usermod Command

Modify user account properties and settings

Syntax: usermod [OPTIONS] username

Note: The usermod command requires root privileges to execute. Always use sudo or run as root when modifying user accounts.

Description

The usermod command modifies user account properties on a Linux system. It allows administrators to change various aspects of existing user accounts, including login name, home directory, shell, group memberships, account expiration, and other user attributes without deleting and recreating the account.

Note: Changes made with usermod take effect immediately, but users who are currently logged in may need to log out and back in to see some changes, particularly group membership changes.

Common Options

Option                         Description
-c, --comment COMMENT          Change the user's full name or comment field
-d, --home HOME_DIR            Change the user's home directory
-e, --expiredate EXPIRE_DATE   Change account expiration date (YYYY-MM-DD)
-f, --inactive INACTIVE        Set the number of days after password expiry until the account is disabled
-g, --gid GROUP                Change the primary group (name or GID)
-G, --groups GROUPS            Set supplementary groups (comma-separated)
-a, --append                   Append to supplementary groups (use with -G)
-l, --login NEW_LOGIN          Change the login name
-L, --lock                     Lock the user account (disables its password)
-m, --move-home                Move home directory contents (use with -d)
-p, --password PASSWORD        Set the password to an already-encrypted (hashed) value
-s, --shell SHELL              Change the user's login shell
-u, --uid UID                  Change the user ID (UID)
-U, --unlock                   Unlock the user account (re-enables its password)

Examples

Change user's full name:
sudo usermod -c "John Smith" john
# Changes the comment field to "John Smith"

# Verify the change
getent passwd john
# Output: john:x:1001:1001:John Smith:/home/john:/bin/bash

Change user's login shell:
sudo usermod -s /bin/zsh alice
# Changes alice's shell to zsh

# Verify the change
getent passwd alice | cut -d: -f7
# Output: /bin/zsh

Add user to supplementary groups:
# Set the supplementary group list (replaces all current supplementary groups)
sudo usermod -G sudo,docker,www-data bob

# Append to existing groups (safer)
sudo usermod -a -G sudo bob

# Verify group membership
groups bob
# Output: bob : bob sudo docker www-data

Change user's home directory:
# Change home directory path only
sudo usermod -d /opt/charlie charlie

# Change and move existing contents
sudo usermod -d /opt/charlie -m charlie

# Verify the change
getent passwd charlie | cut -d: -f6
# Output: /opt/charlie

Lock and unlock user accounts:
# Lock user account
sudo usermod -L dave
# or
sudo usermod --lock dave

# Check account status
sudo passwd -S dave
# Output: dave L ... (L = locked)

# Unlock user account
sudo usermod -U dave
# or
sudo usermod --unlock dave

Change user ID (UID):
# Change UID
sudo usermod -u 1500 eve

# Verify the change
id eve
# Output: uid=1500(eve) gid=1003(eve) groups=1003(eve)

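# Update ownership of any files still owned by the old UID (recommended).
# usermod re-owns files inside the home directory itself; repeat the find
# for other paths. -h re-owns a symlink itself instead of its target.
sudo find /home/eve -user 1003 -exec chown -h 1500 {} \;

Set account expiration date: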
# Set expiration date
sudo usermod -e 2024-12-31 tempuser

# Remove expiration (set to never expire)
sudo usermod -e "" tempuser

# Check expiration date
chage -l tempuser | grep "Account expires"
# Output: Account expires : Dec 31, 2024

Change login name:
# Change username (user must not be logged in)
sudo usermod -l newname oldname

# Also change home directory name
sudo usermod -l newname -d /home/newname -m oldname

# Verify the change
id newname
# Shows the new username with same UID

Group Management

Understanding -G vs -a -G:
# Current groups
groups john
# Output: john : john users developers

# Replace all supplementary groups (dangerous)
sudo usermod -G sudo john
groups john
# Output: john : john sudo (lost users and developers)

# Append to existing groups (safe)
sudo usermod -a -G sudo john
groups john
# Output: john : john users developers sudo

Remove user from specific group:
# Get current groups
groups alice
# Output: alice : alice users sudo docker

# Remove from docker group (set all groups except docker)
sudo usermod -G users,sudo alice

# Verify removal
groups alice
# Output: alice : alice users sudo
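
Retyping the whole group list by hand is where memberships get lost, so the list can be computed instead. The helper below is an added example, not part of the original page; the function names are hypothetical and it assumes group names contain no whitespace.

```bash
#!/bin/bash
# Added example: build the -G argument that drops exactly one supplementary group.

# groups_without PRIMARY "ALL GROUPS" GROUP_TO_DROP
# "ALL GROUPS" is a space-separated list as printed by `id -Gn USER`.
# Prints the comma-separated list for `usermod -G`; returns 1 when
# GROUP_TO_DROP is not a supplementary group (nothing should be changed).
groups_without() {
    local primary="$1" drop="$3" found=0 out="" g
    for g in $2; do
        [ "$g" = "$primary" ] && continue   # primary group is set with -g, not -G
        if [ "$g" = "$drop" ]; then found=1; continue; fi
        out="${out:+$out,}$g"
    done
    [ "$found" -eq 1 ] || return 1
    printf '%s\n' "$out"
}

# remove_from_group USER GROUP: print the usermod command for review
# instead of running it, so the new list can be checked first.
remove_from_group() {
    local list
    list=$(groups_without "$(id -gn "$1")" "$(id -Gn "$1")" "$2") || {
        echo "$1 is not in supplementary group $2" >&2
        return 1
    }
    printf 'sudo usermod -G "%s" %s\n' "$list" "$1"
}

# Constructed input matching the alice example above
groups_without alice "alice users sudo docker" docker   # prints users,sudo
```

Where it is available, `gpasswd -d USER GROUP` removes a single membership directly.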

Advanced Usage

Batch user modifications:
#!/bin/bash
# Script to modify multiple users

USERS=("user1" "user2" "user3")
NEW_SHELL="/bin/zsh"

for user in "${USERS[@]}"; do
    if id "$user" &>/dev/null; then
        echo "Changing shell for $user to $NEW_SHELL"
        sudo usermod -s "$NEW_SHELL" "$user"
    else
        echo "User $user does not exist"
    fi
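done

Disable account temporarily:
# Method 1: Lock the password (prefixes the hash with '!'; logins that
# do not use the password, such as SSH keys, still work)
sudo usermod -L username

# Method 2: Set expiry date in the past (1970-01-02 is day 1; day 0 is
# ambiguous in /etc/shadow and can be read as "never expires")
sudo usermod -e 1970-01-02 username

# Method 3: Change shell to prevent login
sudo usermod -s /bin/false username

# Method 4: Combination approach
sudo usermod -L -e 1970-01-02 -s /bin/false username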
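
The four methods leave different traces in the passwd and shadow entries, and an audit can tell them apart. The script below is an added example, not part of the original page: the function names and sample entries are constructed, and on a live system the input would come from `getent passwd` and `sudo getent shadow`.

```bash
#!/bin/bash
# Added example: classify how an account was disabled. Sample data is constructed.
SAMPLE_PASSWD='dave:x:1004:1004::/home/dave:/bin/bash
erin:x:1005:1005::/home/erin:/bin/false
frank:x:1006:1006::/home/frank:/bin/bash'

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='dave:!$6$constructed$hash:19000:0:99999:7:::
erin:$6$constructed$hash:19000:0:99999:7:::
frank:!$6$constructed$hash:19000:0:99999:7::1:'

# field FILE_TEXT USER N: print field N of USER's colon-separated entry
field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }'
}

# account_state USER TODAY_DAYS PASSWD_TEXT SHADOW_TEXT
# Prints "<password> <expiry> <shell>"; TODAY_DAYS is days since 1970-01-01.
account_state() {
    local hash expire shell pw ex sh
    shell=$(field "$3" "$1" 7)
    hash=$(field "$4" "$1" 2)
    expire=$(field "$4" "$1" 8)
    case $hash in
        '!'*|'*'*) pw=pw-locked ;;          # usermod -L prefixes the hash with '!'
        *)         pw=pw-usable ;;
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$2" ]; then
        ex=expired                          # usermod -e with a past date
    else
        ex=not-expired
    fi
    case $shell in
        */false|*/nologin) sh=no-shell ;;   # usermod -s /bin/false
        *)                 sh=login-shell ;;
    esac
    echo "$pw $ex $sh"
}

# lock_only ARGS...: true when the password lock is the only barrier, so
# key-based logins (e.g. SSH authorized_keys) can still reach a shell.
lock_only() {
    [ "$(account_state "$@")" = "pw-locked not-expired login-shell" ]
}

TODAY=$(( $(date +%s) / 86400 ))
for u in dave erin frank; do
    echo "$u: $(account_state "$u" "$TODAY" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
done
```

Accounts for which `lock_only` succeeds were disabled with Method 1 alone and are the ones to review.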

Migrate user to different system:
# Prepare user for migration
# 1. Change UID to avoid conflicts
sudo usermod -u 2001 miguser

# 2. Update file ownership
#    (-h re-owns a symlink itself instead of following it to its target)
sudo find /home/miguser -user 1001 -exec chown -h 2001 {} \;
sudo find /var -user 1001 -exec chown -h 2001 {} \;

# 3. Lock the password until a new one is set
sudo usermod -p '!' miguser  # Locked password

# 4. Export user info (the shadow entry contains the password hash:
#    reading it needs root, and the export should not be world-readable)
umask 077
getent passwd miguser > miguser.passwd
sudo getent shadow miguser > miguser.shadow
getent group | grep miguser > miguser.groups

System Integration

Configure service account:
# Convert regular user to service account
sudo usermod -s /bin/false -d /var/lib/myservice -c "MyService User" serviceuser

# Lock the account (no password login)
sudo usermod -L serviceuser

# Verify configuration
getent passwd serviceuser
# Output: serviceuser:x:1001:1001:MyService User:/var/lib/myservice:/bin/false

Update user for security compliance:
#!/bin/bash
# Security hardening script
# Abort with a usage message when no username is given
USERNAME="${1:?usage: $0 USERNAME}"

# Set account expiration (90 days from now; -d is GNU date syntax)
EXPIRE_DATE=$(date -d "+90 days" +%Y-%m-%d)
sudo usermod -e "$EXPIRE_DATE" "$USERNAME"

# Set password expiration (maximum age 90 days, warn 7 days before)
sudo chage -M 90 -W 7 "$USERNAME"

# Add to security group (the group must already exist)
sudo usermod -a -G security "$USERNAME"

echo "Security settings updated for $USERNAME"

Verification and Monitoring

Verify user modifications:
#!/bin/bash
# Abort with a usage message when no username is given
USERNAME="${1:?usage: $0 USERNAME}"

echo "User Information for: $USERNAME"
echo "================================"

# Basic user info
echo "User Details:"
getent passwd "$USERNAME"

# Group memberships
echo -e "\nGroup Memberships:"
groups "$USERNAME"

# Account status
echo -e "\nAccount Status:"
sudo passwd -S "$USERNAME"

# Account aging info
echo -e "\nAccount Aging:"
sudo chage -l "$USERNAME"

# Home directory
echo -e "\nHome Directory:"
ls -ld "$(getent passwd "$USERNAME" | cut -d: -f6)" 2>/dev/null || echo "Home directory not found"

Common Use Cases

  • Shell changes: Updating user's default shell
  • Group management: Adding/removing users from groups
  • Account security: Locking/unlocking accounts
  • Home directory changes: Moving user home directories
  • Account expiration: Setting temporary account access
  • UID/GID changes: Resolving ID conflicts
  • User information updates: Changing names and comments
  • Service account configuration: Setting up system users

Best Practices

  • Always use -a with -G to append groups instead of replacing
  • Verify changes after modification with id and getent
  • Update file ownership when changing UIDs
  • Test shell changes before applying to critical accounts
  • Document user modifications for audit purposes
  • Use scripts for batch modifications to ensure consistency
  • Check for running processes before major changes
  • Backup user data before significant modifications
  • Notify users of changes that affect their access
  • Use appropriate locking mechanisms for security

Troubleshooting

User currently logged in:
# Check if user is logged in
who | grep username

# Check for running processes
ps -u username

# If user is logged in, some changes may require logout
# Or kill user sessions (use with caution)
sudo pkill -u username

UID already in use:
# Check which account holds the UID
getent passwd 1500

# Find an available UID: list the UIDs already taken in the 1000-1999 range
awk -F: '$3 >= 1000 && $3 < 2000 {print $3}' /etc/passwd | sort -n

Group doesn't exist:
# Check if group exists
getent group groupname

# Create group if needed
sudo groupadd groupname

# Then add user to group
sudo usermod -a -G groupname username

Security Considerations

  • Verify user identity before making modifications
  • Be cautious when changing UIDs - update file ownership
  • Use group append (-a -G) to avoid accidentally removing groups
  • Monitor account modifications in system logs
  • Set appropriate account expiration for temporary access
  • Lock accounts instead of deleting when possible
  • Validate shell paths before changing user shells
  • Document all user modifications for compliance

Related Commands: useradd, userdel, passwd, chage, groups