You have inherited a server, taken over a project, or just need to audit who has access. The first question: who has an account on this machine?
Linux stores user information in a few well-defined places. Once you know where to look, listing users, checking their groups, and managing accounts becomes straightforward.
Quick Reference
| Task | Command |
|---|---|
| List all users | cat /etc/passwd |
| List usernames only | cut -d: -f1 /etc/passwd |
| List human users only | awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd |
| List all users (including LDAP/AD) | getent passwd |
| Check a specific user | id username |
| List groups for a user | groups username |
| List who is logged in | who or w |
| List recent logins | last |
Understanding /etc/passwd
Every user account on a Linux system has an entry in /etc/passwd. Despite the name, this file does not contain passwords (those are in /etc/shadow, which requires root access).
cat /etc/passwd
Each line follows this format:
username:x:UID:GID:comment:home_directory:shell
Example:
eric:x:1000:1000:Eric Lonsdale:/home/eric:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
The seven fields are:
- Username — the login name
- Password placeholder — always x (actual hash is in /etc/shadow)
- UID — user ID number (0 = root, 1-999 = system accounts, 1000+ = human users)
- GID — primary group ID
- Comment/GECOS — full name or description
- Home directory — the user’s home folder
- Shell — the login shell (/bin/bash for interactive users, /usr/sbin/nologin for service accounts)
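An audit pass over the seven fields described above, as an added example that is not part of the original article. It goes beyond listing users to flag entries worth reviewing; the function names, the finding labels and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd-format lines read from stdin
# (for instance: getent passwd | audit_passwd). One finding per line.
audit_passwd() {
    awk -F: '
        NF != 7 { print "MALFORMED:line " NR; next }
        # UID 0 carries root privileges whatever the username is.
        $3 == 0 && $1 != "root" { print "EXTRA_UID0:" $1 }
        # Field 2 should be the placeholder x; an empty or inline value needs review.
        $2 != "x" { print "PASSWD_FIELD:" $1 }
        # Names that share a UID are one account as far as file ownership goes.
        ($3 in seen) { print "DUP_UID:" $1 "=" seen[$3] }
        !($3 in seen) { seen[$3] = $1 }
        # Service accounts (UID 1-999) normally use nologin or false as shell.
        $3 >= 1 && $3 <= 999 && $7 !~ "/(nologin|false)$" {
            print "SYSTEM_SHELL:" $1 ":" $7
        }
    '
}

# Constructed sample: the first four lines are well-formed, the rest are
# deliberately suspicious entries made up for this example.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
eric:x:1000:1000:Eric Lonsdale:/home/eric:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
toor:x:0:0:constructed:/root:/bin/bash
svcapp:x:998:998:constructed:/var/lib/svcapp:/bin/bash
legacy::1001:1001:constructed:/home/legacy:/bin/bash
eric2:x:1000:1000:constructed:/home/eric2:/bin/bash
EOF
}

sample_passwd | audit_passwd
```

On a real system, expect a few SYSTEM_SHELL hits from stock accounts such as sync; treat the output as a review list rather than a verdict.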
List All Usernames
The full /etc/passwd output is noisy. To see just the usernames:
cut -d: -f1 /etc/passwd
This cuts each line at the colon delimiter and prints field 1 (the username).
Alternative using awk:
awk -F: '{print $1}' /etc/passwd
Both produce the same result. Use whichever you remember.
List Human Users Only (Filter System Accounts)
Most Linux systems create dozens of system accounts (www-data, nobody, systemd-network, etc.). To see only real human user accounts, filter by UID 1000 or higher:
awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd
This works because:
- UID 0 = root
- UID 1-999 = system and service accounts
- UID 1000+ = human users created with useradd or adduser
- UID 65534 = nobody (excluded)
You can also use compgen if you just want a quick list:
compgen -u
This lists all users the system knows about, including those from external sources like LDAP.
List Users Including LDAP and Active Directory
If your server is joined to Active Directory or uses LDAP for authentication, /etc/passwd only shows local accounts. To see all users the system can authenticate:
getent passwd
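The getent command queries the Name Service Switch (NSS), which includes local files, LDAP, SSSD, and Active Directory. The output format is identical to /etc/passwd. On SSSD-backed systems enumeration is disabled by default, so a bare getent passwd may not list every domain user; looking up a specific name still works.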
To check a specific user:
getent passwd eric
If the user exists (locally or via LDAP/AD), you will see their entry. If not, there is no output and the exit code is non-zero.
Check a Specific User's Details
The id command shows everything about a user in one line:
id eric
Output:
uid=1000(eric) gid=1000(eric) groups=1000(eric),4(adm),27(sudo),999(docker)
This tells you:
- Their UID and primary group
- Every group they belong to (including sudo, docker, etc.)
For just the groups in a readable format:
groups eric
Output:
eric : eric adm sudo docker
See Who Is Currently Logged In
To see active sessions:
# Simple list
who
# Detailed (includes load average, idle time, what they are running)
w
Example w output:
14:23:01 up 42 days, 3:15, 2 users, load average: 0.15, 0.10, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
eric pts/0 192.168.1.50 14:20 0.00s 0.03s 0.00s w
deploy pts/1 10.0.0.5 09:15 5:08m 0.01s 0.00s -bash
To see recent login history:
# Last logins
last
# Last 10 logins
last -n 10
# Failed login attempts (requires root)
sudo lastb
Security tip: Run last regularly to spot unexpected logins. On a server, you should recognise every IP address that connects. If you do not, investigate immediately.
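One way to turn that tip into a repeatable check, as an added example that is not part of the original article: it reads `last -i` output (the `-i` option prints IP addresses instead of hostnames) and reports logins from addresses missing from a known-good list. The function names, the allowlist and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: report logins from addresses that are not on an allowlist.
# stdin: output of `last -i`; $1: space-separated list of known-good IPs.
# Prints "user ip count" for every unrecognised source, sorted.
unknown_logins() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip reboot records, the trailing "wtmp begins" line and blanks.
        $1 == "reboot" || $1 == "wtmp" || $1 == "btmp" || NF < 4 { next }
        # 0.0.0.0 means a local console session with no remote address.
        $3 == "0.0.0.0" { next }
        # Ignore anything whose third column is not an IPv4/IPv6 address.
        $3 !~ /^[0-9a-fA-F:.]+$/ { next }
        !($3 in ok) { hits[$1 " " $3]++ }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Constructed sample of `last -i` output (203.0.113.0/24 is a
# documentation-only address range).
sample_last() {
    cat <<'EOF'
eric     pts/0        192.168.1.50     Tue Mar  4 14:20   still logged in
deploy   pts/1        10.0.0.5         Tue Mar  4 09:15 - 09:40  (00:25)
deploy   pts/2        203.0.113.77     Mon Mar  3 02:11 - 02:14  (00:03)
deploy   pts/2        203.0.113.77     Mon Mar  3 01:58 - 02:02  (00:04)
eric     tty1         0.0.0.0          Sun Mar  2 18:30 - 18:45  (00:15)
reboot   system boot  0.0.0.0          Sun Mar  2 18:29   still running

wtmp begins Sat Mar  1 00:00:03 2025
EOF
}

sample_last | unknown_logins "192.168.1.50 10.0.0.5"
```

On a live host, run it as `last -i | unknown_logins "ip1 ip2"` with your own list of expected source addresses.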
Managing User Accounts
Add a New User
# Interactive (creates home dir, sets shell, prompts for password)
sudo adduser newuser
# Non-interactive (minimal, no home dir by default)
sudo useradd newuser
# Non-interactive with home dir and bash shell
sudo useradd -m -s /bin/bash newuser
sudo passwd newuser
Recommendation: Use adduser on Debian/Ubuntu for interactive setup. Use useradd with flags in scripts for automation.
Add a User to a Group
# Add to sudo group (gives admin privileges)
sudo usermod -aG sudo username
# Add to docker group (run Docker without sudo)
sudo usermod -aG docker username
The -a flag means append. Without it, usermod -G replaces all secondary groups, which can lock users out of sudo. Always use -aG.
Remove a User
# Remove user but keep their home directory
sudo userdel username
# Remove user AND their home directory
sudo userdel -r username
Lock and Unlock Accounts
# Lock (disable login without deleting)
sudo usermod -L username
# Unlock
sudo usermod -U username
# Check if locked (the status field shows L; the ! before the password hash is visible in /etc/shadow)
sudo passwd -S username
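Locking is better than deleting when you need to disable access temporarily or preserve the user's files and audit trail. Note that usermod -L locks only the password: other authentication methods, such as SSH keys, can still work, and the usermod man page advises also setting the account expiry date when the whole account must be disabled.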
Useful One-Liners
# Count total users on the system
wc -l /etc/passwd
# Count human users only
awk -F: '$3 >= 1000 && $3 < 65534' /etc/passwd | wc -l
# List users with sudo access
getent group sudo
# List users with shell access (can log in)
grep -v '/nologin\|/false' /etc/passwd | cut -d: -f1
# Find users who have never logged in
lastlog | grep "Never logged in"
# List all groups on the system
cut -d: -f1 /etc/group
Quick User Audit Script
Here is a script you can drop onto any server for a fast user audit:
#!/bin/bash
echo "=== System: $(hostname) ==="
echo "=== Date: $(date) ==="
echo ""
echo "--- Human Users (UID >= 1000) ---"
awk -F: '$3 >= 1000 && $3 < 65534 {printf " %-20s UID:%-6s Shell:%s\n", $1, $3, $7}' /etc/passwd
echo ""
echo "--- Users With Sudo Access ---"
getent group sudo | cut -d: -f4 | tr ',' '\n' | sed 's/^/ /'
echo ""
echo "--- Currently Logged In ---"
who | sed 's/^/ /'
echo ""
echo "--- Last 5 Logins ---"
last -n 5 | head -5 | sed 's/^/ /'
Why This Matters
User management is a daily sysadmin task:
- Onboarding -- create accounts, assign groups, set permissions
- Offboarding -- disable or remove accounts when people leave (a common security audit finding)
- Incident response -- check who is logged in, review login history, identify compromised accounts
- Compliance -- auditors want to see that access is reviewed regularly and stale accounts are removed
- Automation -- Ansible playbooks that manage users across fleets need these same commands under the hood
Next Steps
- Check Your Linux Version -- know what OS and kernel you are running
- Scripting Fundamentals -- automate user management with Bash scripts
- Linux Fundamentals Series -- the full series from basics to job-ready
- Secure Linux Servers with Ansible -- automate security hardening including user account policies

ReadTheManual is run, written and curated by Eric Lonsdale.
Eric has over 20 years of professional experience in IT infrastructure, cloud architecture, and cybersecurity, but started with PCs long before that.
He built his first machine from parts bought off tables at the local college campus, hoping they worked. He learned on BBC Micros and Atari units in the early 90s, and has built almost every PC he’s used between 1995 and now.
From helpdesk to infrastructure architect, Eric has worked across enterprise datacentres, Azure environments, and security operations. He’s managed teams, trained engineers, and spent two decades solving the problems this site teaches you to solve.
ReadTheManual exists because Eric believes the best way to learn IT is to build things, break things, and actually read the manual. Every guide on this site runs on infrastructure he owns and maintains.

