Modifying Users

Modifying Users in Ubuntu

usermod is the primary tool for modifying existing user accounts. It edits /etc/passwd, /etc/shadow, and /etc/group atomically, which is safer than editing these files by hand. Understanding the flags and their effects prevents common mistakes like locking yourself out or breaking a service account.

The usermod command

Changing group memberships

# Add a user to a group WITHOUT removing existing memberships
# -a (append) is critical — omitting it REPLACES all groups
sudo usermod -aG sudo irfan
sudo usermod -aG docker,libvirt irfan

# Verify group membership immediately
groups irfan
id irfan

⚠️ WARNING: usermod -G group1,group2 username without -a REPLACES all supplementary groups with only group1,group2. If the user was in sudo or docker before, they will no longer be. Always use -aG to append groups.

# Remove a user from a specific group
sudo gpasswd -d irfan docker

# Group changes take effect at next login
# Force immediate effect by running (for the current session only):
newgrp docker

Changing the login shell

# See available shells
cat /etc/shells

# Change a user's shell
sudo usermod -s /bin/bash irfan
sudo usermod -s /bin/zsh irfan

# Disable login for a service account (change from bash to nologin)
sudo usermod -s /usr/sbin/nologin serviceuser

# Users can change their own shell with chsh
chsh -s /bin/zsh

Renaming a user

# Rename a user account (login name only, UID stays the same)
# The user must NOT be logged in when renamed
sudo usermod -l newname oldname

# Also rename the home directory and primary group to match
sudo usermod -l newname -d /home/newname -m oldname
sudo groupmod -n newname oldname

# Verify
id newname
ls -la /home/

Changing account expiry and aging

# Set an account to expire on a specific date
# (The account becomes disabled after this date)
sudo usermod -e 2025-12-31 contractor

# Remove the expiry date (account never expires)
sudo usermod -e "" contractor

# Set password aging policies with chage
sudo chage -l irfan              # Show current aging settings
sudo chage -M 90 irfan           # Max password age: 90 days
sudo chage -m 7 irfan            # Min days between changes: 7
sudo chage -W 14 irfan           # Warn 14 days before expiry
sudo chage -I 30 irfan           # Disable 30 days after expiry

chage -l output

Last password change                : Jun 01, 2024
Password expires                    : Sep 01, 2024
Password inactive                   : Oct 01, 2024
Account expires                     : Dec 31, 2025
Minimum number of days between pass : 7
Maximum number of days between pass : 90
Number of days of warning before exp: 14

Changing the home directory

# Move a user's home directory to a new location
# Step 1: Move the home directory with usermod (copies files too)
sudo usermod -d /opt/irfan -m irfan

# Step 2: Verify the move
ls -la /opt/irfan/
getent passwd irfan | cut -d: -f6    # Should show /opt/irfan

# Step 3: Check file ownership is correct
ls -lan /opt/irfan/ | head -5

Conclusion

Use usermod for all account modifications — never edit /etc/passwd directly. The most important thing to remember: -aG appends groups while -G replaces them. Group changes require the user to log out and back in to take effect in their session. Use chage for password aging policies on accounts that require compliance with password rotation policies.