PublishedJune 15, 2026

How To Create A New Linux User And Add Them To Specific Groups

Q: What is the difference between useradd and adduser in Linux?

The useradd and adduser commands are both used to create new user accounts, but they differ in usability and customization. useradd is a low-level utility that offers more direct control, requiring explicit options for setting up home directories, groups, and shells. In contrast, adduser is a friendlier, more interactive script that prompts for necessary information and sets up the account with sensible defaults. It is generally easier for beginners but may not offer the same level of customization as useradd.

Ready to start learning?

Individual Plans →Team Plans →

▼

By ITU Online Editorial Team

IT training provider since 2012, specializing in CompTIA, Cybersecurity, Project Management, Cisco, Microsoft, AWS, Azure, and Cloud certifications.

Published June 15, 2026

When you need to linux make new user accounts and place them into the right user groups, the details matter. A wrong primary group, a missing -a flag, or a forgotten home directory can turn a simple Linux user management task into a permission problem that wastes time on the command line and slows down system administration.

Quick Answer

To create a new Linux user and add them to specific groups, use useradd or adduser to create the account, set a primary group with -g if needed, add supplementary groups with usermod -aG, then verify membership with id and groups. On most systems, group changes take effect after the user re-logs in.

Quick Procedure

Create the required group with groupadd if it does not already exist.
Create the user with useradd or adduser.
Set a home directory and shell during account creation.
Assign a primary group with -g when the account needs one.
Add supplementary groups with usermod -aG.
Set the password with passwd.
Verify the result with id, groups, and a file access test.

Primary Commands	`useradd`, `adduser`, `usermod`, `groupadd`, `passwd`
Typical Account Files	`/etc/passwd`, `/etc/group`, `/etc/shadow`
Primary Group Behavior	Defines the default group ownership for new files
Supplementary Groups	Grant additional access without changing the primary group
Verification Commands	`id`, `groups`, `getent group`
Session Requirement	Group changes usually apply after re-login as of June 2026

Understanding Linux Users And Groups

A Linux user account is an identity the operating system uses for ownership, permissions, and login behavior. A group account is a collection of users that share access rules, which makes it easier to manage files, directories, and administrative privileges on a busy server.

The key difference is simple: users represent individuals or service identities, while groups represent shared access boundaries. In Linux user management, the primary group usually controls the default group ownership of newly created files, while supplementary groups add extra access such as sudo, shared project folders, or container tooling.

Primary Group Versus Supplementary Groups

Every account has one primary group, even if that group is just a private group named after the user. Supplementary groups are extra memberships that let the same account reach more resources without changing the account’s base identity.

That distinction matters in real environments. For example, a developer might have a primary group of devalice but also belong to docker, sudo, and project-x as supplementary groups.

The Identity Files You Need To Know

Linux stores account data in three core files: Linux uses /etc/passwd for user records, /etc/group for group records, and /etc/shadow for password hashes and aging data. These files are central to access control and should be edited carefully, ideally through account-management commands rather than direct file edits.

When you use the command line tools correctly, the system updates all three files for you. That is safer than hand-editing, and it keeps permissions consistent for local logins, SSH sessions, and service accounts.

“Most permission problems are not caused by Linux being difficult. They are caused by a user being in the wrong group, or the right group at the wrong time.”

Different distributions ship slightly different defaults. For example, some systems favor adduser as an interactive helper, while others provide only the lower-level useradd utility by default. That is normal, and it is one reason administrators should know both workflows.

Official guidance from useradd, usermod, and groupadd explains how these account tools work at the system level, including default group behavior and command flags.

Prerequisites

Before you create a user and assign groups, make sure you have the right access and a clear plan for the account. On a production server, a careless change can affect file ownership, scheduled tasks, and application permissions.

Root access or sudo rights to create accounts and change membership.
A clear username that matches your naming convention.
The target groups already defined, or permission to create them.
Knowledge of the account purpose, such as developer access, shared project access, or service use.
A shell plan, such as /bin/bash for interactive users or /usr/sbin/nologin for service accounts.
Verification access to test the result with id, groups, or a group-owned directory.

If you work in regulated environments, align account changes with formal access control practices. The NIST Cybersecurity Framework and NIST SP 800-53 both emphasize controlled access, least privilege, and traceable identity management.

