This article introduces the Linux usermod command and how you can use it for administration in order to manage the users of the machine. The command is especially useful for corporate Linux servers.
The usermod command in my experience is one of the nicer Linux commands you can rely on, but be warned that if you do it wrong some poor user is going to have something drastic done to their account, so always be careful with what you do using it and always double check your commands.
The usermod command does exactly what it says on the tin: it modifies a user. In order to do this, you will of course need to be using the root account (or an account which can administer other users), so from here on out be careful.
So what kind of awesome things can be done with usermod you ask? Well you can set a new home directory, set an account expiration date, lock the account, unlock the account, and set a new login shell for the user. I will show you a couple of examples in the next section.
It’s all well and good me telling you what you can do with usermod, but I'm also going to have to give you some examples of how exactly to do things so that everything plays well. The first example I am going to show you is a simple account lock.
Let’s say that you do not want the user "bob" to get into his account again because he is suspected of doing something to the system. To make sure he cannot get back in you need to use:
usermod -L bob
The command will then lock "bob" out of the system. Now let’s say an administrator clears Bob's name and now needs to unlock his account so he can log in again:
usermod -U bob
Let’s say that Bob now wants to move his virtual home on the system. Just use:
usermod -d /home/newbob bob
But of course bob wants all his possessions taken with him, so you would use:
usermod -m -d /home/newbob bob
This will copy all of Bob’s old files and configurations into the new home directory. This is also useful for experimenting with files and not breaking the initial home directory. In order to ensure complete compatibility you may also need to change bob's login name to newbob:
usermod -l newbob bob
A few other things
A few other things can also be done using usermod, one of which is managing account expiration, and you can use the -e flag for that one, for example:
usermod -e 2010-08-01 bob
The command above will make bob's account become disabled on that date. You can also change the groups of a user or drop all of the groups except the ones you specify (be careful with this one!)
usermod -G admin bob
will drop all of the groups except admin from bob; do not just use usermod -G if you are the lone administrator (because you will not be able to use sudo anymore, which as you can probably imagine is a nightmare).
There may be some circumstances where you may need to change the login shell of a user, and I can think of a few already. Whenever you are setting up an account to use another service and not actually log into the shell (for example an FTP account) it is always a good idea to run this:
usermod -s /bin/false ftp
This will ensure ftp gets rejected any time they try to access the shell through SSH or telnet or other similar protocols, but will still allow them to manage non-shell stuff such as the FTP protocol and the HTTP protocol.
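To double check the result of the lock, expiry and login shell commands above, the following added example (not part of the original article) reads passwd- and shadow-format text and reports each account's state. The sample lines, the function name account_state and the day number passed to it are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the state usermod leaves behind, from passwd/shadow-format text.
# Sample data is constructed; on a real host, read /etc/passwd and /etc/shadow as root.

SAMPLE_PASSWD='bob:x:1001:1001::/home/newbob:/bin/bash
ftp:x:1002:1002::/srv/ftp:/bin/false
alice:x:1003:1003::/home/alice:/bin/bash'

# Shadow field 2 = password hash, field 8 = expiry in days since 1970-01-01.
# usermod -L only prefixes the hash with "!", so expiry and shell are reported as well.
SAMPLE_SHADOW='bob:!$6$constructedsalt$constructedhash:14800:0:99999:7::14822:
ftp:*:14800:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14800:0:99999:7:::'

# account_state PASSWD_TEXT SHADOW_TEXT TODAY_DAYS
# Prints one line per user: name password=<state> expiry=<state> shell=<state>
account_state() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F: -v today="$3" '
        $0 == "---" { in_shadow = 1; next }
        !in_shadow  { shell[$1] = $7; order[++n] = $1; next }
        { hash[$1] = $2; expire[$1] = $8 }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]; h = hash[u]
                if (h ~ /^!/)       pw = "locked"
                else if (h == "*")  pw = "none"
                else if (h == "")   pw = "empty"
                else                pw = "usable"
                # An account counts as expired from its expiry day onward (0 is not special-cased).
                if (expire[u] == "")             ex = "never"
                else if (expire[u] + 0 <= today) ex = "expired"
                else                             ex = "future"
                sh = (shell[u] ~ /\/(false|nologin)$/) ? "nologin" : "interactive"
                printf "%s password=%s expiry=%s shell=%s\n", u, pw, ex, sh
            }
        }'
}

# 2010-08-01 is day 14822 since the epoch; evaluate as if today were that date.
account_state "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 14822
```

An "empty" password state means the hash field is blank, which is worth investigating on any account.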