useradd(8)useradd(8)NAMEuseradd - Adds a new user login account
SYNOPSIS
/usr/sbin/useradd [-c comment] [-d dir| -H home_dir] [-e expire] [-g
group] [-G group[,group...]] [-m] [-p] [-P] [-s shell] [-t type] [-u
uid [-o]] [-x extended_option] login
/usr/sbin/useradd -D [-d home_dir] [-e expire] [-f inactive] [-g group]
[-s shell] [-x extended_option]
OPTIONS
A short description of the account, currently used as the field for the
user's full name in the user database file. The comment argument can be
any text string. If the text string contains spaces, enclose the string
in quotes. Specifies the home directory of the new user. If not speci‐
fied, dir defaults to home_dir/login, where home_dir is the default
directory for user login accounts and login is the name of the new
login account. The -m option must be specified to create the user's
home directory.
The -H cannot be used with this option. Displays and sets the
default values used by the account management utilities for user
and group information.
When used without arguments, this flag displays the default val‐
ues. If invoked with any combination of the flags listed by the
usermod -D command, it sets the default values for those flags.
Subsequent invocations of useradd or usermod use these new
defaults. This option is only for use on systems running in
enhanced security mode and is useful for creating temporary
logins. The value of the expire argument is a date, and must be
in one of the valid formats listed below. A blank value ("")
defeats the status of the expired date. Note that if a two-digit
year is specified, and the number is >=69 and <=99, the year is
assumed to be 19** (20th century). Otherwise the year is assumed
to be 20** (21st century). The following date formats are valid:
mmm dd yy (Oct 27 97) mmm dd ccyy (Oct 27 1997) dd mmm yy (27
Oct 97) dd mmm ccyy (27 Oct 1997) mm-dd-yy (10-27-97) mm-dd-ccyy
(10-27-1997) mm/dd/yy (10/27/97) mm/dd/ccyy (10/27/1997) mmddyy
(102797) mmddccyy (10271997) mmdd (1027) This option is only for
use on systems running in enhanced security mode and specifies
the number of days that can elapse before an inactive account is
locked automatically. A value of 0 means there is no limit. The
default value is 0.
The default value for new accounts can be set by combining this
option with the -D option. The account holder's primary group.
The group argument can be specified as an existing group's iden‐
tification number (GID) or character-string name.
The default value for new accounts can be set by combining this
option with the -D option. The user's secondary groups. This
option is a comma separated list of groups that defines the sup‐
plementary group membership for a new user. Groups can be speci‐
fied by the group's name or by its group identification number
(GID). An error is displayed for each group that does not exist.
Duplicate groups are ignored. See the RESTRICTIONS section for
more information. The path name of the home directory location.
The path name is combined with the login name to form the user's
home directory. The -m option must be specified to create the
user's home directory.
The -d cannot be used with this option. Creates the new user's
home directory if it doesn't already exist. If the directory
already exists, it must have read, write, and execute permis‐
sions by group, where group is the user's primary group. See
also the -d and -H options. Indicates that you want to supply a
password. You will be prompted to enter the password, which will
not be echoed to the screen. After entering a password, you will
be prompted to verify it by entering it a second time. Creates
a PC account only. This account is usable in an environment
using the Advanced Server for UNIX (ASU). See the RESTRICTIONS
section for additional information. Specifies the full path
name of the program used as the user's login shell. The shell
argument must be a valid executable file.
The default value for new accounts can be set by combining this
option with the -D. If no default shell has been set, the login
shell for new users will be /bin/sh. Adds a local plus (+) or
local minus (-) NIS user from the user database. The value of
the type parameter can be + or -. Specifies the user identifi‐
cation number (UID) of the new user. The uid must be specified
as a non-negative decimal integer. Allows a user identification
(UID) number to be duplicated (non-unique). This option can be
used only with the -u option. Extended options are of the form
attribute=value. You may enter any number of extended options
(within the character limit of the command line) by separating
each option with a space. Alternatively, they may be entered
separately following the -x switch. Note that some extended
options are only available under specific system environments.
A valid command string for extended options is:
% useradd-D -g 22 -b /home -x distributed=0
The following extended options are available: Indicates that the
account is local. This value can be set as a default with the
-D option and is incompatible with the distributed and ldap
options.If local is set to 1, distributed and ldap are automati‐
cally set to 0. Indicates that the account is a NIS user
account. This value can be set as a default with the -D option
and is incompatible with the local and ldap options. If distrib‐
uted is set to 1, local and ldap are automatically set to 0. You
must be on the NIS master to add a NIS user. Indicates that the
account is on an LDAP server. This option is incompatible with
the distributed and local options. If either local or distrib‐
uted is set to 1, it is automatically reset to 0. LDAP must be
configured, and you must be on the LDAP server or an LDAP client
with permission to modify the LDAP database. Indicates whether
the account is to be locked by the system administrator. If set
to 0, the account is not locked. If set to 1 (the default), the
account is explicitly locked and the user cannot log in to the
system.
