Managing users and groups is one of the most fundamental tasks for any Linux system administrator. On Red Hat Enterprise Linux 8, the useradd, groupadd, and passwd commands provide powerful options for creating and controlling accounts. Understanding how to set password policies, manage group memberships, and configure account aging will help you maintain a secure, well-organised system. This guide walks through the essential commands and configuration files you need to know.

Prerequisites

  • A running RHEL 8 system with root or sudo access
  • Familiarity with the Linux command line
  • Basic understanding of file permissions

Step 1 — Create a New User with useradd

The useradd command creates a new user account. The -m flag creates the home directory, -u sets a specific UID, -G adds the user to supplementary groups, and -s specifies the login shell.

# Create user 'jsmith' with home dir, UID 1500, added to 'wheel' and 'developers' groups
# (groups passed to -G must already exist; create 'developers' first as shown in Step 3)
sudo useradd -m -u 1500 -G wheel,developers -s /bin/bash jsmith

# Verify the user was created
id jsmith

# Check the entry in /etc/passwd (anchored so similar names such as 'jsmith2' do not match)
grep '^jsmith:' /etc/passwd

The /etc/login.defs file controls system-wide defaults such as the minimum UID for regular users (UID_MIN, typically 1000) and the maximum number of days a password remains valid (PASS_MAX_DAYS). The password aging values are applied when an account is created; changing them later does not alter existing accounts. Review the file before bulk user creation to ensure your site policy is enforced from the outset.

# View key password and UID policy settings
grep -E 'UID_MIN|UID_MAX|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs

Step 2 — Set and Manage Passwords with passwd

After creating a user you must set a password. The passwd command also supports locking accounts, forcing expiry, and scripted password setting via --stdin.

# Set a password interactively
sudo passwd jsmith

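# Set a password non-interactively (useful in scripts)
# A literal password typed on the command line is saved in shell history; in real scripts
# read it from a root-only file or a prompt, and follow up with passwd --expire
echo 'S3cur3P@ss!' | sudo passwd --stdin jsmith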

# Force the user to change their password on next login
sudo passwd --expire jsmith

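# Lock an account (prepends '!' to the hashed password)
# This blocks password logins only; SSH key authentication still works.
# Use 'sudo chage -E 0 jsmith' to disable the account completely.
sudo passwd --lock jsmith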

# Unlock an account
sudo passwd --unlock jsmith

Step 3 — Manage Groups with groupadd and gpasswd

Groups let you control access to resources for multiple users at once. Use groupadd -g to specify a GID, and gpasswd to add or remove members without editing /etc/group directly.

# Create a new group with a specific GID
sudo groupadd -g 2000 developers

# Add user 'jsmith' to the 'developers' group
sudo gpasswd -a jsmith developers

# Remove user 'jsmith' from 'developers'
sudo gpasswd -d jsmith developers

# List all members of a group (users who have it as their primary group are not shown here)
getent group developers

# Switch to a supplementary group in the current session
newgrp developers

Note that newgrp opens a new shell with the specified group as the primary group for that session. Any files created while in that shell inherit the new group ownership.

Step 4 — Configure Password Aging with chage

The chage command (change age) gives you fine-grained control over password expiry on a per-user basis, overriding the system-wide /etc/login.defs defaults.

# Display the current aging settings for a user
sudo chage -l jsmith

# Set maximum password age to 90 days
sudo chage -M 90 jsmith

# Set minimum days between password changes to 7
sudo chage -m 7 jsmith

# Warn user 14 days before password expires
sudo chage -W 14 jsmith

# Set an absolute account expiry date (YYYY-MM-DD)
sudo chage -E 2026-12-31 jsmith

# Force immediate password expiry (same as passwd --expire)
sudo chage -d 0 jsmith

Step 5 — Verify Users and Group Memberships

After making changes, confirm that UID assignments, group memberships, and password aging are all correct before handing credentials to end users.

# Show UID, GID, and all group memberships for a user
id jsmith

# List all groups the current or specified user belongs to
groups jsmith

# Show each user's name, UID, and home directory
awk -F: '{ print $1, $3, $6 }' /etc/passwd | column -t

# List all groups on the system
getent group | sort -t: -k3 -n

# Find all users whose primary group is GID 2000
getent passwd | awk -F: '$4 == 2000 { print $1 }'
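
To run the aging check from Step 4 across every account instead of one chage -l at a time, the following added example (not part of the original guide) audits shadow-format data against the values used above (maximum 90, minimum 7, warning 14). The function name audit_aging and the SAMPLE_SHADOW data are constructed for illustration; the hashes are placeholders.

```shell
# Constructed sample in /etc/shadow format (hashes replaced by placeholders):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$PLACEHOLDER:19700:0:99999:7:::
jsmith:$6$PLACEHOLDER:19700:7:90:14::20818:
olduser:$6$PLACEHOLDER:18000:0:99999:7:::
svc_backup:!!:19700:0:99999:7:::'

# Hypothetical helper: audit_aging [max] [min] [warn] < shadow-format data
# Prints one line per account whose aging fields are weaker than the policy.
audit_aging() {
  awk -F: -v max="${1:-90}" -v min="${2:-7}" -v warn="${3:-14}" '
    # Accounts without a usable password hash (locked or never set) cannot
    # log in with a password, so password aging does not apply to them.
    $2 == "" || $2 ~ /^[!*]/ { next }
    {
      issues = ""
      # Field 5: maximum password age in days (empty means never expires)
      if ($5 == "" || $5 + 0 > max)  issues = issues " max_age=" ($5 == "" ? "none" : $5)
      # Field 4: minimum days between password changes
      if ($4 == "" || $4 + 0 < min)  issues = issues " min_age=" ($4 == "" ? "none" : $4)
      # Field 6: days of warning before expiry
      if ($6 == "" || $6 + 0 < warn) issues = issues " warn=" ($6 == "" ? "none" : $6)
      if (issues != "") print $1 ":" issues
    }'
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_SHADOW" | audit_aging
```

On a live system, feed it the real database with: sudo getent shadow | audit_aging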

Conclusion

You now know how to create users with custom UIDs, shells, and group memberships using useradd, enforce password policies with passwd and chage, and manage group membership non-interactively with gpasswd. Combining these tools with the system-wide defaults in /etc/login.defs gives you consistent, policy-driven account management across your RHEL 8 fleet. Always verify changes with id and chage -l before rolling out accounts to production.

Next steps: How to Configure sudo and /etc/sudoers on RHEL 8, How to Harden SSH Access on RHEL 8, and How to Configure PAM Authentication on RHEL 8.