Creating A New User Account

The most direct way to linux make new user accounts is with useradd. This is a low-level command that creates the account entry, and with the right flags it can also create the home directory, set the shell, and attach the proper default group.

On many distributions, adduser is a friendlier wrapper that asks interactive questions and handles some defaults for you. It is often easier for new administrators, but the underlying account behavior still maps back to the same Linux identity files.

Using useradd

A basic example looks like this:

sudo useradd alice

That creates the account record, but it does not always create a home directory or set a password. For a usable interactive account, you usually want something closer to:

sudo useradd -m -s /bin/bash alice

The -m flag creates /home/alice, and -s sets the default shell. If you forget -m, the account may exist but have no home directory, which becomes a problem for SSH keys, dotfiles, and normal login behavior.

Using adduser Where Available

Some systems provide adduser as a higher-level tool that automatically walks you through password prompts and account details. It is still worth knowing how to use useradd because scripts, minimal servers, and rescue environments often rely on it.

In practice, administrators should know both commands. A desktop install may support adduser neatly, while a hardened server or container image may expose only useradd and related utilities.

Setting The Password And Shell

After account creation, set the password with:

sudo passwd alice

That updates the hash stored in /etc/shadow. If the account is for SSH key access only, you may still set a password policy according to your security rules, but disable password logins at the service level if required.

Choosing the shell matters too. Use /bin/bash or another interactive shell for real users, and use /usr/sbin/nologin or /bin/false for accounts that should not provide a login prompt.

Warning

Do not create a user account and assume it is ready for use. If the home directory, shell, or password is missing, the account may exist in /etc/passwd but still fail at login time.

For official account behavior details, Linux distributions generally follow the documented semantics in useradd and passwd. Those pages are useful when you need to check defaults such as home directory creation and account aging.

Assigning A Primary Group During User Creation

A primary group is the group that owns files the user creates by default. If you do not set one manually, most Linux systems create or assign a private group that matches the username, which keeps user-created files isolated from other accounts.

That default is good for personal accounts. It is not always ideal for team-based work, where shared file ownership or directory collaboration is more important than private ownership.

Setting A Custom Primary Group

Use -g with useradd to assign a specific primary group during creation:

sudo useradd -m -s /bin/bash -g projectteam alice

This tells Linux to make projectteam the account’s primary group. It is useful when all files the user creates should default to a shared project group rather than a private user-specific group.

When To Use A Shared Primary Group

A shared primary group makes sense in environments where multiple users produce files for the same application, lab, or deployment directory. It can simplify collaboration, but it can also broaden file access if the directory permissions are not controlled carefully.

For personal desktops and most general-purpose user accounts, a private primary group is usually safer. For a deployment team working in /srv/projectx, a shared primary group can reduce permission friction if the directory is also managed with the correct setgid bit and group write rules.

A practical example looks like this:

sudo groupadd projectx
sudo useradd -m -s /bin/bash -g projectx jdoe
sudo passwd jdoe

That sequence creates the group first, then creates the user with that group as the primary identity. If your file structure depends on group-owned collaboration, this is cleaner than changing file permissions after the fact.

For administrators aligning with workforce and access frameworks, the CISA least privilege guidance reinforces the same rule: give accounts only the access they need, and nothing more.

Adding A User To Supplementary Groups

Supplementary groups are additional groups that extend access without replacing the primary group. This is the normal way to give a user sudo rights, Docker access, shared folder access, or access to application-specific files.

The key command is usermod -aG. The -a flag means append, and it prevents accidental removal of existing group memberships. Forgetting -a is a common admin mistake that can strip a user out of groups they still need.

Adding Multiple Groups At Once

Use a comma-separated list with no spaces:

sudo usermod -aG sudo,docker,projectx alice

This adds alice to three supplementary groups in one command. If you are managing a developer workstation, that is a common pattern because the user may need administrative access, container access, and project access at the same time.

Common Real-World Group Examples

sudo for controlled administrative elevation.
docker for local container management.
projectx for shared development directories.
www-data in some environments for web-content ownership and testing.

On a system with Docker installed, group membership often controls whether a user can run container commands without typing sudo every time. That is convenient, but it is also a privilege decision, so confirm the group’s purpose before adding users broadly.

Note

New supplementary group membership usually does not appear in the current session immediately. The user often needs to log out and log back in before the shell picks up the updated group list.

