sysadmin · May 27, 2026 · 14 min read

The user lifecycle.
create, modify, lock, and service accounts.

Two contractors starting Monday, one contractor to lock without deleting, and a service account for a new analytics agent. Real useradd, usermod, and the files behind them.

// what we’re getting into
  1. The ticket
  2. Concept review. The files and the flags.
  3. Create contractor2, in two groups
  4. Create contractor3, in one group
  5. Lock contractor1 without deleting
  6. The service account
  7. The -aG versus -G trap
  8. Exam questions
  9. Final checklist: confirm everything works

The ticket: dbadmin1 has three asks. Onboard two contractors, one in developers and contractors, one in contractors only. Get ready to lock a departing contractor without deleting any of their work. And create a service account for a new analytics agent that has no home directory, no login shell, and stays out of the regular user reports.

The real problem: user management is only basic until you are the one responsible for who has access. Locking versus deleting, and human versus service accounts, are the parts people get wrong.

What we are doing: creating, modifying, and locking users, and building a proper service account, with an eye on /etc/passwd, /etc/shadow, and /etc/group.

The ticket

bash
id contractor1           # already exists, UID 7004
getent group developers  # GID 7000
getent group contractors # GID 7002

Concept review. The files and the flags.

bash
man useradd
man usermod
man userdel
the files
/etc/passwd   user:x:UID:GID:comment:home:shell        account info, no password
/etc/shadow   user:hash:lastchange:min:max:warn:...    the password hash and aging
/etc/group    group:x:GID:members                      group membership
useradd flags
-u  set the UID              -d  home directory path
-g  primary group           -m  create the home directory
-G  supplementary groups    -c  comment / full name
-s  login shell             -M  do NOT create a home (service accounts)
-e  expiry date YYYY-MM-DD   -r  system account (UID below 1000)

Create contractor2, in two groups

One command sets the UID, home, shell, both supplementary groups, and a comment.

bash
sudo useradd -u 7005 -m -d /home/contractor2 -s /bin/bash \
    -G developers,contractors -c "Contractor #2" contractor2
sudo passwd contractor2

id contractor2
getent group developers
getent group contractors

Create contractor3, in one group

bash
sudo useradd -u 7006 -m -d /home/contractor3 -s /bin/bash \
    -G contractors -c "Contractor #3" contractor3
sudo passwd contractor3
id contractor3

Lock contractor1 without deleting

When someone leaves, lock first. There may be files, running processes, or audit requirements tied to the account. Locking adds a ! to the hash so the password can no longer authenticate, and their files stay put.

bash
sudo grep contractor1 /etc/shadow    # before
sudo usermod -L contractor1
sudo grep contractor1 /etc/shadow    # note the leading ! on the hash
ls -ld /home/contractor1             # files still there

# to unlock later: sudo usermod -U contractor1

The service account

A service account runs software, not a person. No home, no interactive shell, an explicit UID.

bash
sudo useradd -u 9100 -M -s /sbin/nologin -c "Analytics Service Agent" svc_analytics
id svc_analytics
grep svc_analytics /etc/passwd
ls /home/svc_analytics 2>&1    # should error, no home was created

sudo su - svc_analytics        # 'This account is currently not available.'

-M skips the home directory, -s /sbin/nologin refuses interactive login while still letting the service run as the user.

The -aG versus -G trap

The single most common usermod mistake, shown on purpose so you never make it for real.

bash
sudo usermod -G ops contractor2    # WITHOUT -a
id contractor2    # now ONLY in ops, lost developers and contractors

# fix it by re-adding the groups, correctly this time
sudo usermod -aG developers,contractors contractor2
id contractor2

# remove from a single group cleanly
sudo gpasswd -d contractor2 ops
id contractor2

Exam questions

Write the command first.

Q1. Create user sarah with UID 1600, home /home/sarah, bash shell, primary group users, supplementary group wheel, and set a password.

Q2. Lock dev2 immediately without deleting them, and verify the lock in /etc/shadow.

Q3. Create a service account appd with UID 950, no home, no login shell, and verify it cannot log in interactively.

Answers.

bash
# A1
sudo useradd -u 1600 -m -d /home/sarah -s /bin/bash -g users -G wheel sarah
sudo passwd sarah
# A2
sudo usermod -L dev2
sudo grep dev2 /etc/shadow    # hash starts with !
# A3
sudo useradd -u 950 -M -s /sbin/nologin -c "App daemon" appd
sudo su - appd    # This account is currently not available

Final checklist: confirm everything works

If every check passes, the ticket is done.

bash
# 1. contractor2 in developers and contractors, contractor3 in contractors only
id contractor2; id contractor3

# 2. contractor1 locked (! in shadow), home intact
sudo grep contractor1 /etc/shadow; ls -ld /home/contractor1

# 3. svc_analytics has no home and nologin
grep svc_analytics /etc/passwd

# 4. all three exam commands written from scratch
# 5. tracker entry checked off

Reply to dbadmin1: contractor2 and contractor3 are onboarded, contractor1 is ready to lock with usermod -L whenever you say, and svc_analytics is set up with no home and no interactive login.

next post
Password aging and scoped sudo without locking yourself out