The following extended_option attributes are available only on
systems running in enhanced security mode. Specifies the time,
in days, between the last password change and the password expi‐
ration. (A new password must be chosen.) The date on which the
current password will expire. See the -e option for a list of
valid date formats. Allows the user to choose his or her own
password. Forces the automatic password generator to run. Sets
the maximum number of characters for generated passwords.
Forces the automatic password checker to run. Sets the minimum
number of days that can elapse before a password can be changed.
Sets maximum number of days that can elapse before the password
must be changed by the user. Forces a password change. Sets
the minimum number of characters in a password. Sets the maxi‐
mum number of characters in a password. Sets the maximum number
of times a password must change before it can be reused. Sets
the days of the week and hours of the day during which the
account holder can log in to the account. The time string format
is an entry of Dd0000-0000 for each day and time that logins are
enabled. Time is given in a 24-hour clock format. For example,
to restrict logins to Sunday, Monday and Wednesday:
Su0830-1730,Mo0830-1730,We0830-1730
The hours are restricted to 8:30AM to 5:30PM. Specifies a date
on which logins will be disabled automatically. Specifies the
number of days until the account expires and is retired automat‐
ically. Specifies the number of days that can elapse before an
inactive account is locked automatically. Specifies the number
of failed login attempts that can occur before an account is
locked automatically. When an account becomes disabled because
of an expired password, break-in evasive action, or exceeded
login interval, a grace period provides an interval during which
the disabling condition is overridden and the user may log in.
This successful login will automatically clear the disabling
condition and the grace limit. Note that this does not unlock an
account that has been administratively locked or that has
expired. The grace limit specifies the number of days, starting
immediately, that the user has to log in and re-enable the
account. Specifies the template name to provide default
enhanced security features for users.
The following extended_option attributes are available for cre‐
ating PC accounts that can be assigned to client PC users on
systems running ASU: The user account name on the PC. This can
be identical to the user's UNIX account, or it can map to a
shared account. See the System Administration Guide for more
information on account mapping. See the RESTRICTIONS section
for more information. The backing UNIX account name. If no name
is entered it will be the same as the PC user account name. See
the RESTRICTIONS section for more information. The full name of
the user or a description of the account. A brief description
of the account that is modifiable only by the administrator. A
brief description of the account. This string can be changed by
the user. The path to the user's home directory, specified as
an ASU share format. The primary ASU group (domain) to which
the user belongs. The secondary ASU groups (domains) to which
the user belongs. This value is specified as a comma-delimited
list. A list of client host systems from which the user can log
on. This value is specified as a comma-delimited list, and a
null value (" ") means that the user can log on from all work‐
stations. The directory where the default login script is
located. This directory is created during ASU configuration.
Specifies whether the PC account is a local or global account in
the ASU domain. Specifies the date on which the account will
expire and logins will be prevented. Specifies the days of the
week and hours of the day during which logins will expire and
logins will be permitted or denied. See logon_hours for details
of the string format. Specifies the pathname to the default
user profile directory. Specifies whether the account is
locked, disabling logins. A text string that will be the ini‐
tial account password. Note that you must precede the pc_passwd
option with the -x option. Then you will be prompted to enter a
password, and then prompted to confirm the entry. The password
will not be echoed to the display. Controls whether the user
can set his or her own password. Forces password change during
the initial login. Specifies a forced log off when the user's
account or logon time expires. If there is a live server connec‐
tion when the time expires, and this value is set to 1, the con‐
nection will be dropped. This option is only available with the
-D option to change the default setting. A value of -1 speci‐
fies never, meaning that the user is not disconnected. The
account expires after the user logs off. Create synchronized PC
accounts if ASU is installed. You cannot use the pc_synchronize
option if the -P option is in use. See the RESTRICTIONS section
for additional information.
This option can be specified in combination with the -D option
to set the default value. Specifies the minimum number of days
that can elapse before a password can be changed by the user.
This option is only available with the -D option to change the
default setting. Specifies the maximum number of days that can
elapse before a password must be changed by the user. This
option is only available with the -D option to change the
default setting. Specifies the minimum number of characters in
a valid password string. This option is only available with the
-D option to change the default setting. Forces validation of
the password for uniqueness. This option is only available with
the -D option to change the default setting. This option is
equivalent to the passwd_history_limit option. Specifies the
new login name of the user. There are restrictions, described
below, on the length and allowable characters in the login name.
DESCRIPTION
The useradd command is part of a set of command-line interfaces (CLI)
that are used to create and administer user accounts on the system.
