.

Removing Groups

  1. To remove a group, simply use the following command.

# groupdel <group name>
# groupdel fadev

Adding Users to Groups

  1. To change user’s primary group, use the following.  This will replace the user’s primary group with a new one.

# usermod -g <group name> <user name>
# usermod -g operator bgates01

  1. To change secondary group membership for a user, do the following.  This command will replace all secondary groups with the new groups specified.

# usermod -G <group name #1>,<group name #2> <user name>
# usermod -G faadm,fadev bgates01

  1. To add group memberships for a user, do the following.  This command adds the listed secondary groups to the user's existing group assignments.

# usermod -a -G <group name #1>,<group name #2> <user name>
# usermod -a -G faadm,fadev bgates01

Creating Users

  1. Before creating a user account, make sure the user ID is the same as the user's Enterprise ID (the ID used to access HR benefits).  However, it is possible that the user already has a different user ID (based on SYSDEV ID) on other hosts; in this case retain the old user ID.
  2. Change directory to /homecomm/nsek/create_id_grp.

  1. If the user already exists on other servers, re-use the same user ID number; otherwise check the content of last_id_num.

# cat last_id_num

1456   

Use the next id in file to create new user, in this case it will be 1457.
Update the new number in file last_id_num.

  1. Edit the appropriate createid-<server name>.ksh for record.

useradd -u 934 -g fadev -c 'Peter Filipowich' -s /bin/ksh -d /home/pfilipo pfilipo
useradd -u 1868 -g fadev -c 'Eric Tumbagahan' -s /bin/ksh -d /home/etumbag etumbag
useradd -u 2918 -g fadev -c 'Veronica Salinas' -s /bin/ksh -d /home/vsalina vsalina

  1. Copy and paste the useradd command and execute on the target server.

  1. Assign a temporary password to new user

# passwd <username>
# passwd bgates

  1. Force new user to change password the first time they login.

# chage -d 0 <username>
# chage -d 0 bgates
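
Added example, not part of the original procedure: the ID bookkeeping from Creating Groups and Creating Users (re-use a number already recorded for the name, otherwise take the next one from last_grp_num or last_id_num) as a shell script. File ownership is stored as numeric IDs, so a name must map to the same number on every server and a number must never be handed out twice. The function names, the mkgroup_*.ksh and createid-*.ksh globs, and the .lock directory are assumptions.

```shell
#!/bin/sh
# Added example, not the site's own tooling. Assumes the record scripts hold
# lines shaped like the ones on this page and each counter file holds one integer.

# Print the ID already recorded for a name, so it is re-used on every server.
# $1 = group|user, $2 = name, $3 = directory holding the record scripts
recorded_id() {
    case "$1" in
        group) set -- "$1" "$2" "$3"/mkgroup_*.ksh ;;
        user)  set -- "$1" "$2" "$3"/createid-*.ksh ;;
        *) return 2 ;;
    esac
    kind=$1 name=$2; shift 2
    awk -v k="$kind" -v n="$name" '
        k == "group" && $1 == "groupadd" && $2 == "-g" && $4 == n { print $3; exit }
        k == "group" && $1 == "mkgroup" && $3 ~ /^id=/ && $4 == n { sub(/^id=/, "", $3); print $3; exit }
        k == "user"  && $1 == "useradd" && $2 == "-u" && $NF == n { print $3; exit }
    ' "$@" 2>/dev/null || true
}

# Take the next number from a counter file (last_grp_num or last_id_num).
# mkdir is atomic, so two admins cannot be handed the same number.
reserve_next_id() {
    lock="$1.lock"; tries=0
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then echo "lock busy: $lock" >&2; return 1; fi
        sleep 1
    done
    last=$(tr -d '[:space:]' < "$1" || true)
    case "$last" in
        ''|*[!0-9]*) rmdir "$lock"; echo "bad counter in $1" >&2; return 1 ;;
    esac
    next=$((last + 1))
    if printf '%s\n' "$next" > "$1.tmp" && mv "$1.tmp" "$1"; then rc=0; else rc=1; fi
    rmdir "$lock"
    [ "$rc" -eq 0 ] && printf '%s\n' "$next"
}

# Re-use a recorded ID when one exists, otherwise reserve the next one.
id_for() {  # $1 = group|user, $2 = name, $3 = directory
    case "$1" in group) counter=last_grp_num ;; user) counter=last_id_num ;; *) return 2 ;; esac
    id=$(recorded_id "$1" "$2" "$3")
    [ -n "$id" ] || id=$(reserve_next_id "$3/$counter") || return 1
    printf '%s\n' "$id"
}
```

For example, `id_for group fadev /homecomm/nsek/create_id_grp` prints the number to place after groupadd -g, and only advances last_grp_num when the group has no recorded number yet.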

Functional IDs

  1. If the requested user ID is a functional ID, make sure that you include an owner in the description field, for example:

useradd -u 911 -g db2sys -c 'Functional ID Used by MS owned by Mark Liu' -s /bin/ksh -d /home/mssvc mssvc

  1. Once the user account is created, please issue the following command to disable remote login and set account to non-expiry.

# chage -M -1 <user id>
# usermod -s /bin/false <user id>

 

Removing Users

  1. To remove a user account and leave the home directory intact, use the following command.

# userdel <username>
# userdel bgates01

  1. To remove a user account and the home directory, use the following command.

# userdel -r <username>
# userdel -r bgates01



Disabling/Locking Users

  1. To lock a user’s account, use the following command.

# usermod -L <username>

  1. To unlock a user’s account, use the following command.

# usermod -U <username>

Check User Account Status

  1. There are two ways to check whether a user account is locked out.  These two methods are independent of each other, which means that to check a user account's status you have to use both commands.

# passwd -S <username>

# passwd -S bgates01
Bgates01 LK 2010-03-17 0 35 14 0 (Password locked.)

# faillog -u <username>

Login       Failures Maximum Latest                                       On
Bgates01          6        5                03/23/10 15:26:30 -0400  ocdt7021058

In the above case, either condition will lock out the account: the password is locked, or the failure counter is greater than 5.
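
Added example, not from the original page: a script that evaluates both outputs together, since either one alone can miss a lockout. It applies the rule stated above (Failures greater than Maximum) and treats a Maximum of 0 as no limit; the function names are assumptions, and the sample input is copied from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original page. It parses text shaped like the
# `passwd -S` and `faillog -u` output shown above.

# $1 = one line of `passwd -S` output. Field 2 is the password state;
# LK (or L on some distributions) means the password is locked.
password_locked() {
    printf '%s\n' "$1" | awk '{ exit !($2 == "LK" || $2 == "L") }'
}

# $1 = `faillog -u` output (header plus one data line). Uses the page's rule:
# locked when Failures is greater than Maximum; a Maximum of 0 means no limit.
failures_exceeded() {
    printf '%s\n' "$1" | awk '
        $1 == "Login" { next }                  # skip the header row
        NF >= 3 { hit = ($3 > 0 && $2 > $3) }   # $2 = Failures, $3 = Maximum
        END { exit !hit }'
}

# Report every lock reason found; both checks always run.
account_status() {  # $1 = passwd -S line, $2 = faillog -u output
    reasons=""
    if password_locked "$1"; then reasons="password-locked"; fi
    if failures_exceeded "$2"; then reasons="${reasons:+$reasons,}failure-limit"; fi
    printf '%s\n' "${reasons:-not-locked}"
}

# Sample input, copied from the output shown on this page.
PW_SAMPLE='Bgates01 LK 2010-03-17 0 35 14 0 (Password locked.)'
FL_SAMPLE='Login       Failures Maximum Latest                                       On
Bgates01          6        5                03/23/10 15:26:30 -0400  ocdt7021058'

account_status "$PW_SAMPLE" "$FL_SAMPLE"

# On a live system (as root):
#   account_status "$(passwd -S bgates01)" "$(faillog -u bgates01)"
```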

Resetting User Password

  1. To reset a user's password and force the user to change it at next login, do the following.  By default Linux will not force the user to update their password, hence the chage command is required.

# passwd <username>
# chage -d 0 <username>   # this will force user to update password.
# faillog -r -u <username>   # be advised that this command will cause the system to hang, due to a bug in Red Hat; simply use Ctrl-C to terminate this command.



Reset User Fail Login Counter


  1. To reset user fail login counter, issue the following command.

# faillog -r -u <username>   # be advised that this command will cause the system to hang, due to a bug in Red Hat; simply use Ctrl-C to terminate this command.

Set user ID to non logonable


  1. To prevent user from logging into the shell run the following command.


# usermod -s /sbin/nologin <username>
