Managing and monitoring user accounts on Linux

There are a number of commands on Linux that you can use to manage user accounts and monitor user activity. This post provides details on the commands that you need to know if you are managing a Linux server and the user accounts on that system.

Creating user accounts

The useradd and adduser commands allow you to create a new user account. To check which you should use, you can run a command like this:

$ which useradd adduser
/usr/sbin/useradd
/usr/sbin/adduser

If your system, like mine, shows both commands, a listing like the one below might show you that one (in this case, adduser) is simply a symbolic link to the other.

$ ls -l /usr/sbin/useradd /usr/sbin/adduser
lrwxrwxrwx. 1 root root 7 Mar 5 2023 /usr/sbin/adduser -> useradd
-rwxr-xr-x. 1 root root 146368 Mar 5 2023 /usr/sbin/useradd

To add a user on a Linux system, you need to have superuser access, so run the command with sudo as in this example to set up a new user account and then verify that it’s been created:

$ sudo useradd monica
$ grep monica /etc/passwd
monica:x:1007:1007::/home/monica:/bin/bash
$ ls -ld /home/monica
drwx------. 1 monica monica 110 Mar 19 12:19 /home/monica

Run the useradd (or adduser) command with the -m option if the home directory is not created.

$ sudo useradd -m username

Setting up a user password

To set up the initial password for a user account, use the passwd command:

$ sudo passwd monica

Once you set up the initial password, run a command like the one below to force the user to change his or her password on their first login. After all, no one but the user should know the password for their account. Not even you.

$ sudo passwd --expire monica
Expiring password for user monica.
passwd: Success

Modifying an existing user account

Each new user will be assigned a group of their own. You can verify this by running a command like that shown below showing the “monica” group.

$ grep monica /etc/group
monica:x:1007:

You can add a user to an existing user group with a usermod command like this, where “techs” is the name of the group. The second command below verifies that the user is now the second member of the selected group.

$ sudo usermod -aG techs monica
$ grep techs /etc/group
techs:x:1008:shs,monica

If Monica changes her name to Valerie, you can update her account with a command like this:

$ sudo usermod -l valerie monica

This will change the user’s login name, but not the name of the home directory.

# grep monica /etc/passwd
valerie:x:1007:1007::/home/monica:/bin/bash

Removing a user account

To delete a user account from the system, you will generally want to use a command like this that will remove the home directory and its contents as well as the login details from the /etc/passwd file.

$ sudo userdel -r valerie

If you want to retain the home directory to pass it on to someone who might take over that user’s responsibilities, just omit the -r option.

$ sudo userdel valerie

Monitoring user activity

To check who is logged into a system, you can use the who or the w command (which provides some additional details).

$ who
fedora seat0 2025-03-19 11:59 (login screen)
fedora tty2 2025-03-19 11:59 (tty2)
shs pts/1 2025-03-19 12:02 (192.168.0.2)
$ w
13:09:55 up 1:11, 3 users, load average: 0.07, 0.02, 0.02
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
fedora tty2 11:59 1:11m 0.07s 0.06s gnome-session-binary
shs pts/1 12:02 0.00s 0.24s 0.02s w

Use the -a option to see some additional details on user logins.

$ who -a
system boot 2025-03-19 11:58
run-level 5 2025-03-19 11:59
fedora ? seat0 2025-03-19 11:59 ? 3430 (login screen)
fedora + tty2 2025-03-19 11:59 01:20 3430 (tty2)
shs + pts/1 2025-03-19 12:02 . 5675 (192.168.0.2)
pts/2 2025-03-19 13:07 8945 id=ts/2 term=0 exit=0

Use a command like that shown below to view user activity (processes being run) when they are logged in:

$ ps -ef | grep george

Viewing user logins

To view long-range login information for a user, you can use the last command. Keep in mind that details from logins over a long stretch of time will be displayed. Add the head command to view only the most recent logins. Details are provided in a most-recent-first order.

$ last jdoe | head -4
jdoe pts/1 192.168.0.2 Wed Mar 19 12:02 still logged in
jdoe pts/0 192.168.0.11 Thu Mar 13 11:59 - 13:25 (01:25)
jdoe pts/1 192.168.0.2 Wed Mar 12 17:04 - 18:08 (01:04)
jdoe pts/1 192.168.0.2 Wed Mar 12 14:20 - 15:53 (01:32)

Viewing user account details

To view details for a particular user, try the id command, which provides a very useful display that shows the user ID (uid) and group ID (gid) along with a list of the groups that the user is a member of.

$ id george
uid=1003(george) gid=1003(george) groups=1003(george)

To view all users on the system, you can examine the contents of the /etc/passwd file, but that would include all the system accounts as well as the user accounts. The “ls /home” command should give you a list of all home directories.

$ ls /home
cookie dumdum fedora george lola newuser shs

You can also get details on user accounts using a command like this that selects entries that contain the word “home”.

$ grep home /etc/passwd
fedora:x:1000:1000:fedora:/home/fedora:/bin/bash
shs:x:1001:1001::/home/shs:/bin/bash
newuser:x:1002:1002::/home/newuser:/bin/bash
george:x:1003:1003::/home/george:/bin/bash
lola:x:1006:1006::/home/lola:/bin/bash
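
Matching on the word “home” also lists service accounts that live under /home and misses users whose home directory is elsewhere. The script below is an added example, not from the original article: it selects accounts by UID and login shell instead and flags any extra UID 0 account. The sample entries are constructed, and the 1000 cutoff is an assumption taken from the UIDs shown above (check UID_MIN in /etc/login.defs).

```shell
#!/bin/sh
# Added example (not from the article): inventory accounts in passwd-format data.
# UID_MIN=1000 is an assumption matching the UIDs shown above.
UID_MIN=1000

# Regular accounts: UID >= UID_MIN, not "nobody", with a usable login shell.
human_accounts() {
    awk -F: -v min="$UID_MIN" \
        '$3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Any account besides root with UID 0 has full root privileges.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# What the "grep home" approach would report, for comparison.
grep_home() {
    grep home "$1" | cut -d: -f1
}

# Constructed sample data; point the functions at /etc/passwd on a real system.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
svcbuild:x:978:978::/home/svcbuild:/sbin/nologin
fedora:x:1000:1000:fedora:/home/fedora:/bin/bash
george:x:1003:1003::/home/george:/bin/bash
dana:x:1010:1010::/srv/dana:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF

echo "regular accounts: $(human_accounts "$SAMPLE" | tr '\n' ' ')"
echo "grep home finds:  $(grep_home "$SAMPLE" | tr '\n' ' ')"
echo "extra UID 0:      $(extra_uid0 "$SAMPLE" | tr '\n' ' ')"
```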

To check which groups a user belongs to, use the groups command.

$ groups shs
shs : shs wheel techs

If you want to check out the /etc/shadow file that contains passwords in an encrypted form along with other data, you can run a command like this:

$ sudo grep george /etc/shadow
[sudo] password for shs:
george:$y$j9T$igg/m6Ixl7kvW/i7mPP891$oq/zlqU8DGOPwnGbnvoVaaDmDbspK/R92XnrEKcPKk0:20033:0:99999:7:::

The fields in this colon-separated file include:

  • the username
  • the encrypted password (that very long field)
  • the number of days since the password was last changed *
  • the minimum number of days before the password can be changed again
  • the maximum number of days before the password must be changed
  • the number of days before password expiration that the user is warned that their password will expire
  • the number of days after password expiration before the account is locked (inactive period)
  • the date the password expires *
  • a reserved field

* Note that the third and eighth fields are expressed as the number of days since the Unix “epoch” (Epoch time is based on the number of seconds since 00:00:00 on January 1, 1970). This allows these fields to have a longer duration. The last three fields, however, are often empty.
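
The field layout above can be decoded with a short script. This is an added example, not from the original article: it converts the days-since-epoch value to a date, works out when a password must next be changed (last change plus maximum age), and shows how an account expired with passwd --expire appears (third field set to 0). It assumes GNU date; the function names and the sample entries, including the placeholder hashes, are constructed.

```shell
#!/bin/sh
# Added example: decode /etc/shadow entries using the field order listed above.
# Assumes GNU date (standard on Fedora); function names are illustrative.

# Convert "days since 1970-01-01" into a calendar date (UTC).
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# Classify the password field by its prefix without echoing the hash.
hash_state() {
    case "$1" in
        '')        echo "EMPTY" ;;          # no password needed to log in
        '!'*|'*'*) echo "locked" ;;         # password login disabled
        '$y$'*)    echo "yescrypt" ;;
        '$6$'*)    echo "sha512crypt" ;;
        '$1$'*)    echo "md5crypt-weak" ;;
        *)         echo "other" ;;
    esac
}

# Print user, hash type, date of last change and date the next change is due.
# The body runs in a subshell "( )" so the field variables do not leak.
decode_shadow() (
    IFS=: read -r user hash last min max warn inactive expire reserved <<EOF
$1
EOF
    case "$last" in
        '') changed="aging-disabled" ;;
        0)  changed="must-change-at-next-login" ;;   # set by passwd --expire
        *)  changed=$(days_to_date "$last") ;;
    esac
    if [ -n "$max" ] && [ "${last:-0}" -gt 0 ]; then
        due=$(days_to_date $(( last + max )))
    else
        due="n/a"
    fi
    echo "$user hash=$(hash_state "$hash") changed=$changed due=$due"
)

# Constructed sample entries (placeholder salts and hashes, not real ones).
while IFS= read -r line; do
    decode_shadow "$line"
done <<'EOF'
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20033:0:90:7:::
monica:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:99999:7:::
backup:!!:::::::
EOF
```

On a real system, feed it lines from sudo cat /etc/shadow; an EMPTY result or an md5crypt-weak hash is worth following up.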

To view sudo privileges for a user, you can use a command like this which shows that George has no sudo privileges.

$ sudo -l -U george
User george is not allowed to run sudo on fedora.

Wrap-up

There are a lot of commands that allow you to manage user accounts and monitor user activity. Quite a few of these require sudo access.

Source: Network World