[TriLUG] stupid user management question

Aaron S. Joyner aaron at joyner.ws
Thu Nov 18 17:13:36 EST 2004


Blackburn, Marvin wrote:

>I am new to the shadow password file processing and have a question.
>How do I properly change a user's primary group?
>
>Can I just enter it into the /etc/passwd file?
>How do the changes get propagated to /etc/shadow and /etc/gshadow?
>
>Any help would be appreciated.
>I am running Red Hat AS 2.1
>
>------------------
>Marvin Blackburn
>Systems Administrator
>Glen Raven
>"He's no failure.  He's not dead yet" --William Lloyd George  
>  
>
To the best of my knowledge, there is no information that actually 
directly pertains to a user's primary group stored in /etc/shadow, 
/etc/gshadow, or even /etc/group for that matter.  The name and ID of 
every group is stored in the /etc/group and /etc/gshadow files, but the 
only danger there is "orphaned" groups.  You can safely change the 
user's primary group by changing the 4th field in the /etc/passwd file.  
If you are effectively removing that group entirely, you may wish to 
remove it from /etc/group and /etc/gshadow, or if you want the group to 
remain you can leave it in those two files with no ill effect.  You will 
only need to modify gpasswd and gshadow if you're getting into advanced 
group management - if that's the case check out the gpasswd man page.

Having said that, there is a command which handles this type of 
operation for you.  You can use "usermod -g <newgroup> <userid>" to 
change a user's primary group, and it will handle changing the 
appropriate files.  Note that if you remove a user, and are using 
"usergroups" (USERGROUPS_ENAB is set in /etc/login.defs - such that all 
users are created by default belonging to a single group of their own 
username) then userdel will remove that group - only if there are no 
other members of it.  So if you follow these steps:
useradd foo     # Adds a user named foo
usermod -g users foo     # Changes foo's primary group to users
userdel foo     # Deletes foo, and the usergroup foo that was created when the user was

Interestingly enough, the second step above does not delete the group 
foo - which I think is a nice feature.  He can still belong to that 
group, if you add it as an optional group for his user, but you may not 
desire for that to be his *primary* group.

If that doesn't clear it up sufficiently, as always, ask more!  :)

Aaron S. Joyner

PS - For the record, is your subject referring to the act of managing 
them, or the users themselves?  It wasn't clear.
--Your friendly BOFH
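
Added example (not part of the original message): a read-only consistency check for the reply's point that the primary group is recorded only in the 4th field of /etc/passwd. It lists users whose primary GID has no group-file entry and groups left with no members; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of passwd field 4 against the group file.
# File paths are arguments so the check can run on copies of the real files.

# Users whose primary GID (passwd field 4) has no entry in the group file.
missing_primary_gids() {
    awk -F: '
        FILENAME == ARGV[1] { if (NF >= 3) gids[$3] = 1; next }  # group file
        NF >= 4 && !($4 in gids) { print $1 ":" $4 }             # passwd file
    ' "${2:-/etc/group}" "${1:-/etc/passwd}"
}

# Groups that are nobody's primary group and list no supplementary members.
orphaned_groups() {
    awk -F: '
        FILENAME == ARGV[1] { if (NF >= 4) primary[$4] = 1; next }   # passwd file
        NF >= 3 && !($3 in primary) && $4 == "" { print $1 ":" $3 }  # group file
    ' "${1:-/etc/passwd}" "${2:-/etc/group}"
}

# Constructed sample: foo was moved to "users" with usermod -g, leaving the
# usergroup foo empty; bar had field 4 hand-edited to a GID that does not exist.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foo:x:1001:100::/home/foo:/bin/bash
bar:x:1002:1500::/home/bar:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
foo:x:1001:
wheel:x:10:root
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "Primary GID missing from group file:"
missing_primary_gids "$tmp/passwd" "$tmp/group"
echo "Groups with no primary or supplementary members:"
orphaned_groups "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

Called with no arguments, both functions read /etc/passwd and /etc/group; neither writes to them.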


