Linux useradd command

Updated: 12/29/2017 by Computer Hope

• About useradd
• useradd syntax
• useradd examples
• Related commands
• Linux and Unix commands help

About useradd
useradd creates a new user or sets the default information for new users.

Description
useradd is a low-level utility for adding users to a system. In general, the more friendly adduser
should be used instead.
Your operating system may come with a slightly different version of useradd; check your
documentation before using it to create new accounts. This documentation refers to some options
frequently used on Debian-based variants of Linux, but is representative of useradd's general use.
When invoked without the -D option, the useradd command creates a new user account using the
values specified on the command line plus the default values from the system. Depending on command
line options, the useradd command will update system files and may also create the new user's home
directory and copy initial files.
By default, a group will also be created for the new user (see the -g, -N, -U options, and the
USERGROUPS_ENAB variable, below).

useradd syntax
useradd [options] LOGIN

useradd -D

useradd -D [options]

Options
-c, --comment COMMENT can be any text string. It is generally a short description of the
COMMENT login, and is currently used as the field for the user's full name.
The new user will be created using HOME_DIR as the value for the user's login
-d, --home directory. The default is to append the LOGIN name to BASE_DIR and use that
HOME_DIR as the login directory name. The directory HOME_DIR does not have to exist
but will not be created if it is missing.
Set new default values. See the section on Changing New User Default Values,
-D, --defaults
below.
The date on which the user account will be disabled. The date is specified in the
format YYYY-MM-DD.
-e, --expiredate
EXPIRE_DATE If not specified, useradd will use the default expiry date specified by the
EXPIRE variable in /etc/default/useradd, or an empty string (no expiry) by
default.
The number of days after a password expires until the account is permanently
disabled. A value of 0 disables the account as soon as the password has expired,
-f, --inactive and a value of -1 disables the feature.
INACTIVE
If not specified, useradd will use the default inactivity period specified by the
INACTIVE variable in /etc/default/useradd, or -1 by default.
The group name or number of the user's initial login group. The group name
must exist. A group number must refer to an already existing group.

If not specified, the behavior of useradd will depend on the

USERGROUPS_ENAB variable in /etc/login.defs. If this variable is set to yes
-g, --gid GROUP
(or -U/--user-group is specified on the command line), a group will be created
for the user, with the same name as her loginname. If the variable is set to no (or
-N/--no-user-group is specified on the command line), useradd will set the
primary group of the new user to the value specified by the GROUP variable in
/etc/default/useradd, or 100 by default.
-G, --groups A list of groups containing the user as a member. Each group is separated from
GROUP1[,GROUP2, the next by a comma, with no intervening whitespace. The groups are subject to
...[,GROUPN]]] the same restrictions as the group given with the -g option. The default is for the
 user to belong only to the initial group.
-h, --help Display a help message, and exit.
SKEL_DIR is the skeleton directory, which contains files and directories to be
copied in the user's home directory, when the home directory is created by
useradd.

This option is only valid if the -m (or --create-home) option is specified.

-k, --skel SKEL_DIR
If this option is not set, the skeleton directory is defined by the SKEL variable
in /etc/default/useradd or, by default, /etc/skel.

If possible, the ACL and extended attributes are copied.

Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK,
PASS_MAX_DAYS and others).
-K, --key
Example: -K PASS_MAX_DAYS=-1 can be used when creating system
KEY=VALUE
account to turn off password aging, even though system account has no
password at all. Multiple -K options can be specified, for example: -K
UID_MIN=100 -K UID_MAX=499
Do not add the user to the lastlog and faillog databases.

By default, the user's entries in the lastlog and faillog databases are resetted to
-l, --no-log-init avoid reusing the entry from a previously deleted user.

