Run a focused admin workflow: create groups, provision users with primary and secondary group control, adjust memberships safely, set a password, inspect and change account expiration, then clean up users and groups to return the host to a known state.
Ops needs a quick admin run: create groups, provision users, adjust memberships, set passwords, verify account aging, simulate an expiration issue, then clean up.
This lab emphasizes safe user and group changes with verification. You will avoid partial edits,
validate results with id and chage, and always return the system to a clean state.
/etc/passwd)
and zero or more secondary groups (stored in /etc/group).
usermod -aG to append secondary groups without
overwriting existing memberships.
gpasswd -d removes a user from a specific group without touching
other groups.
id <user> confirms group membership after each change.
chage manages aging policy and expiration;
usermod -e can also set the account expiration date.
userdel -r and removing created groups
prevents lab residue from polluting later labs.
Create the groups administrators and developers.
sudo groupadd administrators
sudo groupadd developersGroup creation requires elevated privileges. On success, there is typically no output.
sudo useradd -G administrators,developers kevin
-G sets secondary groups at creation. The user’s primary group will be created automatically
(user private group behavior can vary by distro policy, but this lab focuses on group membership control).
sudo groupadd designers
sudo groupmod -n web-designers designers
sudo usermod -aG web-designers kevin
Without -a, usermod -G replaces the entire secondary group list.
Always use -aG when you mean “append.”
sudo gpasswd -d kevin developers
id kevinRemoving user kevin from group developers
uid=1001(kevin) gid=1001(kevin) groups=1001(kevin),1000(administrators),1003(web-designers)sudo passwd kevinChanging password for user kevin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.sudo chage -l kevin
sudo chage -E 2022-12-31 kevin
sudo usermod -e 2022-12-31 kevinLast password change : Aug 20, 2025
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7You can set expiration using two different admin interfaces. In practice you choose one standard, but you should recognize both during troubleshooting.
sudo useradd -u 1050 -g administrators emma
sudo usermod -aG developers,web-designers emma
-u pins the UID. -g sets the primary group. Then you append secondary groups.
sudo usermod -s /bin/sh emmaShell changes should be deliberate. Restrict shells only when you understand how it affects user workflows.
If you forgot -a, your user may lose prior memberships. Re-add groups using
sudo usermod -aG ..., then verify with id.
Verify membership first with id kevin. Remove only when the user is actually listed in that group.
If password policy blocks the change, check configured PAM quality rules. If the account is locked,
inspect with passwd -S kevin and correct lock state intentionally.
Use ISO format YYYY-MM-DD. If you get unexpected results, confirm with
sudo chage -l kevin.
Return the system to a clean baseline by deleting created users and groups.
sudo userdel -r emma
sudo userdel -r kevin
sudo groupdel administrators
sudo groupdel developers
sudo groupdel web-designers
id kevin and id emma fail (users removed), and getent group for the created groups
returns no output.
groupadd <group>: create a new group.
groupmod -n <new> <old>: rename an existing group.
useradd -G g1,g2 <user>: create a user with secondary groups.
-G: sets the initial secondary group list.useradd -u <uid> -g <group> <user>: create a user with a specific UID and primary group.
-u: sets the UID.-g: sets the primary group.usermod -aG g1,g2 <user>: append secondary groups without overwriting.
-a: append mode.-G: group list.gpasswd -d <user> <group>: remove a user from a specific group.
id <user>: display UID, primary group, and secondary groups.
passwd <user>: set or change a user password.
chage -l <user>: display account aging and expiration.
chage -E <date> <user>: set account expiration date.
-E: expire date (use YYYY-MM-DD).usermod -e <date> <user>: set account expiration date.
-e: expire date (use YYYY-MM-DD).usermod -s <shell> <user>: change login shell.
-s: set the shell.userdel -r <user>: delete a user and their home directory.
-r: remove the home directory and mail spool.groupdel <group>: delete a group.