Managing user accounts is one of the most fundamental Linux system administration tasks. On RHEL 8, the standard tools — useradd, usermod, userdel, and groupadd — are all available out of the box and work the same way across RHEL-compatible distributions. This guide covers creating users with meaningful options, setting and changing passwords, modifying existing accounts, safely deleting users, and granting administrative privileges via the wheel group. Understanding where user data is stored in /etc/passwd and /etc/shadow will also help you troubleshoot account issues.

Prerequisites

  • A RHEL 8 server with a configured non-root sudo user (see the Initial Server Setup guide)
  • Root or sudo access to the server
  • Basic familiarity with the Linux command line

Step 1 — Create a New User

The useradd command creates a new user account. The -m flag creates a home directory, -s specifies the login shell, and -G adds the user to supplementary groups at creation time.

# Create a user with a home directory and bash shell
useradd -m -s /bin/bash username

# Create a user and add them to an existing supplementary group
useradd -m -s /bin/bash -G developers username

Set the initial password immediately after creating the account:

passwd username

Step 2 — Understand /etc/passwd and /etc/shadow

User account information is split across two files. /etc/passwd is world-readable and contains the username, UID, GID, home directory, and shell. Actual password hashes are stored in /etc/shadow, which is readable only by root, protecting the hashes from offline attacks.

# View the entry for a user in /etc/passwd
# (the anchored pattern avoids matching other accounts that contain the same string)
grep '^username:' /etc/passwd

# View the shadow entry (run as root)
grep '^username:' /etc/shadow

The shadow entry contains the hashed password followed by aging fields: last-change date, minimum days, maximum days, warning period, and expiry.

Step 3 — Modify an Existing User

Use usermod to change account attributes after creation. Common operations include changing the login shell, adding the user to additional groups, and renaming the account.

# Add an existing user to the wheel group (grants sudo access)
usermod -aG wheel username

# Change the user's default shell
usermod -s /bin/zsh username

# Rename a user account (also rename the home directory separately)
usermod -l newname oldname

# Verify group membership
id username
groups username

Step 4 — Grant and Verify sudo Access

On RHEL 8, members of the wheel group can run commands as root via sudo. After adding the user to wheel, verify they can authenticate correctly before closing your current root session.

# Add user to wheel group
usermod -aG wheel username

# Switch to the user and test sudo
su - username
sudo whoami

The output of sudo whoami should be root.

Step 5 — Lock and Unlock Accounts

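Rather than deleting an account when access should be suspended temporarily, lock it with usermod -L. This prepends an exclamation mark to the password hash in /etc/shadow, preventing password-based login without destroying the account or its files. A locked password does not block other authentication methods such as SSH keys, so an account that must be fully disabled also needs an expiry date set.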

# Lock a user account
usermod -L username

# Unlock a user account
usermod -U username

# Verify lock status (look for '!' at start of hash field)
grep '^username:' /etc/shadow
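
The shadow field layout from Step 2 and the lock marker from Step 5 can be checked together. The script below is an added example, not part of the original guide: the sample entries are constructed with placeholder hashes, the names sample_shadow and shadow_state and the state labels are assumptions of this example, and the field meanings follow shadow(5).

```shell
#!/usr/bin/env bash
# Added example: classify accounts from shadow(5)-format lines.

# Constructed sample data in /etc/shadow format (hashes are placeholders).
sample_shadow() {
cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:90:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:90:7:::
svc:!!:19700:0:99999:7:::
carol::19700:0:99999:7:::
dave:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:90:7::1:
EOF
}

# shadow_state USER  (reads shadow-format lines on stdin)
# Prints "user:STATE:max_days=N". Fields: 2=hash, 5=maximum days, 8=expiry
# date in days since 1970-01-01.
shadow_state() {
  awk -F: -v u="$1" -v today="$(( $(date +%s) / 86400 ))" '
    $1 != u { next }
    {
      found = 1
      hash = $2; rest = hash
      sub(/^!+/, "", rest)                       # strip leading lock marker(s)
      if ($8 != "" && $8 + 0 <= today)    state = "EXPIRED"        # account expiry passed
      else if (hash == "")                state = "NO_PASSWORD"    # empty field: no password required
      else if (rest == "" || rest == "*") state = "NO_VALID_HASH"  # password login impossible
      else if (rest != hash)              state = "LOCKED"         # "!" prepended to a real hash
      else                                state = "ACTIVE"
      print u ":" state ":max_days=" $5
    }
    END { if (!found) { print u ":NOT_FOUND"; exit 1 } }
  '
}

# Run against the constructed sample.
for u in alice bob svc carol dave; do
  sample_shadow | shadow_state "$u"
done
```

On a real host, run it as root with the file on stdin, for example shadow_state username < /etc/shadow. An account reported as NO_PASSWORD deserves immediate attention, and a LOCKED account can still be reachable through SSH keys.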

Step 6 — Delete a User

When an account is no longer needed, remove it with userdel. The -r flag removes the home directory and mail spool as well. Always back up important user data before deletion because this action is irreversible.

# Remove the user and their home directory
userdel -r username

# Verify the user is gone (no output means the entry was removed)
grep '^username:' /etc/passwd

To create and manage groups independently:

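# Create a new group
groupadd developers

# Add an existing user to the group
usermod -aG developers username

# Delete the group when it is no longer needed
groupdel developers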

Conclusion

You now know how to create users with appropriate options, set passwords, interpret /etc/passwd and /etc/shadow, modify account attributes with usermod, grant sudo access via the wheel group, lock accounts without deleting them, and cleanly remove users with userdel -r. These skills form the core of day-to-day RHEL 8 user administration.

Next steps: How to Configure the Firewall on RHEL 8, How to Set Up SSH Key-Based Authentication on RHEL 8, and How to Configure Fail2Ban to Protect SSH on RHEL 8.