When The Advanced Server for UNIX (ASU) is installed and running, the
useradd command can also be used to create and administer PC accounts,
including synchronized creation of PC accounts whenever a UNIX account
is created. Accounts can also be created with the /usr/bin/X11/dxac‐
counts graphical user interface (GUI) or the sysman(8) Accounts menu.
Different options are available depending on how the local system is
configured: In the default UNIX environment, user account management is
compliant with the IEEE POSIX Standard P1387.3. If enhanced (C2) secu‐
rity is configured, additional options and extended options can be
used. The CLI is backwards-compatible, so all existing local scripts
will function. However, you should consider testing your legacy account
management scripts before use.
Invoking useradd without the -D option adds a new user entry to the
user database. It also creates supplementary group memberships for the
user if requested with the -G option, and creates the home directory
for the user if requested with the -m option.
Invoking useradd-D with no additional options displays the system
default values that are used when creating a new login account.
The default behavior on hte system for the useradd is as follows: dis‐
tributed=0, ldap=0, and local=1. With these values, the system adds the
user login account to the local database. Certain combinations of these
settings are incompatible and produce an error: it is invalid to set
all of these values to 0 or set more than one of them to 1.
If the user identification number (UID) is not specified, it defaults
to the next available (unique) number. The number is the next available
UID greater than minUID. The value nextUID specifies the next UID to
use. If not available, the next available UID greater than nextUID is
used.
When NIS or LDAP are available, the new user may be given secondary
group memberships with the -G option in more than one type of group.
The indicated groups are sought first in the database that is of the
same type as the user. If not found, the alternate database is checked.
If the group is not found in either database, a warning is issued but
the account is created.
The user database entries created with useradd cannot exceed 512 char‐
acters per line for local and NIS accounts. Specifying long arguments
to several options may exceed this limit.
RESTRICTIONS
Note the following restrictions that apply to this release:
You must have superuser privilege to execute this command.
Certain characters that have special meaning for the shells are not
allowed in the login name. This list includes $@/[]:;|=,*?(){}"' `#,
backslash (\), and white space (space, tab, newline, form-feed,
return). In addition, the first character of the new login name cannot
be one of +-!~.
The maximum length of the login name is an adustable system configura‐
tion parameter, but is guaranteed to be at least 8 characters. When
creating PC only accounts, the PC account will be backed to the UNIX
account lmworld. This account must exist when adding PC-only accounts.
The lmworld account is created when the ASU is installed.
When the -P option is used, the specified login is the PC
account name. When the -P option is not used, the specified
login is the UNIX account name. When the extended option pc_syn‐
chronize is used, the specified login is the UNIX account name.
The extended attribute pc_unix_username can only be used when
the -P option is specified on the command line. This extended
option is used to specify a UNIX account name when creating or
modifying a PC account. The extended attribute pc_username can‐
not be used when the -P option is specified on the command line.
It is used to specify a PC account name when creating or modify‐
ing a UNIX account. The pc_synchronize option cannot be used
with the -P option.
Distributed accounts can only be added or modified on NIS
servers.
Note that restrictions also apply when modifying existing account
attributes. Refer to the usermod(8) reference page for more informa‐
tion.
EXIT STATUS
The useradd command exits with one of the following values: Success.
Failure. Warning.
EXAMPLES
The following example adds the user, newuser, to the user database:
% useradd newuser The following example enables synchronized PC
accounts, and the second command adds a user Contractor1 who will then
have both a UNIX and a PC account using the system default account set‐
up options:
% usermod -D -x pc_synchronize=1
% useradd-x pc_logon_workstations=sofdev Contractor1 The following
example adds the user, newuser, to the user database with user id of
451: % useradd-u 451 newuser The following example adds the user,
newuser, using the next available UID with csh as the login shell. It
creates the user's home directory /home_dir/newuser, where /home_dir is
the default location for creating home directories: % useradd-m -s
/bin/csh newuser The following example adds the local user, xyz, that
overrides the default home directory in the NIS master database: %
useradd-t + -d /users/xyz xyz The following example changes the
default base directory to /user/users1 for all new users: % useradd-D
-b /user/users1 The following example adds the new user, xyz, to the
NIS master database: % useradd-x distributed=1 xyz The following exam‐
ple adds the new PC user, Contractor1, sets logon hours and the logon
system: % useradd-P-x / pc_logon_hours=Mo0900-2300,We0900-2300 /
pc_logon_workstations=sofdev Contractor1 The following example adds
the new PC user, Contractor1, supplying the PC password: % useradd-P
-x pc_passwd Contractor1 New PC password: Retype new PC password:
FILES
The useradd command operates on the appropriate files for the specific
level of system security.
SEE ALSO
Commands: groupadd(8), groupdel(8), groupmod(8), passwd(1),
userdel(8), usermod(8)
Manuals: System Administration,Security, Advanced Server for UNIX
Installation and Administration
useradd(8)
