The user lifecycle.
create, modify, lock, and service accounts.
Two contractors starting Monday, one contractor to lock without deleting, and a service account for a new analytics agent. Real useradd, usermod, and the files behind them.
The ticket: dbadmin1 has three asks. Onboard two contractors, one in developers and contractors, one in contractors only. Get ready to lock a departing contractor without deleting any of their work. And create a service account for a new analytics agent that has no home directory, no login shell, and stays out of the regular user reports.
The real problem: user management is only basic until you are the one responsible for who has access. Locking versus deleting, and human versus service accounts, are the parts people get wrong.
What we are doing: creating, modifying, and locking users, and building a proper service account, with an eye on /etc/passwd, /etc/shadow, and /etc/group.
The ticket
id contractor1 # already exists, UID 7004 getent group developers # GID 7000 getent group contractors # GID 7002
Concept review. The files and the flags.
man useradd man usermod man userdel
/etc/passwd user:x:UID:GID:comment:home:shell account info, no password /etc/shadow user:hash:lastchange:min:max:warn:... the password hash and aging /etc/group group:x:GID:members group membership
-u set the UID -d home directory path -g primary group -m create the home directory -G supplementary groups -c comment / full name -s login shell -M do NOT create a home (service accounts) -e expiry date YYYY-MM-DD -r system account (UID below 1000)
Create contractor2, in two groups
One command sets the UID, home, shell, both supplementary groups, and a comment.
sudo useradd -u 7005 -m -d /home/contractor2 -s /bin/bash \
-G developers,contractors -c "Contractor #2" contractor2
sudo passwd contractor2
id contractor2
getent group developers
getent group contractorsCreate contractor3, in one group
sudo useradd -u 7006 -m -d /home/contractor3 -s /bin/bash \
-G contractors -c "Contractor #3" contractor3
sudo passwd contractor3
id contractor3Lock contractor1 without deleting
When someone leaves, lock first. There may be files, running processes, or audit requirements tied to the account. Locking adds a ! to the hash so the password can no longer authenticate, and their files stay put.
sudo grep contractor1 /etc/shadow # before sudo usermod -L contractor1 sudo grep contractor1 /etc/shadow # note the leading ! on the hash ls -ld /home/contractor1 # files still there # to unlock later: sudo usermod -U contractor1
The service account
A service account runs software, not a person. No home, no interactive shell, an explicit UID.
sudo useradd -u 9100 -M -s /sbin/nologin -c "Analytics Service Agent" svc_analytics id svc_analytics grep svc_analytics /etc/passwd ls /home/svc_analytics 2>&1 # should error, no home was created sudo su - svc_analytics # 'This account is currently not available.'
-M skips the home directory, -s /sbin/nologin refuses interactive login while still letting the service run as the user.
The -aG versus -G trap
The single most common usermod mistake, shown on purpose so you never make it for real.
sudo usermod -G ops contractor2 # WITHOUT -a id contractor2 # now ONLY in ops, lost developers and contractors # fix it by re-adding the groups, correctly this time sudo usermod -aG developers,contractors contractor2 id contractor2 # remove from a single group cleanly sudo gpasswd -d contractor2 ops id contractor2
Exam questions
Write the command first.
Q1. Create user sarah with UID 1600, home /home/sarah, bash shell, primary group users, supplementary group wheel, and set a password.
Q2. Lock dev2 immediately without deleting them, and verify the lock in /etc/shadow.
Q3. Create a service account appd with UID 950, no home, no login shell, and verify it cannot log in interactively.
Answers.
# A1 sudo useradd -u 1600 -m -d /home/sarah -s /bin/bash -g users -G wheel sarah sudo passwd sarah # A2 sudo usermod -L dev2 sudo grep dev2 /etc/shadow # hash starts with ! # A3 sudo useradd -u 950 -M -s /sbin/nologin -c "App daemon" appd sudo su - appd # This account is currently not available
Final checklist: confirm everything works
If every check passes, the ticket is done.
# 1. contractor2 in developers and contractors, contractor3 in contractors only id contractor2; id contractor3 # 2. contractor1 locked (! in shadow), home intact sudo grep contractor1 /etc/shadow; ls -ld /home/contractor1 # 3. svc_analytics has no home and nologin grep svc_analytics /etc/passwd # 4. all three exam commands written from scratch # 5. tracker entry checked off
Reply to dbadmin1: contractor2 and contractor3 are onboarded, contractor1 is ready to lock with usermod -L whenever you say, and svc_analytics is set up with no home and no interactive login.