For the compatibility with previous versions of useradd, the -O option is also
supported for this purpose.
Create the user's home directory if it does not exist. The files and directories
contained in the skeleton directory (which can be defined with the -k option)
will be copied to the home directory.
-m, --create-home
By default, if this option is not specified and CREATE_HOME is not enabled,
no home directories are created.
Do no create the user's home directory, even if the system wide setting from
-M
/etc/login.defs (CREATE_HOME) is set to yes.
Do not create a group with the same name as the user, but add the user to the
group specified by the -g option or by the GROUP variable in
/etc/default/useradd.
-N, --no-user-group
The default behavior (if the -g, -N, and -U options are not specified) is defined
by the USERGROUPS_ENAB variable in /etc/login.defs.
Allow the creation of a user account with a duplicate (non-unique) UID.
-o, --non-unique
This option is only valid in combination with the -u option.
-p, --password The encrypted password, as returned by crypt. The default is to disable the
PASSWORD password.

Note: This option is not recommended because the password (or encrypted
 password) will be visible by users listing the processes (for example, with the ps
command).

You should make sure the password respects the system's password policy.
Create a system account.

System users will be created with no aging information in /etc/shadow, and

their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their
-r, --system GID counterparts for the creation of groups).

Note that useradd will not create a home directory for such an user, regardless
of the default setting in /etc/login.defs (CREATE_HOME). You have to
specify the -m options if you want a home directory for a system account to be
created.
-R, --root Apply changes in the CHROOT_DIR directory and use the configuration files
CHROOT_DIR from the CHROOT_DIR directory.
The name of the user's login shell. The default is to leave this field blank, which
-s, --shell SHELL causes the system to select the default login shell specified by the SHELL
variable in /etc/default/useradd, or an empty string by default.
The numerical value of the user's ID. This value must be unique, unless the -o
option is used. The value must be non-negative. The default is to use the
smallest ID value greater than or equal to UID_MIN and greater than every
-u, --uid UID
other user.

See also the -r option and the UID_MAX description.

Create a group with the same name as the user, and add the user to this group.
-U, --user-group
The default behavior (if the -g, -N, and -U options are not specified) is defined
by the USERGROUPS_ENAB variable in /etc/login.defs.
-Z, --selinux-user The SELinux user for the user's login. The default is to leave this field blank,
SEUSER which causes the system to select the default SELinux user.

Changing New User Default Values

When invoked with only the -D option, useradd will display the current default values. When invoked
with -D plus other options, useradd will update the default values for the specified options.
Valid default-changing options are:

The path prefix for a new user's home directory. The user's name will be affixed to
the end of BASE_DIR to form the new user's home directory name, if the -d option
-b, --base-dir
is not used when creating a new account.
BASE_DIR
This option sets the HOME variable in /etc/default/useradd.
The date on which the user account is disabled.
-e, --expiredate
EXPIRE_DATE
This option sets the EXPIRE variable in /etc/default/useradd.
 The number of days after a password has expired before the account will be
-f, --inactive disabled.
INACTIVE
This option sets the INACTIVE variable in /etc/default/useradd.
The group name or ID for a new user's initial group (when the -N/--no-user-group
is used or when the USERGROUPS_ENAB variable is set to no in
/etc/login.defs). The named group must exist, and a numerical group ID must have
-g, --gid GROUP
an existing entry.

This option sets the GROUP variable in /etc/default/useradd.

The name of a new user's login shell.
-s, --shell SHELL
This option sets the SHELL variable in /etc/default/useradd.

Notes
The system administrator is responsible for placing the default user files in the /etc/skel/ directory (or
any other skeleton directory specified in /etc/default/useradd or on the command line).

Caveats
You may not add a user to a NIS or LDAP group. This must be performed on the corresponding server.
Similarly, if the username already exists in an external user database such as NIS or LDAP, useradd
will deny the user account creation request.
It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. The
regular expression which describes a valid username is:
[a-z_][a-z0-9_-]*[$]?
The only constraints are that usernames must neither start with a dash ('-') nor plus ('+') nor tilde ('~')
nor contain a colon (':'), a comma (','), or a whitespace (space: ' ', end of line: '\n', tab: '\t', etc.). Note
that using a slash ('/') may break the default algorithm for the definition of the user's home directory.
Usernames may only be up to 32 characters long.