For container-related access decisions, official Docker documentation and your internal security standards should guide group use. For access control in general, Access Control should always be based on least privilege, not convenience alone.

Creating The Required Groups First

Groups often need to be created before you can assign users to them. If you try to add a user to a nonexistent group, the command fails and you end up troubleshooting a problem that was really just a missing group object.

Use groupadd to create a group cleanly:

sudo groupadd projectx

That entry appears in /etc/group and becomes available for user assignment. In multi-user environments, descriptive names such as projectx, db-admins, or web-readonly make administration easier than vague names like group1.

Checking That The Group Exists

You can confirm the group with:

getent group projectx

That is often better than reading /etc/group directly because it respects the system’s identity lookup rules. If your environment uses local files, LDAP, or another directory source, getent shows the effective answer.

For official behavior, see the Linux manual page for groupadd. If your organization follows broader identity governance controls, align group creation with policy, not ad hoc naming.

How To Add A User To Specific Groups

To add a user to existing groups, use usermod -aG. This is the safest and most common way to update Linux user management after the account already exists.

Confirm the target groups exist. Run getent group sudo, getent group docker, or getent group projectx before you change the account. If the group is missing, create it first with groupadd.
Add the user to the groups. Use sudo usermod -aG sudo,docker,projectx alice. The comma-separated list is important, and the -a flag prevents removal of existing memberships.
Set or verify the password. Run sudo passwd alice if the account should log in interactively. This is especially important on servers where the user account may have been created without a password as part of a staged rollout.
Refresh the session. Ask the user to log out and log in again, or use a new shell after reauthentication. A current shell may still show the old group list until it reloads the account context.
Check the account record. Run id alice and groups alice. These commands should list the primary group and all supplementary groups that were added.

A shared-server example is straightforward. If a team needs access to /srv/teamdata, create the group, set the directory group ownership, and add the users with usermod -aG teamdata. The user can then work in that directory without changing ownership of every file manually.

For a broader administrative context, Cisco® and Microsoft® identity documentation both emphasize consistent identity and access handling as part of secure operations. Microsoft Learn also provides practical guidance around account and privilege management in Windows and hybrid environments, which is useful when your Linux estate shares identity processes with other platforms.

How To Verify It Worked

Verification is where you catch mistakes before they become tickets. The fastest check is id alice, which prints the user ID, primary group, and supplementary groups in one line.

The groups alice command is also useful because it gives a shorter membership summary. If either command is missing the expected group, the user has not actually been updated the way you intended.

What Good Output Looks Like

You should see the target group names in the output. For example, id alice may show something similar to uid=1002(alice) gid=1005(projectx) groups=1005(projectx),27(sudo),998(docker) depending on your distribution and local IDs.

To test file access, create a group-owned directory and confirm the user can enter it or write to it:

sudo mkdir -p /srv/projectx
sudo chgrp projectx /srv/projectx
sudo chmod 2775 /srv/projectx

The 2 in 2775 sets the setgid bit, which helps new files inherit the directory’s group. That is a practical pattern for collaborative directories.

Common Failure Symptoms

The group does not appear in id. The session likely needs a re-login.
The user cannot write to the directory. The directory ownership or mode bits may be wrong.
The command failed with “group does not exist.” Create the group first.
Existing group access disappeared. Someone probably used usermod -G without -a.

Microsoft’s account-management docs and the Linux manual pages both reinforce a practical truth: the shell does not always refresh group membership automatically. If you need the change immediately for a test, open a new login session instead of assuming the old one is current.

For deeper identity checks, id and groups are the simplest tools because they show the effective account state, not just the configuration you think you applied.

Editing Existing Users Safely

You can modify an existing account with usermod instead of recreating it. That is the correct approach when a user changes roles, joins a new team, or loses access to a project.

To change the primary group, use usermod -g. To add supplementary groups, use usermod -aG. The distinction matters because one changes the base ownership model and the other extends access.

Changing Group Membership Without Breaking Access

Example:

sudo usermod -g projectx -aG sudo,docker alice

That would be a mistake because the command mixes a primary-group change with supplementary-group addition and can become hard to read and manage. In practice, split those actions when possible so you can verify each change independently.

If you need to remove a user from a supplementary group, use a controlled group edit process such as gpasswd -d alice docker or adjust the account membership source your environment uses. Always test removal on a noncritical account first if the group controls production access.

