NAME
  useradd - Adds a new user login account

SYNOPSIS
  /usr/sbin/useradd [-c comment] [-d dir | -H home_dir] [-e expire]
      [-g group] [-G group[,group...]] [-m] [-p] [-P] [-s shell]
      [-t type] [-u uid [-o]] [-x extended_option] login

  /usr/sbin/useradd -D [-d home_dir] [-e expire] [-f inactive]
      [-g group] [-s shell] [-x extended_option]
OPTIONS
  -c comment
      A short description of the account, currently used as the field for
      the user's full name in the user database file. The comment argument
      can be any text string. If the text string contains spaces, enclose
      the string in quotes.

  -d dir
      Specifies the home directory of the new user. If not specified, dir
      defaults to home_dir/login, where home_dir is the default directory
      for user login accounts and login is the name of the new login
      account. The -m option must be specified to create the user's home
      directory. The -H option cannot be used with this option.

  -D  Displays and sets the default values used by the account management
      utilities for user and group information. When used without
      arguments, this flag displays the default values. If invoked with
      any combination of the flags listed by the usermod -D command, it
      sets the default values for those flags. Subsequent invocations of
      useradd or usermod use these new defaults.

  -e expire
      This option is only for use on systems running in enhanced security
      mode and is useful for creating temporary logins. The value of the
      expire argument is a date, and must be in one of the valid formats
      listed below. A blank value ("") defeats the status of the expired
      date. Note that if a two-digit year is specified, and the number is
      >= 69 and <= 99, the year is assumed to be 19** (20th century).
      Otherwise the year is assumed to be 20** (21st century). The
      following date formats are valid:

          mmm dd yy     (Oct 27 97)
          mmm dd ccyy   (Oct 27 1997)
          dd mmm yy     (27 Oct 97)
          dd mmm ccyy   (27 Oct 1997)
          mm-dd-yy      (10-27-97)
          mm-dd-ccyy    (10-27-1997)
          mm/dd/yy      (10/27/97)
          mm/dd/ccyy    (10/27/1997)
          mmddyy        (102797)
          mmddccyy      (10271997)
          mmdd          (1027)

  -f inactive
      This option is only for use on systems running in enhanced security
      mode and specifies the number of days that can elapse before an
      inactive account is locked automatically. A value of 0 means there
      is no limit. The default value is 0.
      The default value for new accounts can be set by combining this
      option with the -D option.

  -g group
      The account holder's primary group. The group argument can be
      specified as an existing group's identification number (GID) or
      character-string name. The default value for new accounts can be set
      by combining this option with the -D option.

  -G group[,group...]
      The user's secondary groups. This option is a comma-separated list
      of groups that defines the supplementary group membership for a new
      user. Groups can be specified by the group's name or by its group
      identification number (GID). An error is displayed for each group
      that does not exist. Duplicate groups are ignored. See the
      RESTRICTIONS section for more information.

  -H home_dir
      The path name of the home directory location. The path name is
      combined with the login name to form the user's home directory. The
      -m option must be specified to create the user's home directory. The
      -d option cannot be used with this option.

  -m  Creates the new user's home directory if it doesn't already exist.
      If the directory already exists, it must have read, write, and
      execute permissions by group, where group is the user's primary
      group. See also the -d and -H options.

  -p  Indicates that you want to supply a password. You will be prompted
      to enter the password, which will not be echoed to the screen. After
      entering a password, you will be prompted to verify it by entering
      it a second time.

  -P  Creates a PC account only. This account is usable in an environment
      using the Advanced Server for UNIX (ASU). See the RESTRICTIONS
      section for additional information.

  -s shell
      Specifies the full path name of the program used as the user's login
      shell. The shell argument must be a valid executable file. The
      default value for new accounts can be set by combining this option
      with the -D option. If no default shell has been set, the login
      shell for new users will be /bin/sh.

  -t type
      Adds a local plus (+) or local minus (-) NIS user from the user
      database. The value of the type parameter can be + or -.

  -u uid
      Specifies the user identification number (UID) of the new user. The
      uid must be specified as a non-negative decimal integer.

  -o  Allows a user identification (UID) number to be duplicated
      (non-unique). This option can be used only with the -u option.
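The -o option deliberately permits a non-unique UID, and two logins that share a UID are the same user as far as file ownership and process credentials are concerned; a second login with UID 0 is a second superuser. As an added example that is not part of this reference page or of the useradd command, the POSIX sh functions below audit user-database text in the colon-separated passwd format for UIDs held by more than one login. The sample lines are constructed for the example and describe no real system.

```shell
#!/bin/sh
# Added example: find UIDs shared by more than one login in passwd-format text.
# Constructed sample data (not from any real system): "ops" reuses 451 as
# "useradd -u 451 -o ops" would, and "backdoor" reuses UID 0.
SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
newuser:x:451:20:New User:/home_dir/newuser:/bin/sh
xyz:x:452:20:XYZ:/users/xyz:/bin/csh
ops:x:451:20:Ops Shared:/home_dir/ops:/bin/sh
backdoor:x:0:0:Second root:/tmp:/bin/sh'

# duplicate_uids PASSWD_TEXT
# Prints one line per shared UID: "<uid> <login> <login>...", lowest UID
# first. Prints nothing when every UID is unique.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 {
            count[$3]++
            names[$3] = (count[$3] == 1) ? $1 : (names[$3] " " $1)
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid, names[uid]
        }
    ' | sort -n
}

# shared_uid_zero PASSWD_TEXT
# Exit 0 when UID 0 is held by more than one login, 1 otherwise.
shared_uid_zero() {
    duplicate_uids "$1" | awk '$1 == 0 { found = 1 } END { exit !found }'
}

# Stand-alone use: audit the sample. For a real system, pass the file
# contents instead, e.g.  duplicate_uids "$(cat /etc/passwd)"
duplicate_uids "$SAMPLE_PASSWD"
if shared_uid_zero "$SAMPLE_PASSWD"; then
    echo "WARNING: more than one login has UID 0" >&2
fi
```

The awk pass keeps the first login seen for each UID and appends later ones, so the report shows which account was created first; the sort makes the output order deterministic because awk's `for (uid in count)` order is not.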
  -x extended_option
      Extended options are of the form attribute=value. You may enter any
      number of extended options (within the character limit of the
      command line) by separating each option with a space. Alternatively,
      they may be entered separately following the -x switch. Note that
      some extended options are only available under specific system
      environments. A valid command string for extended options is:

          % useradd -D -g 22 -b /home -x distributed=0
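The century rule for the -e option above is easy to get wrong in scripts: a two-digit year of 69 through 99 means the 20th century and anything else the 21st, so "10/27/68" expires an account in 2068, not 1968. The POSIX sh functions below are an added example, not part of useradd or of this reference page; they rewrite the two-digit-year forms listed for -e into their four-digit equivalents using exactly that rule, and pass the ccyy forms, the year-less mmdd form and the blank value through unchanged.

```shell
#!/bin/sh
# Added example: normalise the two-digit-year date forms accepted by -e
# into four-digit-year forms, using the rule stated for -e
# (69..99 -> 19yy, anything else -> 20yy). Not part of useradd itself.

# expand_year YY -> prints ccyy; exit 2 on anything but two digits
expand_year() {
    case $1 in
        [0-9][0-9]) ;;
        *) echo "expand_year: expected two digits, got '$1'" >&2; return 2 ;;
    esac
    n=${1#0}                      # "05" -> "5" so the comparison is decimal, not octal
    if [ "$n" -ge 69 ] && [ "$n" -le 99 ]; then
        echo "19$1"
    else
        echo "20$1"
    fi
}

# normalize_expire DATE -> prints DATE with a four-digit year.
# Forms that already carry ccyy, the year-less mmdd form and the blank
# value ("") are passed through unchanged.
normalize_expire() {
    d=$1
    case $d in
        [0-9][0-9]/[0-9][0-9]/[0-9][0-9])                   # mm/dd/yy
            echo "${d%/*}/$(expand_year "${d##*/}")" ;;
        [0-9][0-9]-[0-9][0-9]-[0-9][0-9])                   # mm-dd-yy
            echo "${d%-*}-$(expand_year "${d##*-}")" ;;
        [0-9][0-9][0-9][0-9][0-9][0-9])                     # mmddyy
            echo "${d%??}$(expand_year "${d#????}")" ;;
        [A-Z][a-z][a-z]\ [0-9][0-9]\ [0-9][0-9] | [0-9][0-9]\ [A-Z][a-z][a-z]\ [0-9][0-9])
            # mmm dd yy / dd mmm yy: the year is the last blank-separated field
            echo "${d% *} $(expand_year "${d##* }")" ;;
        *)
            echo "$d" ;;
    esac
}

# Stand-alone use: show the century rule on the boundary years.
for sample in "10/27/97" "10/27/68" "Oct 27 69" "102700" "1027" "10/27/1997"; do
    printf '%-12s -> %s\n' "$sample" "$(normalize_expire "$sample")"
done
```

Passing the normalised string to useradd -e removes the ambiguity from audit logs and from scripts that compare expiry dates, since every recorded value then carries an explicit century.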
  The following extended options are available:

  o  local
     Indicates that the account is local. This value can be set as a
     default with the -D option and is incompatible with the distributed
     and ldap options. If local is set to 1, distributed and ldap are
     automatically set to 0.

  o  distributed
     Indicates that the account is a NIS user account. This value can be
     set as a default with the -D option and is incompatible with the
     local and ldap options. If distributed is set to 1, local and ldap
     are automatically set to 0. You must be on the NIS master to add a
     NIS user.

  o  ldap
     Indicates that the account is on an LDAP server. This option is
     incompatible with the distributed and local options. If either local
     or distributed is set to 1, it is automatically reset to 0. LDAP must
     be configured, and you must be on the LDAP server or an LDAP client
     with permission to modify the LDAP database.

  o  Indicates whether the account is to be locked by the system
     administrator. If set to 0, the account is not locked. If set to 1
     (the default), the account is explicitly locked and the user cannot
     log in to the system.
  The following extended_option attributes are available only on systems
  running in enhanced security mode:

  o  Specifies the time, in days, between the last password change and
     the password expiration. (A new password must be chosen.)

  o  The date on which the current password will expire. See the -e
     option for a list of valid date formats.

  o  Allows the user to choose his or her own password.

  o  Forces the automatic password generator to run.

  o  Sets the maximum number of characters for generated passwords.

  o  Forces the automatic password checker to run.

  o  Sets the minimum number of days that can elapse before a password
     can be changed.

  o  Sets the maximum number of days that can elapse before the password
     must be changed by the user.

  o  Forces a password change.

  o  Sets the minimum number of characters in a password.

  o  Sets the maximum number of characters in a password.

  o  Sets the maximum number of times a password must change before it
     can be reused.

  o  logon_hours
     Sets the days of the week and hours of the day during which the
     account holder can log in to the account. The time string format is
     an entry of Dd0000-0000 for each day and time that logins are
     enabled. Time is given in a 24-hour clock format. For example, to
     restrict logins to Sunday, Monday and Wednesday:

         Su0830-1730,Mo0830-1730,We0830-1730

     The hours are restricted to 8:30 AM to 5:30 PM.
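Before a time-of-day restriction is applied to an account, it is worth checking what the string actually permits, particularly at window boundaries and on days that have no entry at all. The POSIX sh functions below are an added example and not part of useradd; they parse a string in the Dd0000-0000 comma-separated form described above and answer whether a login on a given day at a given HHMM time falls inside an enabled window. Window ends are treated as inclusive, which is an assumption; the reference page does not say how the boundary minute is handled.

```shell
#!/bin/sh
# Added example: evaluate a logon-hours string of the form documented
# above (Dd0000-0000 entries separated by commas, 24-hour clock).
# Not part of useradd; window ends are treated as inclusive (assumption).

# to_minutes HHMM -> minutes since midnight
to_minutes() {
    h=${1%??}; m=${1#??}
    h=${h#0};  m=${m#0}            # drop one leading zero so "08" is not read as octal
    echo $(( h * 60 + m ))
}

# login_allowed HOURS DAY HHMM
# Exit 0 if DAY/HHMM lies inside one of the windows in HOURS, 1 if it
# does not (including days with no entry), 2 if an argument is malformed.
login_allowed() {
    hours=$1; day=$2
    case $3 in
        [0-9][0-9][0-9][0-9]) ;;
        *) echo "login_allowed: time must be HHMM, got '$3'" >&2; return 2 ;;
    esac
    want=$(to_minutes "$3")
    old_ifs=$IFS
    IFS=,
    for win in $hours; do
        IFS=$old_ifs
        case $win in
            [A-Z][a-z][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
            *) echo "login_allowed: malformed entry '$win'" >&2; return 2 ;;
        esac
        d=${win%????-????}          # "Mo0830-1730" -> "Mo"
        range=${win#??}             # "0830-1730"
        start=$(to_minutes "${range%-*}")
        end=$(to_minutes "${range#*-}")
        if [ "$d" = "$day" ] && [ "$want" -ge "$start" ] && [ "$want" -le "$end" ]; then
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Stand-alone use with the example string from the reference page.
HOURS='Su0830-1730,Mo0830-1730,We0830-1730'
for probe in 'Mo 0900' 'Mo 1730' 'Mo 1731' 'Tu 0900'; do
    set -- $probe
    if login_allowed "$HOURS" "$1" "$2"; then
        echo "$1 $2: login permitted"
    else
        echo "$1 $2: login denied"
    fi
done
```

A day that appears in no entry (Tuesday in the example) is denied outright, which is the behaviour the page's wording "for each day and time that logins are enabled" implies: anything not listed is not enabled.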
  o  Specifies a date on which logins will be disabled automatically.

  o  Specifies the number of days until the account expires and is
     retired automatically.

  o  Specifies the number of days that can elapse before an inactive
     account is locked automatically.

  o  Specifies the number of failed login attempts that can occur before
     an account is locked automatically.

  o  When an account becomes disabled because of an expired password,
     break-in evasive action, or an exceeded login interval, a grace
     period provides an interval during which the disabling condition is
     overridden and the user may log in. This successful login will
     automatically clear the disabling condition and the grace limit.
     Note that this does not unlock an account that has been
     administratively locked or that has expired. The grace limit
     specifies the number of days, starting immediately, that the user
     has to log in and re-enable the account.

  o  Specifies the template name to provide default enhanced security
     features for users.
  The following extended_option attributes are available for creating PC
  accounts that can be assigned to client PC users on systems running
  ASU:

  o  pc_username
     The user account name on the PC. This can be identical to the user's
     UNIX account, or it can map to a shared account. See the System
     Administration Guide for more information on account mapping. See
     the RESTRICTIONS section for more information.

  o  pc_unix_username
     The backing UNIX account name. If no name is entered it will be the
     same as the PC user account name. See the RESTRICTIONS section for
     more information.

  o  The full name of the user or a description of the account.

  o  A brief description of the account that is modifiable only by the
     administrator.

  o  A brief description of the account. This string can be changed by
     the user.

  o  The path to the user's home directory, specified in ASU share
     format.

  o  The primary ASU group (domain) to which the user belongs.

  o  The secondary ASU groups (domains) to which the user belongs. This
     value is specified as a comma-delimited list.

  o  pc_logon_workstations
     A list of client host systems from which the user can log on. This
     value is specified as a comma-delimited list, and a null value (" ")
     means that the user can log on from all workstations.

  o  The directory where the default login script is located. This
     directory is created during ASU configuration.

  o  Specifies whether the PC account is a local or global account in the
     ASU domain.

  o  Specifies the date on which the account will expire and logins will
     be prevented.

  o  pc_logon_hours
     Specifies the days of the week and hours of the day during which
     logins will be permitted or denied. See logon_hours for details of
     the string format.

  o  Specifies the pathname to the default user profile directory.

  o  Specifies whether the account is locked, disabling logins.

  o  pc_passwd
     A text string that will be the initial account password. Note that
     you must precede the pc_passwd option with the -x option. You will
     then be prompted to enter a password, and then prompted to confirm
     the entry. The password will not be echoed to the display.

  o  Controls whether the user can set his or her own password.

  o  Forces a password change during the initial login.

  o  Specifies a forced log off when the user's account or logon time
     expires. If there is a live server connection when the time expires,
     and this value is set to 1, the connection will be dropped. This
     option is only available with the -D option to change the default
     setting. A value of -1 specifies never, meaning that the user is not
     disconnected. The account expires after the user logs off.

  o  pc_synchronize
     Create synchronized PC accounts if ASU is installed. You cannot use
     the pc_synchronize option if the -P option is in use. See the
     RESTRICTIONS section for additional information. This option can be
     specified in combination with the -D option to set the default
     value.

  o  Specifies the minimum number of days that can elapse before a
     password can be changed by the user. This option is only available
     with the -D option to change the default setting.

  o  Specifies the maximum number of days that can elapse before a
     password must be changed by the user. This option is only available
     with the -D option to change the default setting.

  o  Specifies the minimum number of characters in a valid password
     string. This option is only available with the -D option to change
     the default setting.

  o  Forces validation of the password for uniqueness. This option is
     only available with the -D option to change the default setting.
     This option is equivalent to the passwd_history_limit option.

  login
      Specifies the new login name of the user. There are restrictions,
      described in the RESTRICTIONS section below, on the length and
      allowable characters in the login name.
DESCRIPTION
  The useradd command is part of a set of command-line interfaces (CLI)
  that are used to create and administer user accounts on the system. When
  the Advanced Server for UNIX (ASU) is installed and running, the useradd
  command can also be used to create and administer PC accounts, including
  synchronized creation of PC accounts whenever a UNIX account is created.
  Accounts can also be created with the /usr/bin/X11/dxaccounts graphical
  user interface (GUI) or the sysman(8) Accounts menu.

  Different options are available depending on how the local system is
  configured:

  o  In the default UNIX environment, user account management is
     compliant with the IEEE POSIX Standard P1387.3.

  o  If enhanced (C2) security is configured, additional options and
     extended options can be used.

  The CLI is backwards-compatible, so all existing local scripts will
  function. However, you should consider testing your legacy account
  management scripts before use.

  Invoking useradd without the -D option adds a new user entry to the user
  database. It also creates supplementary group memberships for the user
  if requested with the -G option, and creates the home directory for the
  user if requested with the -m option.

  Invoking useradd -D with no additional options displays the system
  default values that are used when creating a new login account.

  The default behavior on the system for useradd is as follows:
  distributed=0, ldap=0, and local=1. With these values, the system adds
  the user login account to the local database. Certain combinations of
  these settings are incompatible and produce an error: it is invalid to
  set all of these values to 0 or to set more than one of them to 1.

  If the user identification number (UID) is not specified, it defaults
  to the next available (unique) number. The number is the next available
  UID greater than minUID. The value nextUID specifies the next UID to
  use. If not available, the next available UID greater than nextUID is
  used.

  When NIS or LDAP are available, the new user may be given secondary
  group memberships with the -G option in more than one type of group.
  The indicated groups are sought first in the database that is of the
  same type as the user. If not found, the alternate database is checked.
  If the group is not found in either database, a warning is issued but
  the account is created.

  The user database entries created with useradd cannot exceed 512
  characters per line for local and NIS accounts. Specifying long
  arguments to several options may exceed this limit.
RESTRICTIONS
  Note the following restrictions that apply to this release:

  You must have superuser privilege to execute this command.

  Certain characters that have special meaning for the shells are not
  allowed in the login name. This list includes $@/[]:;|=,*?(){}"'`#,
  backslash (\), and white space (space, tab, newline, form-feed, return).
  In addition, the first character of the new login name cannot be one of
  +-!~.

  The maximum length of the login name is an adjustable system
  configuration parameter, but is guaranteed to be at least 8 characters.

  When creating PC-only accounts, the PC account will be backed to the
  UNIX account lmworld. This account must exist when adding PC-only
  accounts. The lmworld account is created when the ASU is installed.
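The character and length rules above are the ones a wrapper script should enforce before it hands a name to useradd, which is one concrete way to act on the advice to test legacy account-management scripts: a name containing a shell metacharacter that reaches a script built from string concatenation is a classic injection point. The POSIX sh function below is an added example and not part of useradd (the command performs its own checks). It assumes a length limit of 8, the guaranteed minimum; the real limit is a system parameter and can be passed as the second argument. The characters it rejects are exactly those listed in this section.

```shell
#!/bin/sh
# Added example: check a proposed login name against the RESTRICTIONS
# above before calling useradd. Not part of useradd. The default length
# limit of 8 is the guaranteed minimum, not the system's actual setting
# (assumption; pass the real limit as the second argument).

# valid_login_name NAME [MAXLEN]
# Exit 0 if NAME is acceptable, 1 otherwise (reason on stderr).
valid_login_name() {
    name=$1
    maxlen=${2:-8}
    tab=$(printf '\t'); ff=$(printf '\f'); cr=$(printf '\r')
    nl=$(printf '\n_'); nl=${nl%_}     # sentinel keeps $( ) from stripping the newline

    if [ -z "$name" ]; then
        echo "login name is empty" >&2; return 1
    fi
    if [ ${#name} -gt "$maxlen" ]; then
        echo "'$name': longer than $maxlen characters" >&2; return 1
    fi
    case $name in
        [+~!-]*)                       # first character may not be + - ! ~
            echo "'$name': may not start with + - ! or ~" >&2; return 1 ;;
    esac
    # Walk the name one character at a time; each forbidden character is
    # its own quoted alternative, so no bracket-expression quoting is needed.
    rest=$name
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of $rest
        rest=${rest#?}
        case $c in
            '$'|'@'|'/'|'['|']'|':'|';'|'|'|'='|','|'*'|'?'|'('|')'|'{'|'}'|'"'|"'"|'`'|'#'|'\'|' '|"$tab"|"$nl"|"$ff"|"$cr")
                echo "'$name': contains a forbidden character" >&2; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone use: a wrapper that refuses to call useradd on a bad name.
# useradd is not actually run here; replace the echo with the real command.
safe_useradd() {
    valid_login_name "$1" || return 1
    echo "would run: /usr/sbin/useradd -m $1"
}
safe_useradd newuser
safe_useradd 'bad;name' || true
```

Because the loop compares whole characters rather than interpreting the name as a pattern, the check behaves the same whether the name arrives from a terminal, a provisioning file or another program, and a name such as Contractor1 is rejected under the default limit until the system's real maximum is supplied.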
  When the -P option is used, the specified login is the PC account name.
  When the -P option is not used, the specified login is the UNIX account
  name. When the extended option pc_synchronize is used, the specified
  login is the UNIX account name.

  The extended attribute pc_unix_username can only be used when the -P
  option is specified on the command line. This extended option is used to
  specify a UNIX account name when creating or modifying a PC account. The
  extended attribute pc_username cannot be used when the -P option is
  specified on the command line. It is used to specify a PC account name
  when creating or modifying a UNIX account. The pc_synchronize option
  cannot be used with the -P option.

  Distributed accounts can only be added or modified on NIS servers.

  Note that restrictions also apply when modifying existing account
  attributes. Refer to the usermod(8) reference page for more information.
EXIT STATUS
  The useradd command exits with one of the following values:

  Success.
  Failure.
  Warning.
EXAMPLES
  The following example adds the user, newuser, to the user database:

      % useradd newuser

  The following example enables synchronized PC accounts, and the second
  command adds a user Contractor1 who will then have both a UNIX and a PC
  account using the system default account setup options:

      % usermod -D -x pc_synchronize=1
      % useradd -x pc_logon_workstations=sofdev Contractor1

  The following example adds the user, newuser, to the user database with
  a user ID of 451:

      % useradd -u 451 newuser

  The following example adds the user, newuser, using the next available
  UID with csh as the login shell. It creates the user's home directory
  /home_dir/newuser, where /home_dir is the default location for creating
  home directories:

      % useradd -m -s /bin/csh newuser

  The following example adds the local user, xyz, overriding the default
  home directory in the NIS master database:

      % useradd -t + -d /users/xyz xyz

  The following example changes the default base directory to
  /user/users1 for all new users:

      % useradd -D -b /user/users1

  The following example adds the new user, xyz, to the NIS master
  database:

      % useradd -x distributed=1 xyz

  The following example adds the new PC user, Contractor1, and sets the
  logon hours and the logon system (the backslashes continue the command
  onto the next line):

      % useradd -P -x \
          pc_logon_hours=Mo0900-2300,We0900-2300 \
          pc_logon_workstations=sofdev Contractor1

  The following example adds the new PC user, Contractor1, supplying the
  PC password:

      % useradd -P -x pc_passwd Contractor1
      New PC password:
      Retype new PC password:
FILES
  The useradd command operates on the appropriate files for the specific
  level of system security.

RELATED INFORMATION
  Commands: groupadd(8), groupdel(8), groupmod(8), passwd(1), userdel(8),
  usermod(8)

  Manuals: System Administration, Security, Advanced Server for UNIX
  Installation and Administration
useradd(8)