Configuration
The following configuration variables in /etc/login.defs change the behavior of this tool:

name type description

Indicate if a home directory should be created by default for new users.
CREATE_HO
boolean
ME This setting does not apply to system users, and can be overridden on the
command line.
GID_MAX, number Range of group IDs used for the creation of regular groups by useradd,
 groupadd, or newusers.
GID_MIN
The default value for GID_MIN is 1000; the default for GID_MAX is
60000.
The mail spool directory. This is needed to manipulate the mailbox when its
MAIL_DIR string corresponding user account is modified or deleted. If not specified, a
compile-time default is used.
Defines the location of the users mail spool files relatively to their home
MAIL_FILE string
directory.
The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and userdel to create,
move, or delete the user's mail spool.

Maximum members per group entry. When the maximum is reached,

a new group entry (line) is started in /etc/group (with the same name,
same password, and same group ID).

The default value is 0, meaning that there are no limits in the number
of members in a group.

MAX_MEMBERS_P This feature (split group) can help to limit the length of lines in the
number
ER_GROUP group file. This is useful to make sure that lines for NIS groups are
not larger than 1024 characters.

If you need to enforce such limit, you can use 25.

Note: split groups may not be supported by all tools, even advanced
tools like the Shadow toolsuite. You should not use this variable
unless you really need it.
The maximum number of days a password may be used. If the
PASS_MAX_DAYS number password is older than this, a password change will be forced. If not
specified, -1 will be assumed (which disables the restriction).
The minimum number of days allowed between password changes.
PASS_MIN_DAYS number Any password changes attempted sooner than this will be rejected. If
not specified, -1 will be assumed (which disables the restriction).
The number of days warning given before a password expires. A zero
means warning is given only upon the day of expiration, a negative
PASS_WARN_AGE number
value means no warning is given. If not specified, no warning will be
provided.
Range of group IDs used for the creation of system groups by
useradd, groupadd, or newusers.
SYS_GID_MAX,
number
SYS_GID_MIN
The default value for SYS_GID_MIN is 101; the default value for
SYS_GID_MAX is GID_MIN minus 1.
SYS_UID_MAX, number Range of user IDs used for the creation of system users by useradd
SYS_UID_MIN or newusers.

The default value for SYS_UID_MIN is 101; the default value of

 SYS_UID_MAX is UID_MIN minus 1.
Range of user IDs used for the creation of regular users by useradd
or newusers.
UID_MAX,
number
UID_MIN
The default value for UID_MIN (resp. UID_MAX) is 1000 (resp.
60000).
The file mode creation mask is initialized to this value. If not
specified, the mask will be initialized to 022. useradd and newusers
UMASK number
use this mask to set the mode of the home directory they create. It is
also used by pam_umask as the default umask value.
If set to yes, userdel will remove the user's group if it contains no
USERGROUPS_EN
boolean more members, and useradd will create by default a group with the
AB
name of the user.

Files
/etc/passwd User account information.
/etc/shadow Secure user account information.
/etc/group Group account information.
/etc/gshadow Secure group account information.
/etc/default/useradd Default values for account creation.
/etc/skel/ Directory containing default files.
/etc/login.defs Shadow password suite configuration.

Exit Status
useradd exits with the following status, depending on what occurred:

0 Everything was completed successfully.

1 Couldn't update the password file.
2 The syntax of the command was invalid.
3 One or more options were given an invalid argument.
4 User ID is already in use, and -o was not specified.
6 Specified group doesn't exist.
9 Username already in use.
10 Couldn't update the group file.
12 Couldn't create the home directory.
14 Couldn't update SE Linux user mapping.

useradd examples
Note: For these commands to work you must have root privileges.
useradd -D

Displays the defaults for new users. Output resembles the following:
GROUP=1001
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

useradd newperson

Creates newperson as a new user. Once the new user has been added, you would need to use the
passwd command to assign a password to the account.
Once a user has been created, you can modify any of the user settings, such as the user's home
directory, using the usermod command.