How to Manage Users and Groups with useradd, groupadd and passwd on RHEL 7
User and group management is one of the most fundamental administrative tasks on any Linux system. On Red Hat Enterprise Linux 7, the tools for creating, modifying and maintaining user accounts are robust, flexible and follow the standard POSIX conventions. Whether you are onboarding new team members, setting up service accounts for applications, or enforcing password policies across your organisation, understanding the full range of useradd, groupadd, usermod and related utilities will save you time and help you avoid common security pitfalls. This tutorial walks through the complete workflow for user and group management on RHEL 7, including password ageing and account expiry.
Prerequisites
- A running RHEL 7 system with root or sudo access.
- Basic familiarity with the Linux command line.
- The shadow-utils package installed (present by default on RHEL 7).
Step 1: Creating a New User with useradd
The useradd command creates a new user account and, optionally, a home directory, default shell, and primary group. When called without options it uses defaults from /etc/default/useradd and /etc/login.defs.
# Create a basic user account
useradd john
# Verify the account was created
id john
# Output: uid=1001(john) gid=1001(john) groups=1001(john)
The most important options for useradd are:
- -m — Create the user’s home directory if it does not exist. On RHEL 7 this is implied unless CREATE_HOME is set to no in /etc/login.defs, but specifying it explicitly is good practice.
- -s — Specify the login shell. Common values are /bin/bash, /bin/sh, or /sbin/nologin for service accounts.
- -d — Override the default home directory path.
- -G — Assign the user to one or more supplementary groups at creation time.
- -c — Set the GECOS (comment) field, typically the user’s full name.
- -u — Specify a custom UID.
# Create a user with home directory, shell, comment and supplementary group
useradd -m -s /bin/bash -d /home/jdoe -c "Jane Doe" -G wheel jdoe
# Create a system/service account with no login shell and no home directory
useradd -r -s /sbin/nologin -c "Apache Service Account" apacheuser
Step 2: Setting and Managing Passwords with passwd
After creating an account, you must set a password before the user can log in. The passwd command handles this for both root and regular users (who can only change their own password).
# Set a password for a new user (run as root)
passwd john
# You will be prompted to enter and confirm the new password
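# Lock a user account's password (prepends ! to the hashed password)
# Note: this blocks password logins only; other authentication methods such as SSH public keys still work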
passwd -l john
# Unlock a user account
passwd -u john
# Display password status information
passwd -S john
# Output: john PS 2026-05-17 0 99999 7 -1 (Password set, SHA512 crypt.)
Step 3: Creating and Managing Groups with groupadd
Groups allow you to assign shared permissions to multiple users. The groupadd command creates new groups, and entries are stored in /etc/group.
# Create a new group
groupadd developers
# Create a group with a specific GID
groupadd -g 2500 ops
# View group membership
grep '^developers:' /etc/group
# developers:x:1002:
# View all groups a user belongs to
id jdoe
# uid=1001(jdoe) gid=1001(jdoe) groups=1001(jdoe),10(wheel)
The /etc/group file has four colon-separated fields: group name, password placeholder, GID, and a comma-separated list of member usernames.
# View /etc/group format
head -5 /etc/group
# root:x:0:
# bin:x:1:
# daemon:x:2:
# sys:x:3:
# adm:x:4:
Step 4: Modifying Users with usermod
The usermod command modifies an existing user account. The most common operation is adding a user to supplementary groups.
# Add a user to a supplementary group without removing existing group memberships
# IMPORTANT: Always use -aG together. Using -G alone will REPLACE all supplementary groups.
usermod -aG developers john
usermod -aG wheel,developers jdoe
# Change a user's default shell
usermod -s /bin/bash john
# Change the home directory and move existing content
usermod -d /data/home/john -m john
# Change the username (login name)
usermod -l johndoe john
# Lock and unlock via usermod
usermod -L john # Lock
usermod -U john # Unlock
Step 5: Managing Group Membership with gpasswd
The gpasswd command provides additional group administration capabilities, including setting group passwords and appointing group administrators.
# Add a user to a group using gpasswd
gpasswd -a john developers
# Remove a user from a group
gpasswd -d john developers
# Set a group administrator (a non-root user who can add/remove members)
gpasswd -A jdoe developers
# Set a group password (rarely used; allows non-members to join temporarily)
gpasswd developers
Step 6: Enforcing Password Ageing with chage
Password ageing policies are a key component of any security-conscious Linux environment. The chage command reads and writes the shadow password file entries that control when passwords expire and when accounts become inactive.
# Display current password ageing information for a user
chage -l john
# Last password change : May 17, 2026
# Password expires : never
# Password inactive : never
# Account expires : never
# Minimum number of days between password change : 0
# Maximum number of days between password change : 99999
# Number of days of warning before password expires : 7
# Force a user to change their password on next login
chage -d 0 john
# Set password to expire after 90 days
chage -M 90 john
# Set a minimum of 7 days between password changes (prevents rapid cycling)
chage -m 7 john
# Warn the user 14 days before expiry
chage -W 14 john
# Set account expiry date (YYYY-MM-DD format)
chage -E 2026-12-31 john
# Disable an account after password has been expired for 30 days
chage -I 30 john
These settings are stored in /etc/shadow, which is readable only by root. Each field corresponds directly to the chage options above.
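To show how the /etc/shadow fields line up with the chage options, the following added example (not part of the original tutorial) audits shadow-format records against an ageing policy. The function names, the finding labels, the 90/7-day thresholds and the sample records are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag shadow records that deviate from the Step 6 ageing policy.
# Shadow fields: 1 name, 2 hash, 3 last change (chage -d), 4 min days (-m),
# 5 max days (-M), 6 warn days (-W), 7 inactive days (-I), 8 account expiry (-E).
# Fields 3 and 8 are stored as days since 1970-01-01.

MAX_DAYS=90   # assumed policy, taken from the chage -M example
MIN_DAYS=7    # assumed policy, taken from the chage -m example

# Constructed sample records (placeholder hashes, not real ones).
sample_shadow() {
cat <<'EOF'
john:$6$SALT$CONSTRUCTED:20590:7:90:14:30::
jdoe:$6$SALT$CONSTRUCTED:20400:0:99999:7:::
apacheuser:!!:20590::::::
temp:$6$SALT$CONSTRUCTED:20590:7:90:14:30:20500:
olduser:$6$SALT$CONSTRUCTED:20400:7:90:14:30::
nopw::20590:7:90:14:30::
newhire:$6$SALT$CONSTRUCTED:0:7:90:14:30::
EOF
}

# Reads shadow-format lines on stdin; $1 is today as days since the epoch.
audit_shadow() {
    awk -F: -v today="$1" -v max="$MAX_DAYS" -v min="$MIN_DAYS" '
        function flag(msg) { print $1 ": " msg }
        NF < 8                      { next }   # not a shadow record
        $2 == ""                    { flag("EMPTY_PASSWORD") }
        $8 != "" && today+0 >= $8+0 { flag("ACCOUNT_EXPIRED") }
        $2 ~ /^[!*]/                { next }   # locked or no password login
        $3 == "0"                   { flag("MUST_CHANGE_AT_NEXT_LOGIN"); next }
        $5 == "" || $5+0 > max+0    { flag("MAX_AGE_TOO_LONG") }
        $4 == "" || $4+0 < min+0    { flag("MIN_AGE_TOO_SHORT") }
        $3 != "" && $5 != "" && today+0 >= $3+$5 { flag("PASSWORD_EXPIRED") }
    '
}

# Demo on the constructed sample with an assumed "today" of day 20600.
# On a live host, run as root:
#   audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
sample_shadow | audit_shadow 20600
```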
Step 7: Deleting Users and Groups
When an employee leaves or a service is decommissioned, accounts should be cleanly removed.
# Delete a user account (does NOT remove home directory by default)
userdel john
# Delete a user account and their home directory
userdel -r john
# Delete a group (only possible if no users have it as their primary group)
groupdel developers
# If you need to keep files but disable the account, lock it instead
usermod -L -e 1 john # Lock account and set expiry to the past
Step 8: Verifying User and Group Configuration
Several tools help you audit and verify the state of user and group databases.
# Check the integrity of the password and shadow files
pwck
# Check the integrity of the group file
grpck
# List all users on the system
getent passwd
# List all groups on the system
getent group
# Find files owned by a specific user (useful before deletion)
find / -user john -ls 2>/dev/null
# Find files with no valid owner (orphaned files after user deletion)
find / -nouser -ls 2>/dev/null
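As a complement to the checks above, this added example (not part of the original tutorial) audits passwd-format records for three account-hygiene problems: a non-root account with UID 0, a UID shared by two login names, and a system account (UID below the RHEL 7 UID_MIN of 1000) that still has an interactive shell instead of /sbin/nologin. The function names, finding labels, the list of shells treated as interactive and the sample records are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format records (name:x:UID:GID:GECOS:home:shell).

UID_MIN=1000   # first regular-user UID on RHEL 7 (UID_MIN in /etc/login.defs)

# Constructed sample records.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
apacheuser:x:997:995:Apache Service Account:/home/apacheuser:/sbin/nologin
backupsvc:x:996:994:Backup agent:/var/lib/backup:/bin/bash
toor:x:0:0:constructed duplicate of root:/root:/bin/bash
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash
john:x:1001:1001::/home/john:/bin/bash
jane:x:1001:1003::/home/jane:/bin/bash
EOF
}

# Reads passwd-format lines on stdin and prints one finding per line.
audit_passwd() {
    awk -F: -v uid_min="$UID_MIN" '
        function flag(msg) { print $1 ": " msg }
        NF != 7 { next }                          # not a passwd record
        $3 == 0 && $1 != "root" { flag("UID0_NOT_ROOT") }
        ($3 in seen)  { flag("DUPLICATE_UID " $3 " (also " seen[$3] ")") }
        !($3 in seen) { seen[$3] = $1 }           # remember first owner of the UID
        # An empty shell field falls back to the default shell, so flag it too.
        $3+0 > 0 && $3+0 < uid_min+0 && ($7 == "" || $7 ~ /\/(ba|da|z|k|c|tc)?sh$/) {
            flag("SERVICE_ACCOUNT_LOGIN_SHELL " ($7 == "" ? "(default)" : $7))
        }
    '
}

# Demo on the constructed sample. On a live host:
#   getent passwd | audit_passwd
sample_passwd | audit_passwd
```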
Conclusion
Managing users and groups on RHEL 7 involves a coherent set of tools that work together around the /etc/passwd, /etc/shadow and /etc/group files. The key points to remember are: always use usermod -aG (not just -G) when adding to supplementary groups, set appropriate password ageing with chage rather than leaving defaults, use /sbin/nologin for service accounts that should never have interactive shell access, and clean up with userdel -r when removing accounts to avoid orphaned home directories. With these tools and practices, you can maintain a secure, well-organised user database on any RHEL 7 system.