Security-focused frameworks such as NIST control guidance and the CIS Benchmarks both support a disciplined approach to account changes. Do not modify privileged users casually, and do not leave old group memberships in place after a role change.

Common Scenarios And Practical Examples

Real systems rarely need just one account change. Most of the time, you are building a user profile around a work pattern: developer access, shared folder access, or service-only access.

Developer Account With sudo, docker, And A Project Group

This is one of the most common administration tasks on Linux workstations and build servers:

sudo groupadd projectx
sudo useradd -m -s /bin/bash alice
sudo passwd alice
sudo usermod -aG sudo,docker,projectx alice

That account can log in, administer the machine when needed, and work with containers and project files. In a real team, this setup should still be reviewed against your security standard before it becomes the default.

Shared Server User For A Team Directory

If a shared server hosts a team-owned directory, make the group first, then assign users to it. Set the directory to group-write mode and use setgid so new files inherit the right group automatically.

This pattern is common for documentation, code review staging, and application assets. It also keeps ownership predictable when multiple people edit the same content.

Service Account With No Interactive Login

Service accounts should usually not have normal interactive shells. A common pattern is:

sudo useradd -r -s /usr/sbin/nologin -M appsvc

The -r option creates a system account, -s /usr/sbin/nologin blocks interactive access, and -M avoids an unnecessary home directory. This is the right choice when a daemon or scheduled task needs an identity but not a human login.

These scenarios map differently across desktop, lab, and production environments. A personal workstation may tolerate broader group access, while a production server should keep permissions tighter and account changes more formal.

For role design and workforce context, the U.S. Bureau of Labor Statistics continues to report strong demand across computer and information technology occupations, which helps explain why reliable account provisioning is a core operations skill rather than a niche task.

Best Practices For User And Group Management

The safest Linux user management model is simple: grant the least access required, document the reason, and review the result later. That approach reduces accidents and makes audits easier.

Use least privilege. Add only the groups the user truly needs.
Keep group names descriptive. Names should explain purpose, not just sequence.
Review stale accounts. Remove users who no longer need access.
Audit sensitive groups regularly. Pay special attention to sudo, deployment, and data-access groups.
Document changes. Record why a user was added or removed from each group.

In bigger environments, these controls are not optional. They are the difference between manageable access and a permission sprawl that nobody can explain six months later.

Pro Tip

Before bulk changes, export current membership with getent group and keep a dated copy of the output. That gives you a rollback reference if an account update goes sideways.

For enterprise governance, the ISACA COBIT framework supports formal access review and accountability, while the Gartner research library consistently highlights identity control as a core operational security function. Both perspectives reinforce the same admin habit: manage groups intentionally, not reactively.

Troubleshooting Common Issues

If a user still cannot access files after group changes, start with the basics. Check the actual membership list, confirm the file and directory ownership, and make sure the session has been refreshed.

One of the most common mistakes is forgetting that current shells do not always pick up new group membership immediately. Another common error is using the wrong command syntax and accidentally replacing existing supplementary groups.

What To Check First

Re-run id and groups. Confirm the group is really attached to the account.
Check ownership and permissions. Use ls -ld /srv/projectx or the target path. If the directory is owned by the wrong group, membership alone will not fix access.
Verify the shell and home directory. If the shell is invalid or the home directory is missing, login may fail even when the account exists.
Look for typos. A misspelled group name in usermod -aG quietly creates a bad outcome because the user is added to the wrong target or nothing at all.
Check logs. If account creation fails, review system logs such as /var/log/auth.log or journal output with journalctl where available.

If you are working across mixed environments, note that Windows 10/11 identity concepts may feel similar, but the implementation is different. Linux identity management remains file- and group-centric, so commands and verification are the fastest way to diagnose access issues.

For network-oriented troubleshooting, a command like traceroute can help when the user is remote and the problem is not local permissions but connectivity. That is especially relevant when you are testing SSH access from a branch office or VPN segment rather than on the same subnet.

Security operations teams often pair account review with broader monitoring practices. The Verizon Data Breach Investigations Report remains a strong reminder that credential misuse and access mistakes are still common failure points, which is why precise group assignment matters.

How Do You Create A New Linux User And Add Them To Groups?

