usermod(8)
NAME
usermod - Modifies a user's login information on the system.
SYNOPSIS
SVE:
/usr/sbin/usermod [-u uid [-o]] [-l login_name] [-g group]
    [-G group[,group...]] [-c comment] [-d dir [-m]] [-s shell]
    [-e expire] [-f inactive] [-t type] login
POSIX:
/usr/sbin/usermod [-c comment] [-d dir [-m]] [-g group]
    [-G group[,group...]] [-H home_dir] [-p] [-l login_name] [-P]
    [-s shell] [-t type] [-u uid [-o]] [-x extended_option] login
/usr/sbin/usermod -D [-g group] [-s shell] [-d dir] [-e expire]
    [-f inactive] [-x extended_option]
OPTIONS
-c comment
    Modifies the description of the account, currently used as the
    field for the user's full name in the user database file. The
    comment argument can be any text string. If the text string
    contains spaces, enclose the string in quotes.

-H home_dir
    Sets the pathname of the user's home directory location. The
    pathname is combined with the login name to form the full path of
    the home directory. The -H option cannot be used with the -d
    option, but see also the -m option.

-d dir
    Specifies the full path to the home directory where the user
    account resides. If not specified, dir defaults to home_dir/login,
    where home_dir is the default directory for user login accounts
    and login is the name of the new login account. The -d option
    cannot be used with the -H option, but see also the -m option.

-m
    Moves the user's home directory to the new location. This option
    must be combined with either the -H or -d options.

-p
    Indicates that you want to supply a password. You are prompted to
    enter the password, which is not echoed to the screen. After
    entering a password, you are prompted to verify it by entering it
    a second time.

-P
    Modifies a PC account created by useradd with this switch. This
    account is usable in an environment with the Advanced Server for
    UNIX (ASU).

-D
    Displays and sets the default values used by the account
    management utilities for user and group information. When used
    without arguments, this flag displays the default values. If
    invoked with any combination of the flags listed by the
    usermod -D command, it sets the default values for those flags.
    Subsequent invocations of usermod use these new defaults. For
    example, in the POSIX environment, the following command sets the
    group to project, the account to local and the minimum UID to 300
    for any new account that is subsequently created:

        # usermod -D -g project -x local=1 min_uid=300

-e expire
    This option is only for use on SVE systems running in enhanced
    security mode and is useful for creating temporary logins. The
    value of the expire argument is a date. See the useradd(8)
    reference page for a list of valid date formats. A blank value
    ("") defeats the status of the expired date. Set the extended
    option -x account_expiration for the default value. Note that if a
    two-digit year is specified, and the number is >=69 and <=99, the
    year is assumed to be 19** (20th century). Otherwise the year is
    assumed to be 20** (21st century).

-g group
    Changes the account holder's primary group. The group argument can
    be specified as an existing group's identification number (GID) or
    character-string name. You can use the -D option to set the
    default primary group for new logins.

-G group[,group...]
    Modifies the user's secondary groups. This option is a
    comma-separated list of groups that defines the supplementary
    group membership for the user. This is a replacement operation
    that will add or remove the user from supplementary groups as
    necessary. All the groups in which membership is desired must be
    listed. Groups can be specified by the group's name or by group
    identification number (GID). An error is displayed for each group
    that does not exist. Duplicate groups are ignored.

-l login_name
    Changes the user's login name. The login name has the same
    restrictions as described for new users in useradd(8).

-s shell
    Modifies the user's login shell. It specifies the full pathname of
    the program used as the user's login shell. The shell argument
    must be a valid executable file. When used with the -D option, -s
    defines the system default.

-t type
    Changes the user's account type to local plus (+) or local (-) NIS
    user in the user database. The value of the type parameter can be
    + or -.

-u uid
    Modifies the user identification number (UID) of the new user. The
    uid must be specified as a non-negative decimal integer.

-o
    When modifying a UID, allows a user identification (UID) number to
    be duplicated (non-unique). This option can be used only with the
    -u option.

-x extended_option
    Extended_options are of the form attribute=value. You may enter
    any number of extended options (within the character limit of the
    command line) by separating each option with a space.
    Alternatively, they may be entered separately following the -x
    switch. Note that some extended options are only available under
    specific system environments. To review the current defaults, use
    the following command:

        usermod -D

    This example is a valid command string for extended options:

        usermod -D -x distributed=1 next_UID=300 \
            administrative_lock_applied=0
    The following sets of extended_option attributes are available:

    Indicates whether the account is local. This value can be set as a
    default with the -D option and is incompatible with the
    distributed and ldap options. If local is set to 1, distributed
    and ldap are automatically set to 0.

    Indicates that the account is a NIS user account. This value can
    be set as a default with the -D option and is incompatible with
    the local and ldap options. If distributed is set to 1, they are
    automatically set to 0. You must be on the NIS master to modify a
    NIS user.

    Indicates whether the account is on an LDAP server. This option is
    incompatible with the local and distributed options. If local or
    distributed is set to 1, local and ldap are automatically set to
    0. LDAP must be configured, and you must be on the LDAP server or
    an LDAP client with permission to modify the LDAP database.

    Specifies the minimum UID value. This value can only be set as a
    default with the -D option.

    Specifies the maximum UID value. This value can only be set as a
    default with the -D option.

    Specifies the next sequential unassigned UID. This value can only
    be set as a default with the -D option.

    Allows the UID to be a duplicate of an existing UID. This value
    can only be set as a default with the -D option.

    Specifies the parent directory where home directories will be
    created by default, such as /usr/users. This option can only be
    used with the -D option to set a default.

    Specifies the directory where skeleton files reside. Files in this
    directory are copied to new home directories when they are
    created. This option can only be used with the -D option to set a
    default.

    Specifies the maximum number of groups to which a user can belong.
    This value can only be set as a default with the -D option.

    Specifies the hashed password database. This value can only be set
    as a default with the -D option.

    Locks the account. A value of 1 locks the specified account, and a
    value of 0 will unlock it. The default is 1.
    The following extended_option attributes are available only on
    systems running in enhanced security mode:

    Specifies the time, in days, between the last password change and
    the password expiration. (A new password must be chosen.) The
    value of n must be an integer. If the value of the
    passwd_expiration_time attribute is set to 0, there is no password
    expiration time.

    Specifies the time, in days, between the last password change and
    the expiration of the account. The value of n must be a
    non-negative integer. If the passwd_lifetime attribute is set to
    0, the password lifetime is infinite.

    Specifies the time, in days, which must pass before a user can
    change the user account password. The value of n must be a
    non-negative integer. A value of 0 means there is no minimum time
    to change the user account password.

    The date on which the current password will expire. See the -e
    option for a list of valid date formats.

    Allows the user to choose his or her own password.

    Forces the automatic password generator to run.

    Sets the maximum number of characters for generated passwords.

    Forces the automatic password checker to run.

    Forces a password change.

    Sets the minimum number of characters in a password.

    Sets the maximum number of characters in a password.

    Sets the number of times that the password must be changed before
    a password can be reused.

    Sets the days of the week and hours of the day during which the
    account holder can log in to the account. The time string format
    is an entry of Dd0000-0000 for each day and time that logins are
    enabled. Time is given in a 24-hour clock format. For example, to
    restrict logins to Sunday, Monday and Wednesday:

        Su0830-1730,Mo0830-1730,We0830-1730

    The hours are restricted to 8:30AM to 5:30PM.

    Specifies a date on which logins will be disabled automatically.

    Specifies the number of days until the account expires and is
    retired automatically.

    Specifies the number of days that can elapse before an inactive
    account is locked automatically.

    Specifies the number of failed login attempts that can occur
    before an account is locked automatically.

    When an account becomes disabled because of an expired password,
    break-in evasive action, or exceeded login interval, a grace
    period provides an interval during which the disabling condition
    is overridden and the user may log in. This successful login will
    automatically clear the disabling condition and the grace limit.
    Note that this does not unlock an account that has been
    administratively locked or that has expired. The grace limit
    specifies the number of days, starting immediately, that the user
    has to log in and re-enable the account.

    Specifies the template name to provide default enhanced security
    features for users.
    The following extended_option attributes are available for PC
    group administration if the Advanced Server for UNIX (ASU) is
    configured and running:

    The user account name on the PC. This can be identical to the
    user's UNIX account, or it can map to a shared account. See the
    System Administration guide for more information on account
    mapping.

    The backing UNIX account name. If no name is entered, it will be
    the same as the PC user account name.

    The full name of the user or a description of the account.

    A brief description of the account that is modifiable only by the
    administrator.

    A brief description of the account. This string can be changed by
    the user.

    The path to the user's home directory, specified as an ASU share
    format.

    The primary ASU group (domain) to which the user belongs.

    The secondary ASU groups (domains) to which the user belongs. This
    value is specified as a comma-delimited list.

    A list of client host systems from which the user can log on. This
    value is specified as a comma-delimited list and a null value
    (" ") means that the user can log on from all workstations.

    The directory where the default logon script is located. This
    directory is created during ASU configuration.

    Specifies whether the PC account is a local or global account in
    the ASU domain.

    Specifies the date on which the account will expire and logins
    will be prevented.

    Specifies the days of the week and hours of the day during which
    logins will expire and logons will be permitted or denied. See
    logon_hours for details of the string format.

    Specifies the pathname to the default user profile directory.

    Specifies whether the account is locked, disabling logins.

    A text string that will be the initial account password. Note that
    you must precede the pc_passwd option with the -x option and you
    will be prompted to enter a password and then confirm the entry.
    The password will not be echoed to the screen.

    Controls whether the user can set his or her own password.

    Forces password change during the initial login.

    Specifies a forced log off when the user's account or logon time
    expires. If there is a live server connection when the time
    expires, and this value is set to 1, the connection will be
    dropped. This option is only available with the -D option to
    change the default setting. A value of -1 specifies never, meaning
    that the user is not disconnected. The account expires after the
    user logs off.

    Sets the PC synchronized status to off (0) or on (1).

    Specifies the minimum number of days that can elapse before a
    password can be changed by the user. This option is only available
    with the -D option to change the default setting.

    Specifies the maximum number of days that can elapse before a
    password must be changed by the user. This option is only
    available with the -D option to change the default setting.

    Specifies the minimum number of characters in a valid password
    string. This option is only available with the -D option to change
    the default setting.

    Forces validation of the password for uniqueness. This option is
    only available with the -D option to change the default setting.
    This option is equivalent to the passwd_history_limit option.

login
    Specifies the login name of the user. You cannot specify a new
    login name for PC users. Refer to the Advanced Server for UNIX
    (ASU) documentation for more information.
DESCRIPTION
The usermod command is part of a set of command-line interfaces (CLI)
that are used to create and administer user accounts on the system.
When the Advanced Server for UNIX (ASU) is installed and running, the
usermod command can also be used to administer Windows NT domain (PC)
accounts, including simultaneous (synchronized) modification of PC
accounts or modifications to PC accounts alone. Accounts can also be
modified with the /usr/bin/X11/dxaccounts graphical user interface
(GUI) or the sysman(8) Accounts menu.
Different options are available depending on how the local system is
configured:
    In the default UNIX environment, user account management is
    compliant with the IEEE POSIX Standard P1387.3-1996.
    If enhanced (C2) security is configured, additional options and
    extended options can be used.
The CLI is backwards-compatible, so all existing local scripts will
function. However, you should consider testing your account management
scripts before use.
The usermod command modifies a user's login definition on the system
and makes the login-related changes in the appropriate system files
determined by the current level of security.
The system file entries modified with this command have a limit of 512
characters per line. Specifying long arguments to several options may
exceed this limit.
With the -x option, the system administrator can specify extended
options, such as whether the user login account to be modified is
local, resides in the NIS master database, or resides in the LDAP
database. If the -x option is not specified, the user login account is
modified from the appropriate database as specified by the system
defaults. The default behavior on the system for the usermod command
is as follows: local=1, distributed=0, and ldap=0. With these values,
the system modifies the user login definition at the local database.
Certain combinations of these settings are incompatible and produce an
error: it is invalid to set all of these values to 0 or set more than
one of them to 1.
When NIS or LDAP are available, the modified user may be added or
removed from secondary group memberships (with the -G option) in more
than one type of group. The indicated groups are sought first in the
database that is of the same type as the user. If not found, the
alternate database is checked. If the group is not found in either
database, a warning is issued.
RESTRICTIONS
Note the following restrictions that apply to this release:
You must have superuser privilege to execute this command.

When creating or modifying PC only accounts, the PC account will be
backed to the UNIX account lmworld. This account must exist when adding
PC only accounts. The lmworld account is created when the ASU kit is
installed.

When modifying a synchronized PC and UNIX account that has different
UNIX and PC account names, the following conditions apply:
    If the -P flag is specified, pc_unix_username specifies the UNIX
    account and the specified login is the PC account.
    If the -P flag is not given, pc_username specifies the PC account
    and the specified login is the UNIX account.

The extended attribute pc_unix_username can only be used when the -P
option is specified on the command line. This extended option is used
to specify a UNIX account name when creating or modifying a PC account.

The extended attribute pc_username cannot be used when the -P option is
specified on the command line. It is used to specify a PC account name
when creating or modifying a UNIX account.

The pc_synchronize option cannot be used with the -P option.
EXIT STATUS
The usermod command exits with one of the following values: Success.
Failure. Warning.
EXAMPLES
The following example changes the UID of the user, newuser, to 451 in
the user database:

    % usermod -u 451 newuser

The following example changes the home directory of the user, xyz to
/users/xyz, and moves the files from the user's current directory to
the new directory:

    % usermod -d /users/xyz -m xyz

The following example unlocks a user account that has been
administratively locked.

    % usermod -x administrative_lock_applied=0 username

The following example gives a one day grace period during which a user
may log in to an account that has been disabled:

    % usermod -x grace_limit=1 username

The following example changes the login shell of the user, abc, in the
NIS master database on the system where the command is executed:

    % usermod -s /bin/csh -x distributed=1 abc

The following example changes the user's login name from abc to xyz:

    % usermod -l xyz abc

The following example shows a typical output of default settings using
the -D option alone:

    % usermod -D
    Local                      = 1           Distributed                = 0
    Minimum User ID            = 12          Next User ID               = 200
    Maximum User ID            = 4294967293  Duplicate User ID          = 0
    Use Hashed Database        = 0           Max Groups Per User        = 32
    Base Home Directory        = /usr/users  Administrative Lock        = 1
    Primary Group              = users       Skeleton Directory         = /usr/skel
    Shell                      = /bin/sh     Synchronized UNIX/PC Accts = 0
    PC Minimum Password Length = 8           PC Minimum Password Age    = 30
    PC Maximum Password Age    = 90          PC Password Uniqueness     = 1
    PC Force Logoff After      = 4294967295

The following example changes the primary group of the user, abc, to
15:

    % usermod -g 15 abc

The following example enables the creation of synchronized PC accounts
and sets the minimum user ID (UID) and the next user ID to be used:

    % usermod -D -x pc_synchronize=1 \
        min_uid=20 next_uid=250

The following example applies to the user's PC account only. It unlocks
the account and sets the allowed logins from 8:00 AM to 11:00 PM on
Monday:

    % usermod -P -x pc_disable_account=0 \
        pc_logon_hours=Mo0800-2300 StudentB

The following example shows how to modify a PC user's password:

    % usermod -P -x pc_passwd StudentB
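
The logon_hours and pc_logon_hours values are Dd0000-0000 entries separated by commas, and a mistyped entry changes when an account may log in. The following shell functions are an added example, not part of the original reference page or of usermod itself: they check such a string before it is passed to usermod -x and report whether a given day and time falls inside an enabled window. Day codes other than Su, Mo and We, the rejection of windows that end before they start, and the inclusive end time are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for logon_hours / pc_logon_hours strings
# (entries of the form Dd0000-0000, comma separated) before usermod -x.
# Assumptions: day codes are Su Mo Tu We Th Fr Sa (the page shows Su, Mo, We);
# a window must start before it ends; the end minute is treated as allowed.

# valid_hhmm HHMM: succeeds for a 24-hour clock time 0000..2359.
valid_hhmm() {
    case "$1" in
        [0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Prefixing "1" keeps values such as 08 from being read as octal.
    [ "1${1%??}" -le 123 ] && [ "1${1#??}" -le 159 ]
}

# check_logon_hours STRING: succeeds only if every entry is well formed.
# The body runs in a subshell so IFS and "set -f" do not leak to the caller.
check_logon_hours() (
    case "$1" in
        ''|,*|*,|*,,*) exit 1 ;;      # empty string or empty entry
    esac
    IFS=,; set -f
    for entry in $1; do
        day=${entry%%[0-9]*}          # text before the first digit
        span=${entry#"$day"}          # remaining 0000-0000 part
        case "$day" in Su|Mo|Tu|We|Th|Fr|Sa) ;; *) exit 1 ;; esac
        case "$span" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
            *) exit 1 ;;
        esac
        valid_hhmm "${span%-*}" && valid_hhmm "${span#*-}" || exit 1
        [ "1${span%-*}" -lt "1${span#*-}" ] || exit 1
    done
    exit 0
)

# logon_allowed STRING DAY HHMM: 0 = inside a window, 1 = outside,
# 2 = STRING or HHMM is malformed.
logon_allowed() (
    check_logon_hours "$1" || exit 2
    valid_hhmm "$3" || exit 2
    IFS=,; set -f
    for entry in $1; do
        [ "${entry%%[0-9]*}" = "$2" ] || continue
        span=${entry#??}
        if [ "1$3" -ge "1${span%-*}" ] && [ "1$3" -le "1${span#*-}" ]; then
            exit 0
        fi
    done
    exit 1
)

# The two strings used on this page, checked against constructed login times.
for t in "Su0830-1730,Mo0830-1730,We0830-1730 Mo 0900" "Mo0800-2300 Mo 2330"
do
    set -- $t
    if logon_allowed "$@"; then echo "$t: allowed"; else echo "$t: denied"; fi
done
```

Running the check before the change catches strings such as Mo0800-2500 or a trailing comma without touching the account database.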
FILES
The usermod command operates on the appropriate files for the specific
level of system security.
SEE ALSO
Commands: groupadd(8), groupdel(8), groupmod(8), useradd(8),
userdel(8)
Manuals: System Administration, Security, Advanced Server for UNIX
Installation and Administration