useradd, userdel, usermod -- add, delete, or change a user account


/etc/useradd [-c comment] [-d directory] [-g group] [-G group1,group2,...]
[-m] [-s shell] [-u uid [-o]] [-x "extendedOptionString"] [-X optionsFile]

/etc/userdel [-x "extendedOptionString"] [-X optionsFile] [hostname:]user

/etc/usermod -D [-g group_name] [-s shell] [-x "extendedOptionString"]
[-X optionsFile]

/etc/usermod [-c comment] [-d directory [-m]] [-g group]
[-G group1,group2,...] [-l newname] [-s shell] [-u uid [-o]]
[-x "extendedOptionString"] [-X optionsFile] [hostname:]user


With no options specified, useradd creates a user account on the local system.

Users can be created in one of three locations:

If a user account already exists locally when an NIS version of that account is created, the local account is removed from the system. If an NIS version of an account already exists when a local version is created, the remote account is not deleted. If you wish to delete the remote account, you must do so before adding the local account of the same name.

userdel deletes the specified user account from the User Account and Group Account databases. userdel is only valid when the Low or Traditional security profiles are configured (or the SECLUID kernel parameter is set to zero). Otherwise, accounts should be retired rather than removed, as described in ``Removing or retiring a user account'' in the System Administration Guide.

usermod modifies one or more of the attributes associated with the specified account.

A user name has a limit of 8 lowercase letters or numbers, but must not begin with a number. In addition, user names cannot include colons (:) (aside from the hostname:user syntax used to create a remote account) or newlines.

For distributed accounts, only the user name, comment, password, login shell, home directory, login group, group membership, and lock status are valid across the network. For example, you cannot set the maximum number of failed login attempts for a distributed user on a remote system (it only takes effect on the master server).

When adding users to a group that is both local and distributed, users will be placed in the local group. To add users to a distributed group, use groupmod(ADM).


The following options are supported by useradd and usermod:

-c comment
Specify a text string of no more than 512 characters. Must not contain colons (:) or newlines.

-d directory
Specify the new home directory of the user. If the home directory is being changed, the contents of the previous home directory are only modified if -m is specified. Directory names must not contain colons (:) or newlines and must not begin with a period.

-g group
Specify the primary group membership of a new user in the User Account database. This may also define the account as a member of the specified group in the Group Account database. The value can be the GID or the group name. If numeric, the group need not yet exist in the Group Account database.

-G groups
Specify a set of existing group names or GIDs, from the Group Account database, contained in a comma-separated character string. This defines the additional groups that a user can access via the sg(C) utility. Duplicates are ignored. An error is displayed for each member of groups that does not exist in the group database.

-m
Create the user home directory if it does not already exist. If the directory already exists, it must be accessible by the user. The home directory is populated with the proper shell environment files found in /usr/lib/mkuser. A mailbox file is created and greetings mail is sent to the user. When used on the usermod command line, -m should not be used without -d.

-o
When used in conjunction with -u, allow the use of a UID already assigned to another account. This option is only valid when the Low or Traditional security profiles are configured (specifically, REUSEUID=TRUE must be present in /etc/default/login).

-s shell
Specify the full pathname of the program that will be used as the user's initial shell program. The shell path must not contain colons (:) or newlines.

-u uid
Specify the user ID of the new user. It must be a positive integer less than 60000. The minimum and maximum values are defined in /etc/default/accounts.

The following options are supported by usermod only:

-D
Operate on system defaults instead of an individual user account.

-l newname
Specify the new name of the user to be modified. This option is only valid when the Low or Traditional security profiles are configured (specifically, REUSEUID=TRUE must be present in /etc/default/login).

The following options are supported by useradd, userdel, and usermod:

-x "extendedOptionString"
Specify extended account parameters in the form of attribute-value pairs. See the ``Extended options and option files'' section.

-X optionsFile
Specify the file from which a set of account attributes are to be taken.

Extended options and option files

Extended options use the following syntax:

{ attribute value }

Attributes that are associated with a set of values should use nested braces to enclose the values:

{ attribute { value value } }

When used on the command line, the outermost braces ({ }) must be enclosed in double-quotes (") to prevent interpretation by the shell. Values containing spaces should be further enclosed in single quotes (').

NOTE: Extended options other than distributed and administrativeLockApplied are not valid for distributed accounts. The remaining parameters can be set on the master server, but they will only have effect on the server.

Option files use the same syntax (without the double-quotes).
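
The following is an added example, not part of the original manual page: a shell lint for an extended option string or option-file text that checks brace balance, lists the top-level attribute names, and reports attributes the NOTE above does not allow for distributed accounts. The function names are hypothetical, and it assumes that several top-level { attribute value } groups may follow one another.

```sh
#!/bin/sh
# Added example: lint an extended option string (or option-file text).
# Assumption: several top-level { attribute value } groups may follow each other.

# lint_xopts STRING: print each top-level attribute name; fail if malformed.
lint_xopts() {
    printf '%s\n' "$1" | awk -v q="'" '
    {
        gsub(q "[^" q "]*" q, " QUOTED ")  # single-quoted values are opaque
        gsub(/[{}]/, " & ")                 # braces become separate tokens
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                if (want) bad = 1           # "{ {" has no attribute name
                if (++depth == 1) want = 1
            } else if ($i == "}") {
                if (want || --depth < 0) bad = 1
            } else if (want) {
                print $i; want = 0
            }
        }
    }
    END { exit (bad || depth != 0) }'
}

# check_distributed STRING: succeed only if every attribute is one the NOTE
# above lists as valid for distributed accounts.
check_distributed() {
    attrs=$(lint_xopts "$1") || { echo "malformed option string"; return 2; }
    rc=0
    for a in $attrs; do
        case $a in
            distributed|administrativeLockApplied) ;;
            *) echo "not valid for a distributed account: $a"; rc=1 ;;
        esac
    done
    return $rc
}

# Strings taken from this page's examples.
lint_xopts '{auths {mem lp cron} }'
check_distributed '{distributed 1}' && echo "ok for distributed account"
check_distributed '{maxLoginAttempts 8}' || true
```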

Certain account status attributes (such as last successful login time and location) are not listed here, but can be queried with userls(ADM).

The following attributes are available (unless noted otherwise, each is valid with or without the -D option):

When set to 1, the account is locked and prevents a user from logging in. A value of 0 unlocks the account.

A set of flags which indicate which classes of audit event will be collected. The control mask lists the classes of audit records for which the user has non-default behavior. The audit disposition mask lists the classes of audit record for which the user is always audited. When an audit class appears in the control mask and not in the disposition mask it means that the user is never audited for that class. Event values are Default=0, On=1, Off=2.

The set of subsystem authorizations available: mem, terminal, lp, backup, auth, audit, cron, root, sysadmin, passwd, audittrail, backup_create, restore, queryspace, printqueue, printerstat, su, shutdown.

The available subsystem authorizations on the system. This parameter is only valid with the -D option.

Default absolute pathname of parent directory of user's home directory. The home directory itself has the same name as the user. This parameter is only valid with the -D option.

If this attribute is set to 1, then the account is distributed via NIS. If 0, it is not distributed. (NIS must be configured for accounts to be distributed.)

The list of supplemental groups associated with a user.

Indicates that inconsistencies between the TCB and System V account databases should result in a lockout that prevents users from logging in until the problem is corrected. This parameter is only valid with the -D option.

The time at which a user last logged off the system.

The device from which an account last successfully logged out.

The login group associated with an account.

The maximum number of consecutive unsuccessful login attempts allowed before an account is locked.

The largest numeric identifier assigned to a new user by default. This parameter is only valid with the -D option.

The largest numeric identifier that can be assigned to a user. This parameter is only valid with the -D option.

The smallest numeric identifier assigned to a new user by default. This parameter is only valid with the -D option.

The smallest numeric identifier that can be assigned to a user. This parameter is only valid with the -D option.

The permission bits associated with a home directory.

The next available pw_uid in the range of minUid to maxUid. This parameter is only valid with the -D option.

The scheduling priority of user processes (established by login). See nice(C) for more information.

The account name of a user who is held responsible for use of the account. This is only valid for accounts of type pseudo and root.

If this attribute is set to 1, then a password is verified using the configured password checking. If the password is found to be invalid, it is rejected.

If this attribute is set to 1, then a user is allowed to choose a password. If set to 0, then a password is supplied by the password generator (or the administrator).

The interval of time, in days, since a password was last changed until the authentication process requires that a new password be chosen.

The length of passwords produced by the password generator.

The interval of time, in days, since a password was last changed before the account is locked.

The minimum interval of time, in days, which must pass between password changes.

If this attribute is set to 1, the authentication process does not prompt the user for a password if the password attribute is currently set to NULL. If the attribute is set to 0, then the user is prompted for a password during authentication regardless of the current value of the password attribute. Note that other attributes may still prevent the user from gaining access to an account.

If this attribute is set to 1, a password can be generated by the user. If set to 0, the user must create their own password.

The number of characters (divided by 8) considered significant in password comparisons. For example, if passwdSignificantSegments was set to 1, then 8 characters would be significant, so login would match an entered password of abcd1234 with a stored password of abcd12345. The range is 1 to 10. This parameter is only valid with the -D option.

The account name of a user who may change the password of the account without needing subsystem authorization.

The set of initial kernel privileges set by login. The privileges are: suspendaudit, configaudit, writeaudit, execsuid, setguid, chown.

The home directory of an account.

The group number associated with an account.

The login shell of a user.

The numeric identifier for an account. This parameter is not valid with the -D option.

Indicates that values from the Protected Password database and the System default database are used in preference to the value of attributes duplicated in /etc/passwd, /etc/shadow and various /etc/default files when a discrepancy is detected. This parameter is only valid with the -D option.

The user type classification (a non-functional label). The values are: root, operator, sso, administrator, pseudo, general, retired. Normal user accounts are assigned the type general, and system accounts the type pseudo. The label retired is used only for accounts that have been retired.

Exit values

Upon completion, these utilities exit with one of the following values:

The action was successful.

An error occurred.


The following command creates a distributed user account, mavrac, with a UID of 1600, a login group of type41, and a login shell of csh:

useradd -u 1600 -s /bin/csh -g type41 -x "{distributed 1}" mavrac

This command creates a remote user, nathanb, on a remote machine obie:

useradd nathanb:obie

This command changes the maximum number of failed login attempts for user mavrac to eight:

usermod -x "{maxLoginAttempts 8}" mavrac

This command changes the set of default authorizations for users who have not been assigned individual values:

usermod -D -x "{auths {mem lp cron} }"


The length of shell and home pathnames is limited by the maximum path length supported by the filesystem on which the shell and home directory reside. This is determined by pathconf(S).

There is no limit to the comment entry length other than that an /etc/passwd file entry must not exceed 1024 characters in total length.
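
The following is an added example, not part of the original manual page: a shell audit that reads passwd-format lines on standard input and reports entries that break the limits stated on this page (user name rule, UID below 60000, a UID shared between accounts as -o permits, 512-character comment, home directory and shell path rules, 1024-character entry). The function names and the sample data are constructed for illustration, and the seven-field layout of /etc/passwd is assumed.

```sh
#!/bin/sh
# Added example (not from the manual page): audit passwd-format lines on stdin
# against the limits this page states. Prints "name: finding"; exits 1 on any.
audit_passwd() {
    awk -F: '
    function flag(msg) { print $1 ": " msg; bad = 1 }
    length($0) > 1024   { flag("entry exceeds 1024 characters") }
    NF != 7             { flag("expected 7 fields (stray colon?)"); next }
    length($1) > 8 || $1 !~ /^[a-z][a-z0-9]*$/ {
        flag("name breaks the 8-character lowercase rule") }
    $3 !~ /^[0-9]+$/ || $3 + 0 >= 60000 {
        flag("UID is not an integer below 60000") }
    ($3 in owner)       { flag("UID " $3 " already used by " owner[$3]) }
    !($3 in owner)      { owner[$3] = $1 }
    length($5) > 512    { flag("comment exceeds 512 characters") }
    $6 ~ /^\./          { flag("home directory begins with a period") }
    $7 != "" && $7 !~ /^\// { flag("shell is not a full pathname") }
    END { exit bad + 0 }'
}

# Constructed sample data, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:3:Superuser:/:/bin/sh
mavrac:x:1600:50:Test user:/usr/mavrac:/bin/csh
nathanb:x:1600:50:Shares a UID:/usr/nathanb:/bin/sh
9lives:x:1601:50:Leading digit:/usr/9lives:/bin/sh
operator1:x:1602:50:Nine characters:/usr/op1:/bin/sh
ops:x:60001:50:High UID:/usr/ops:csh
EOF
}

sample_passwd | audit_passwd || true
```

To audit a live system, run audit_passwd < /etc/passwd; a shared UID is worth reviewing because both names then act as the same identity for file ownership and permission checks.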


password file

group file

Protected Password database

Subsystem Authorizations database

user/group account creation defaults

See also

groupadd(ADM), groupls(ADM), userls(ADM), pathconf(S)

Standards conformance

useradd is conformant with AT&T SVID Issue 2.

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003