You create the account with useradd or adduser, set the password with passwd, and add supplementary groups with usermod -aG. If the account needs a specific default ownership model, assign a primary group during creation with -g.

The shortest reliable workflow is: create the group, create the user with a home directory and shell, set the password, add supplementary groups, then verify with id. That sequence works cleanly on most Linux distributions and is the safest approach for day-to-day administration.

What Is The Difference Between Primary And Supplementary Groups?

A primary group defines the default group ownership for files the user creates. Supplementary groups add more access without changing that default.

In practice, primary groups shape file ownership, while supplementary groups shape reach. That is why useradd -g is used for shared ownership models and usermod -aG is used for extra access like sudo or container tooling.

How Can You Check IP In Linux While Testing Access?

Use ip a or ip addr to check the machine’s IP address when you need to verify whether a login or file-access issue is local or remote. If the account works on the console but not over the network, the problem may be with connectivity rather than groups.

For remote troubleshooting, pairing ip output with SSH logs and a connectivity test is often faster than guessing. In network-heavy environments, basic identity checks and basic network checks should happen together.

Key Takeaway

Use useradd or adduser to create the account, then set the password with passwd.

Use useradd -g when the account needs a custom primary group for default file ownership.

Use usermod -aG to add supplementary groups without removing existing memberships.

Verify with id, groups, and a real file access test before you consider the change complete.

Document the change and keep access as small as possible.

Conclusion

Creating a new Linux user and adding that user to specific groups is a core administration task because it controls login behavior, file ownership, and collaboration. The process is straightforward when you handle the pieces in the right order: create the group, create the user, set the shell and home directory, assign the password, and add the right supplementary groups.

Primary and supplementary groups are not just theory. They are the foundation of everyday Linux user management, and they determine whether a user can work productively or gets stuck asking for access changes all day. Always verify your work with id, groups, and a real file test, then re-check the result after the user logs back in.

The safest habit is still the simplest one: grant only the access that is needed, document why you made the change, and review it later. That is practical system administration, and it scales far better than guessing.

If you want more hands-on Linux administration guidance from ITU Online IT Training, keep building this workflow until it becomes routine. The faster you can create users, assign groups, and verify access on the command line, the more reliable your admin work will be.

CompTIA®, Cisco®, Microsoft®, AWS®, EC-Council®, ISC2®, ISACA®, and PMI® are trademarks of their respective owners.

[ FAQ ]

Frequently Asked Questions.

How do I create a new Linux user with a specific primary group?

To create a new Linux user with a specific primary group, you can use the useradd command with the -g option. For example, running sudo useradd -g groupname username will create the user and set their primary group to groupname.

This method ensures that the user is associated with the correct main group from the outset. It’s important to specify the primary group during creation to avoid permission issues later, especially if the user needs access to specific shared resources or directories associated with that group.

What is the difference between useradd and adduser in Linux?

The useradd and adduser commands are both used to create new user accounts, but they differ in usability and customization. useradd is a low-level utility that offers more direct control, requiring explicit options for setting up home directories, groups, and shells.

In contrast, adduser is a friendlier, more interactive script that prompts for necessary information and sets up the account with sensible defaults. It is generally easier for beginners but may not offer the same level of customization as useradd.

How can I add a new user to multiple groups at creation?

You can add a new user to multiple groups during creation by using the -G option with useradd. For example, sudo useradd -G group1,group2 username creates the user and adds them to the specified supplementary groups.

Ensure that you also specify a primary group with the -g option if needed. Alternatively, with adduser, you might need to modify group memberships after creation using the usermod command.

Why is setting the home directory important when creating a new user?

Specifying the home directory during user creation ensures the user has a dedicated space for personal files and configurations. If you do not specify a home directory, the system typically creates a default one based on the username, such as /home/username.

Having a correctly set home directory is crucial for permissions, user environment, and security. It also simplifies user management and helps prevent accidental access issues or conflicts with existing directories. You can specify the home directory with the -d option in useradd.

What are common mistakes to avoid when creating a new Linux user?

One common mistake is forgetting to assign the correct primary group, which can lead to permission issues. Another is neglecting to specify a home directory, resulting in default directories that may not meet your requirements.

Additionally, omitting the -a flag when adding users to supplementary groups can cause them to be removed from those groups. Also, not setting a password immediately can leave the account vulnerable. Always verify the user’s group memberships and permissions after creation to ensure proper setup.