usermod - Modifies a user's login information on the system.
SVE:
/usr/sbin/usermod [-u uid [-o]] [-l login_name] [-g group]
[-G group[,group...]] [-c comment] [-d dir [-m]] [-s
shell] [-e expire] [-f inactive] [-t type] login
POSIX:
/usr/sbin/usermod [-c comment] [-d dir [-m]] [-g group]
[-G group[,group...]] [-H home_dir] [-p] [-l login_name]
[-P] [-s shell] [-t type] [-u uid [-o]] [-x
extended_option] login
/usr/sbin/usermod -D [-g group] [-s shell] [-d dir] [-e
expire] [-f inactive] [-x extended_option]
-c comment
    Modifies the description of the account, currently used as the field
    for the user's full name in the user database file. The comment
    argument can be any text string. If the text string contains spaces,
    enclose the string in quotes.

-H home_dir
    Sets the pathname of the user's home directory location. The pathname
    is combined with the login name to form the full path of the home
    directory. The -H option cannot be used with the -d option, but see
    also the -m option.

-d dir
    Specifies the full path to the home directory where the user account
    resides. If not specified, dir defaults to home_dir/login, where
    home_dir is the default directory for user login accounts and login is
    the name of the new login account. The -d option cannot be used with
    the -H option, but see also the -m option.

-m
    Moves the user's home directory to the new location. This option must
    be combined with either the -H or the -d option.

-p
    Indicates that you want to supply a password. You are prompted to
    enter the password, which is not echoed to the screen. After entering
    a password, you are prompted to verify it by entering it a second
    time.

-P
    Modify a PC account created by useradd with this switch. This account
    is usable in an environment with the Advanced Server for UNIX (ASU).

-D
    Displays and sets the default values used by the account management
    utilities for user and group information. When used without
    arguments, this flag displays the default values. If invoked with any
    combination of the flags listed by the usermod -D command, it sets the
    default values for those flags. Subsequent invocations of usermod use
    these new defaults. For example, in the POSIX environment, the
    following command sets the group to project, the account to local and
    the minimum UID to 300 for any new account that is subsequently
    created:

    # usermod -D -g project -x local=1 min_uid=300

-e expire
    This option is only for use on SVE systems running in enhanced
    security mode and is useful for creating temporary logins. The value
    of the expire argument is a date. See the useradd(8) reference page
    for a list of valid date formats. A blank value ("") defeats the
    status of the expired date. Set the extended option -x
    account_expiration for the default value. Note that if a two-digit
    year is specified, and the number is >=69 and <=99, the year is
    assumed to be 19** (20th century). Otherwise the year is assumed to
    be 20** (21st century).

-g group
    Changes the account holder's primary group. The group argument can be
    specified as an existing group's identification number (GID) or
    character-string name. You can use the -D option to set the default
    primary group for new logins.

-G group[,group...]
    Modifies the user's secondary groups. This option takes a
    comma-separated list of groups that defines the supplementary group
    membership for the user. This is a replacement operation that adds or
    removes the user from supplementary groups as necessary: all the
    groups in which membership is desired must be listed. Groups can be
    specified by the group's name or by group identification number
    (GID). An error is displayed for each group that does not exist.
    Duplicate groups are ignored.

-l login_name
    Changes the user's login name. The login name has the same
    restrictions as described for new users in useradd(8).

-s shell
    Modifies the user's login shell. It specifies the full pathname of the
    program used as the user's login shell. The shell argument must be a
    valid executable file. When used with the -D option, -s defines the
    system default.

-t type
    Changes the user's account type to local plus (+) or local (-) NIS
    user in the user database. The value of the type parameter can be +
    or -.

-u uid
    Modifies the user identification number (UID) of the user. The uid
    must be specified as a non-negative decimal integer.

-o
    When modifying a UID, allows a user identification (UID) number to be
    duplicated (nonunique). This option can be used only with the -u
    option.

-x extended_option
    Extended options are of the form attribute=value. You may enter any
    number of extended options (within the character limit of the command
    line) by separating each option with a space. Alternatively, they may
    be entered separately following the -x switch. Note that some
    extended options are only available under specific system
    environments.

To review the current defaults, use the following command:

    usermod -D

This example is a valid command string for extended options:

    usermod -D -x distributed=1 next_UID=300 \
        administrative_lock_applied=0
The following sets of extended_option attributes are available:

local
    Indicates whether the account is local. This value can be set as a
    default with the -D option and is incompatible with the distributed
    and ldap options. If local is set to 1, distributed and ldap are
    automatically set to 0.

distributed
    Indicates that the account is a NIS user account. This value can be
    set as a default with the -D option and is incompatible with the local
    and ldap options. If distributed is set to 1, they are automatically
    set to 0. You must be on the NIS master to modify a NIS user.

ldap
    Indicates whether the account is on an LDAP server. This option is
    incompatible with the local and distributed options. If local or
    distributed is set to 1, local and ldap are automatically set to 0.
    LDAP must be configured, and you must be on the LDAP server or an LDAP
    client with permission to modify the LDAP database.

min_uid
    Specifies the minimum UID value. This value can only be set as a
    default with the -D option.

    Specifies the maximum UID value. This value can only be set as a
    default with the -D option.

next_uid
    Specifies the next sequential unassigned UID. This value can only be
    set as a default with the -D option.

    Allows the UID to be a duplicate of an existing UID. This value can
    only be set as a default with the -D option.

    Specifies the parent directory where home directories will be created
    by default, such as /usr/users. This option can only be used with the
    -D option to set a default.

    Specifies the directory where skeleton files reside. Files in this
    directory are copied to new home directories when they are created.
    This option can only be used with the -D option to set a default.

    Specifies the maximum number of groups to which a user can belong.
    This value can only be set as a default with the -D option.

    Specifies the hashed password database. This value can only be set as
    a default with the -D option.

administrative_lock_applied
    Locks the account. A value of 1 locks the specified account, and a
    value of 0 unlocks it. The default is 1.
The following extended_option attributes are available only on systems
running in enhanced security mode:

passwd_expiration_time
    Specifies the time, in days, between the last password change and the
    password expiration. (A new password must be chosen.) The value of n
    must be an integer. If the value of the passwd_expiration_time
    attribute is set to 0, there is no password expiration time.

passwd_lifetime
    Specifies the time, in days, between the last password change and the
    expiration of the account. The value of n must be a non-negative
    integer. If the passwd_lifetime attribute is set to 0, the password
    lifetime is infinite.

    Specifies the time, in days, which must pass before a user can change
    the user account password. The value of n must be a non-negative
    integer. A value of 0 means there is no minimum time to change the
    user account password.

    The date on which the current password will expire. See the -e option
    for a list of valid date formats.

    Allows the user to choose his or her own password.

    Forces the automatic password generator to run.

    Sets the maximum number of characters for generated passwords.

    Forces the automatic password checker to run.

    Forces a password change.

    Sets the minimum number of characters in a password.

    Sets the maximum number of characters in a password.

    Sets the number of times that the password must be changed before a
    password can be reused.

logon_hours
    Sets the days of the week and hours of the day during which the
    account holder can log in to the account. The time string format is
    an entry of Dd0000-0000 for each day and time that logins are
    enabled. Time is given in a 24-hour clock format. For example, to
    restrict logins to Sunday, Monday and Wednesday:

    Su0830-1730,Mo0830-1730,We0830-1730

    The hours are restricted to 8:30AM to 5:30PM.

    Specifies a date on which logins will be disabled automatically.

    Specifies the number of days until the account expires and is retired
    automatically.

    Specifies the number of days that can elapse before an inactive
    account is locked automatically.

    Specifies the number of failed login attempts that can occur before
    an account is locked automatically.

grace_limit
    When an account becomes disabled because of an expired password,
    break-in evasive action, or exceeded login interval, a grace period
    provides an interval during which the disabling condition is
    overridden and the user may log in. This successful login
    automatically clears the disabling condition and the grace limit.
    Note that this does not unlock an account that has been
    administratively locked or that has expired. The grace limit
    specifies the number of days, starting immediately, that the user has
    to log in and re-enable the account.

    Specifies the template name to provide default enhanced security
    features for users.
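The logon_hours time string described above (and, by the page's own reference, the pc_logon_hours string in the PC section) is easy to get wrong by hand. The following parser and checker is an added example, not code from this reference page or from the operating system it documents. It implements the Dd0000-0000 format as described: one entry per day, entries separated by commas, 24-hour clock. Assumptions not stated on the page: the day codes are Su, Mo, Tu, We, Th, Fr, Sa; the end time of a window is inclusive; an empty string means no restriction; a malformed entry is rejected rather than ignored. The function names and the sample login attempts are constructed for the example.

```python
"""Parser and checker for the usermod logon_hours time string (added example)."""
import re
from datetime import datetime

# Assumed day codes, ordered so that index 0 is Sunday.
DAY_CODES = ("Su", "Mo", "Tu", "We", "Th", "Fr", "Sa")

# One entry: two-letter day code, HHMM start, "-", HHMM end.
_ENTRY = re.compile(r"^(Su|Mo|Tu|We|Th|Fr|Sa)(\d{2})(\d{2})-(\d{2})(\d{2})$")

# The page's own example string, used by the demo below.
EXAMPLE_POLICY = "Su0830-1730,Mo0830-1730,We0830-1730"

# Constructed login attempts: (label, timestamp). 2024-01-07 is a Sunday.
SAMPLE_ATTEMPTS = [
    ("sunday-morning", datetime(2024, 1, 7, 9, 0)),   # inside Su window
    ("monday-close", datetime(2024, 1, 8, 17, 30)),   # Monday, end of window (inclusive)
    ("monday-late", datetime(2024, 1, 8, 18, 0)),     # Monday, after the window
    ("tuesday", datetime(2024, 1, 9, 9, 0)),          # no Tuesday entry at all
]


def _minutes(hh: str, mm: str) -> int:
    """Convert an HHMM pair to minutes since midnight, rejecting bad clock values."""
    h, m = int(hh), int(mm)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"invalid 24-hour time {hh}{mm}")
    return h * 60 + m


def parse_logon_hours(spec: str) -> dict:
    """Parse a logon_hours string into {day_code: [(start, end), ...]}.

    start and end are minutes since midnight. Raises ValueError on a
    malformed entry, an impossible clock time, or a window that ends
    before it starts.
    """
    windows: dict = {}
    if spec == "":
        return windows  # no entries: treated as unrestricted (assumption)
    for entry in spec.split(","):
        match = _ENTRY.match(entry)
        if match is None:
            raise ValueError(f"malformed logon_hours entry: {entry!r}")
        day, sh, sm, eh, em = match.groups()
        start, end = _minutes(sh, sm), _minutes(eh, em)
        if start > end:
            raise ValueError(f"window ends before it starts: {entry!r}")
        windows.setdefault(day, []).append((start, end))
    return windows


def login_allowed(spec: str, when: datetime) -> bool:
    """Return True if a login at `when` falls inside a permitted window."""
    windows = parse_logon_hours(spec)
    if not windows:
        return True
    # datetime.weekday() is Monday=0 .. Sunday=6; shift so Sunday maps to "Su".
    day = DAY_CODES[(when.weekday() + 1) % 7]
    now = when.hour * 60 + when.minute
    return any(start <= now <= end for start, end in windows.get(day, []))


def audit_attempts(spec: str, attempts: list) -> list:
    """Label (label, datetime) attempts against a policy; returns [(label, allowed)].

    Handy when reviewing an authentication log against the configured hours.
    """
    return [(label, login_allowed(spec, when)) for label, when in attempts]


def demo_audit() -> list:
    """Run the constructed sample against the page's example policy."""
    return audit_attempts(EXAMPLE_POLICY, SAMPLE_ATTEMPTS)


if __name__ == "__main__":
    for label, allowed in demo_audit():
        print(f"{label:16s} {'allowed' if allowed else 'denied'}")
```

Note that a window such as Mo2500-2600 or a day code outside the assumed set raises ValueError instead of silently opening or closing the account, which is the behaviour you want from anything that validates a policy string before it is handed to usermod.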
The following extended_option attributes are available for PC group
administration if the Advanced Server for UNIX (ASU) is configured and
running:

pc_username
    The user account name on the PC. This can be identical to the user's
    UNIX account, or it can map to a shared account. See the System
    Administration guide for more information on account mapping.

pc_unix_username
    The backing UNIX account name. If no name is entered, it will be the
    same as the PC user account name.

    The full name of the user or a description of the account.

    A brief description of the account that is modifiable only by the
    administrator.

    A brief description of the account. This string can be changed by the
    user.

    The path to the user's home directory, specified in ASU share format.

    The primary ASU group (domain) to which the user belongs.

    The secondary ASU groups (domains) to which the user belongs. This
    value is specified as a comma-delimited list.

    A list of client host systems from which the user can log on. This
    value is specified as a comma-delimited list, and a null value (" ")
    means that the user can log on from all workstations.

    The directory where the default logon script is located. This
    directory is created during ASU configuration.

    Specifies whether the PC account is a local or global account in the
    ASU domain.

    Specifies the date on which the account will expire and logins will
    be prevented.

pc_logon_hours
    Specifies the days of the week and hours of the day during which
    logins will expire and logons will be permitted or denied. See
    logon_hours for details of the string format.

pc_disable_account
    Specifies whether the account is locked, disabling logins.

pc_passwd
    A text string that will be the initial account password. Note that
    you must precede the pc_passwd option with the -x option; you will be
    prompted to enter a password and then confirm the entry. The password
    will not be echoed to the screen.

    Controls whether the user can set his or her own password.

    Forces a password change during the initial login.

    Specifies a forced log off when the user's account or logon time
    expires. If there is a live server connection when the time expires,
    and this value is set to 1, the connection will be dropped. This
    option is only available with the -D option to change the default
    setting. A value of -1 specifies never, meaning that the user is not
    disconnected.

    The account expires after the user logs off.

pc_synchronize
    Sets the PC synchronized status to off (0) or on (1).

    Specifies the minimum number of days that can elapse before a
    password can be changed by the user. This option is only available
    with the -D option to change the default setting.

    Specifies the maximum number of days that can elapse before a
    password must be changed by the user. This option is only available
    with the -D option to change the default setting.

    Specifies the minimum number of characters in a valid password
    string. This option is only available with the -D option to change
    the default setting.

    Forces validation of the password for uniqueness. This option is only
    available with the -D option to change the default setting. This
    option is equivalent to the passwd_history_limit option.

    Specifies the login name of the user. You cannot specify a new login
    name for PC users.

Refer to the Advanced Server for UNIX (ASU) documentation for more
information.
The usermod command is part of a set of command-line
interfaces (CLI) that are used to create and administer
user accounts on the system. When the Advanced Server for
UNIX (ASU) is installed and running, the usermod command
can also be used to administer Windows NT domain (PC)
accounts, including simultaneous (synchronized) modification
of PC accounts or modifications to PC accounts alone.
Accounts can also be modified with the /usr/bin/X11/dxaccounts
graphical user interface (GUI) or the sysman(8)
Accounts menu.
Different options are available depending on how the local
system is configured: In the default UNIX environment,
user account management is compliant with the IEEE POSIX
Standard P1387.3-1996. If enhanced (C2) security is configured,
additional options and extended options can be
used. The CLI is backwards-compatible, so all existing
local scripts will function. However, you should consider
testing your account management scripts before use.
The usermod command modifies a user's login definition on
the system and makes the login-related changes in the
appropriate system files determined by the current level
of security.
The system file entries modified with this command have a
limit of 512 characters per line. Specifying long arguments
to several options may exceed this limit.
With the -x option, the system administrator can specify extended
options, such as whether the user login account to be modified is local,
resides in the NIS master database, or resides in the LDAP database. If
the -x option is not specified, the user login account is modified in the
appropriate database as specified by the system defaults.
The default behavior on the system for the usermod command is as follows:
local=1, distributed=0, and ldap=0. With these values, the system modifies
the user login definition in the local database. Certain combinations of
these settings are incompatible and produce an error: it is invalid to set
all of these values to 0 or to set more than one of them to 1.
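The -x syntax (attribute=value pairs separated by spaces), the local/distributed/ldap selectors and the validity rule just stated can be modelled in a few lines. The following is an added example, not code from this reference page or from the operating system; it is the kind of pre-flight check a wrapper script would run before calling usermod. The page states explicitly that setting local=1 or distributed=1 forces the other selectors to 0; applying the same forcing to ldap=1 is an assumption here, consistent with the rule that at most one selector may be 1. A bare token without "=" (the page's pc_passwd form) is accepted and returned with a value of None. The function names and the defaults dictionary are constructed for the example; the default values themselves are the ones the page gives.

```python
"""Model of usermod -x extended options and database selection (added example)."""

DATABASE_ATTRS = ("local", "distributed", "ldap")

# Defaults as stated on the page: local=1, distributed=0, ldap=0.
SYSTEM_DEFAULTS = {"local": 1, "distributed": 0, "ldap": 0}


def parse_extended_options(tokens):
    """Parse the tokens that follow -x into an ordered list of (attr, value).

    `tokens` is a list of strings, e.g. ["distributed=1", "next_uid=300"].
    A token without "=" (such as pc_passwd, which prompts instead of taking
    a value) is returned as (attr, None). The three database selectors must
    be 0 or 1 and are converted to int; all other values stay strings.
    """
    pairs = []
    for tok in tokens:
        if "=" in tok:
            attr, value = tok.split("=", 1)
        else:
            attr, value = tok, None
        if not attr:
            raise ValueError(f"empty attribute name in {tok!r}")
        if attr in DATABASE_ATTRS:
            if value not in ("0", "1"):
                raise ValueError(f"{attr} must be 0 or 1, got {value!r}")
            value = int(value)
        pairs.append((attr, value))
    return pairs


def resolve_database(pairs, defaults=SYSTEM_DEFAULTS):
    """Apply the selectors in command-line order on top of the defaults.

    Returns the final {local, distributed, ldap} mapping, or raises
    ValueError for the combinations the page calls invalid (all 0, or more
    than one set to 1).
    """
    state = dict(defaults)
    for attr, value in pairs:
        if attr not in DATABASE_ATTRS:
            continue
        state[attr] = value
        if value == 1:
            # Selecting one database clears the others (page rule for local
            # and distributed; assumed to hold for ldap as well).
            for other in DATABASE_ATTRS:
                if other != attr:
                    state[other] = 0
    ones = sum(state.values())
    if ones == 0:
        raise ValueError("invalid: local, distributed and ldap are all 0")
    if ones > 1:
        raise ValueError("invalid: more than one of local, distributed, ldap is 1")
    return state


def target_database(tokens, defaults=SYSTEM_DEFAULTS):
    """Name of the database usermod would modify for these -x tokens."""
    state = resolve_database(parse_extended_options(tokens), defaults)
    return next(attr for attr in DATABASE_ATTRS if state[attr] == 1)


if __name__ == "__main__":
    # The -x parts of the page's own examples, plus an invalid combination.
    for tokens in (["distributed=1"], ["administrative_lock_applied=0"],
                   ["pc_disable_account=0", "pc_logon_hours=Mo0800-2300"],
                   ["local=0"]):
        try:
            print(tokens, "->", target_database(tokens))
        except ValueError as err:
            print(tokens, "->", err)
```

Because the selectors are applied in order, "local=0 ldap=1" and "ldap=1 local=0" both resolve to the LDAP database, while "local=0" on its own leaves nothing selected and is rejected before usermod would ever be invoked.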
When NIS or LDAP are available, the modified user may be
added or removed from secondary group memberships (with
the -G option) in more than one type of group. The indicated
groups are sought first in the database that is of
the same type as the user. If not found, the alternate
database is checked. If the group is not found in either
database, a warning is issued.
Note the following restrictions that apply to this release:

You must have superuser privilege to execute this command.

When creating or modifying PC-only accounts, the PC account will be
backed by the UNIX account lmworld. This account must exist when adding
PC-only accounts. The lmworld account is created when the ASU kit is
installed.

When modifying a synchronized PC and UNIX account that has different UNIX
and PC account names, the following conditions apply: If the -P flag is
specified, pc_unix_username specifies the UNIX account and the specified
login is the PC account. If the -P flag is not given, pc_username
specifies the PC account and the specified login is the UNIX account.

The extended attribute pc_unix_username can only be used when the -P
option is specified on the command line. This extended option is used to
specify a UNIX account name when creating or modifying a PC account.

The extended attribute pc_username cannot be used when the -P option is
specified on the command line. It is used to specify a PC account name
when creating or modifying a UNIX account.

The pc_synchronize option cannot be used with the -P option.
The usermod command exits with one of the following values:
Success.
Failure.
Warning.
The following example changes the UID of the user newuser to 451 in the
user database:

    % usermod -u 451 newuser

The following example changes the home directory of the user xyz to
/users/xyz, and moves the files from the user's current directory to the
new directory:

    % usermod -d /users/xyz -m xyz

The following example unlocks a user account that has been
administratively locked:

    % usermod -x administrative_lock_applied=0 username

The following example gives a one-day grace period during which a user
may log in to an account that has been disabled:

    % usermod -x grace_limit=1 username

The following example changes the login shell of the user abc in the NIS
master database on the system where the command is executed:

    % usermod -s /bin/csh -x distributed=1 abc

The following example changes the user's login name from abc to xyz:

    % usermod -l xyz abc

The following example shows a typical output of default settings using
the -D option alone:

    % usermod -D
    Local                      = 1
    Distributed                = 0
    Minimum User ID            = 12
    Next User ID               = 200
    Maximum User ID            = 4294967293
    Duplicate User ID          = 0
    Use Hashed Database        = 0
    Max Groups Per User        = 32
    Base Home Directory        = /usr/users
    Administrative Lock        = 1
    Primary Group              = users
    Skeleton Directory         = /usr/skel
    Shell                      = /bin/sh
    Synchronized UNIX/PC Accts = 0
    PC Minimum Password Length = 8
    PC Minimum Password Age    = 30
    PC Maximum Password Age    = 90
    PC Password Uniqueness     = 1
    PC Force Logoff After      = 4294967295

The following example changes the primary group of the user abc to 15:

    % usermod -g 15 abc

The following example enables the creation of synchronized PC accounts
and sets the minimum user ID (UID) and the next user ID to be used:

    % usermod -D -x pc_synchronize=1 \
        min_uid=20 next_uid=250

The following example applies to the user's PC account only. It unlocks
the account and sets the allowed logins from 8:00 AM to 11:00 PM on
Monday:

    % usermod -P -x pc_disable_account=0 \
        pc_logon_hours=Mo0800-2300 StudentB

The following example shows how to modify a PC user's password:

    % usermod -P -x pc_passwd StudentB
The usermod command operates on the appropriate files for
the specific level of system security.
Commands: groupadd(8), groupdel(8), groupmod(8), useradd(8), userdel(8)
Manuals: System Administration, Security, Advanced Server
for UNIX Installation and Administration