
Linux (RHEL) User Management Cheat Sheet by

User management on Red Hat Linux Server


This information specifically relates to place of employment, but may be useful elsewhere.

User and Group Management

List users configured on local host
awk -F: '/\/home/ {printf "%s:%s\n",$3,$1}' /etc/passwd | sort -n
List groups configured on local host
awk -F: -v id="999" '$3 > id' /etc/group
For users, the assumption is that they are non-system users if they have a /home directory.
For groups, the assumption is that they are non-system groups if the gid is greater than 999.
Refer to /etc/login.defs

Create User

Create user
useradd -c "Firstname Lastname" -d /home/firstname.lastname.suffix -u <uid> -g <gid> -m -s /bin/bash firstname.lastname.suffix
Create user (shorter)
useradd -c "Firstname Lastname" -u <uid> -g <gid> firstname.lastname.suffix
Set password
passwd firstname.lastname.suffix
Set account aging policy
chage -M 90 -W 7 -I 30 -d 0 firstname.lastname.suffix
where -M is the maximum number of days between password changes, -W is the number of days of warning before the password expires, -I is the number of inactive days after the password expires before the account is locked, and -d is days since password changed (setting it to 0 forces a password change on next logon)
Expire password
(force password change)
chage -d 0 firstname.lastname.suffix
Expire password and set account expiry (for contractors)
chage -d 0 -E YYYY-MM-DD firstname.lastname.suffix
List account aging information
chage -l firstname.lastname.suffix
User accounts are in firstname.lastname.accounttype format. These 3 variables are used by the user management scripts. Admin user accounts are suffixed with .nalx.
Service accounts are prefixed with svc.
uid and gid are maintained in a central location to ensure uniformity across the server fleet.

Account Management

Disable account
(most effective method)
chage -E0 firstname.lastname.suffix
Re-enable account
chage -E -1 firstname.lastname.suffix
Lock account
usermod -L username
Check lock status
grep username /etc/shadow
A single exclamation mark before the encrypted password means the account is locked
Lock password
passwd -l username
Unlock password
passwd -u username
Check password status
grep username /etc/shadow
Two exclamation marks before the encrypted password mean the password is locked
Check whether password ever set
grep username /etc/shadow
Two exclamation marks with no encrypted password mean the password has never been set
Extend account expiry
(for contractors)
chage -E YYYY-MM-DD firstname.lastname.suffix
The recommended method of securing an account is to disable it with the chage command. Locking an account with usermod, or a password with passwd, is not as effective. For example, an account which uses SSH does not use passwords.
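
The shadow markers and the expiry field described above can be checked together. This added example (not part of the original cheat sheet) classifies shadow-format lines and lists accounts that are only locked, not disabled. The sample entries, the .std suffix and the function names are constructed, and an expiry field on or before today is assumed to mean expired.

```bash
#!/usr/bin/env bash
# Added example: classify shadow(5) entries using the markers this sheet describes.

# Constructed sample in /etc/shadow format (hashes are placeholders, not real).
sample_shadow() {
cat <<'EOF'
alice.smith.std:$6$salt$HASHPLACEHOLDER:19700:0:90:7:30::
bob.jones.std:!$6$salt$HASHPLACEHOLDER:19700:0:90:7:30::
carol.lee.std:!!$6$salt$HASHPLACEHOLDER:19700:0:90:7:30::
dave.new.std:!!:19700:0:90:7:30::
erin.gone.std:$6$salt$HASHPLACEHOLDER:19700:0:90:7:30:0:
frank.temp.std:!!$6$salt$HASHPLACEHOLDER:19700:0:90:7:30:99999:
EOF
}

# shadow_status [today_in_days_since_epoch] < shadow-format input
# Prints "user account=<state> password=<state>" for each entry.
shadow_status() {
  awk -F: -v today="${1:-$(( $(date +%s) / 86400 ))}" '
    {
      # Field 8: account expiry in days since 1970-01-01; empty = no expiry.
      # Assumption: a value on or before today counts as expired (chage -E0 writes 0).
      acct = ($8 != "" && $8 + 0 <= today) ? "expired" : "ok"
      # Field 2: password hash, possibly prefixed with lock markers.
      if      ($2 == "!!")  pw = "never-set"       # "!!" and no hash
      else if ($2 ~ /^!!/)  pw = "locked-passwd"   # passwd -l
      else if ($2 ~ /^!/)   pw = "locked-usermod"  # usermod -L
      else                  pw = "usable"
      printf "%s account=%s password=%s\n", $1, acct, pw
    }'
}

# Accounts that are locked but not disabled via account expiry: the case the
# sheet calls less effective, since SSH logins do not use the password.
locked_but_not_disabled() {
  shadow_status "$@" | awk '$2 == "account=ok" && $3 ~ /locked/ { print $1 }'
}
```

On a real host, run `shadow_status < /etc/shadow` as root; accounts reported by `locked_but_not_disabled` are candidates for chage -E0.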

List Logged On Users

Show who is logged on
Show who is logged on and what they are doing
Show list of last logged in users who are "still logged in"
last -F | grep 'still logged in'
Print name of users currently logged in to local host

Non-standard aliases

awk -F: '{ if ($3 > 999 && $3 < 60001) print $1 }' /etc/passwd | grep -v suffix | sort
awk -F: '{ if ($3 > 999 && $3 < 60001) print $1 }' /etc/passwd | grep suffix | sort
These are functions stored in /etc/profile.d/alias
Again, refer to /etc/login.defs for UID_MIN and UID_MAX and GID_MIN and GID_MAX values

Get User Information Function

# get-useraccounts [Account Type: ALL|normal|admins|service] [Output Format: name|description|almostall|csv|table] [Additional Info: GROUP|nogroup|complete]
Where group information is collected from the corresponding user entry in /etc/group and additional information is collated from the chage command
Argument order is important (the function does not use getopt or getopts). Account Type: ALL is the default option. Output Format: no specific option required. Additional Info: GROUP is the default option.
# get-useraccounts
# get-useraccounts service csv group
# get-useraccounts admins tablefull complete
Based on function listusers / get-useraccounts (expanded version of the above custom functions lusers and ladmins). The get-useraccounts alias is in PowerShell (verb-noun) format, so it is somewhat familiar to Windows administrators.
Could be saved as part of a function file or incorporated into the system alias file (/etc/profile.d/alia

