useradd(8) System Manager's Manual useradd(8)
useradd - Adds a new user login account
/usr/sbin/useradd [-c comment] [-d dir [-e expire]] [-m] [-g group] [-G group[, group...]] [-H home_dir] [-p] [-P] [-R] [-s shell] [-t
type] [-u uid [-o]] [-x extended_option] login
/usr/sbin/useradd [-mpPR] [-c comment] [-d dir] [-e expire] [-ggroup] [-G group,group...] [-H home_dir] [-s shell] [-t type] [-u uid[o]]
[-x extended_option] login
A short description of the account, currently used as the field for the user's full name in the user database file. The comment argument
can be any text string. If the text string contains spaces, enclose the string in quotes. Specifies the home directory of the new user. If
not specified, dir defaults to base_dir/login, where base_dir is the default directory for user login accounts and login is the name of the
new login account. The -m option is specified to create the user's home directory. The -H option cannot be used with this option. Creates
the new user's home directory if it doesn't already exist. If the directory already exists, it must have read, write and execute permis-
sions by group, where group is the user's primary group. See also the -d option. This option is only for use on systems running in
enhanced security mode and is useful for creating temporary logins. The value of the expire argument is a date, must be in the format
10/27/97. A blank value ("") defeats the status of the expired date. Note that if a two-digit year is specified, and the number is >=69 and
<=99, the year is assumed to be 19** (20th century). Otherwise the year is assumed to be 20** (21st century). Valid date formats are: mmm
dd yy (Oct 27 97) mmm dd ccyy (Oct 27 1997) dd mmm yy (27 Oct 97) dd mmm ccyy (27 Oct 1997) mm-dd-yy (10-27-97) mm-dd-ccyy (10-27-1997)
mm/dd/yy (10/27/97) mm/dd/ccyy (10/27/1997) mmddyy (102797) mmddccyy (10271997) mmdd (1027) Specifies the number of days that can elapse
before an inactive account is locked automatically. A value of 0 means there is no limit. The default value is 0. The default value can be
set by combining this option with the -D option. The account holder's primary group. The group argument can be specified as an existing
group's identification number (GID) or character-string name.
When used without the -D option, it specifies the primary group for the new user login account. The user's secondary groups. This
option is a comma separated list of groups that defines the supplementary group membership for a new user. Groups can be specified
by the group's name or by its group identification number (GID). An error is displayed for each group that does not exist. Duplicate
groups are ignored. See the RESTRICTIONS section for more information. The path name of the home directory location. The path name
is combined with the login name to form the full path of the home directory. The -d option cannot be used with this option. Indi-
cates that you want to supply a password. You will be prompted to enter the password, which will not be echoed to the screen. After
entering a password, you will be prompted to verify it by entering it a second time. Creates a PC account only. This account is
usable in an environment using the Advanced Server for UNIX (ASU). See the RESTRICTIONS section for additional information. Retires
the account, without removing user directories. This option is valid only when enhanced security is enabled. When used without the
-D option, it specifies the full path name of the program used as the user's login shell. If both the -D and -s options are not
specified, the user's login shell defaults to /bin/sh. The shell argument must be a valid executable file.
When used with the -D option, it defines the system default. Adds a local plus (+) or local minus (-) NIS user from the user data-
base. The value of the type parameter can be + or -. Specifies the user identification number (UID) of the new user. The uid must
be specified as a non-negative decimal integer. Allows a user identification (UID) number to be duplicated (non-unique). This
option can be used only with the -u option. The following sets of extended_option attributes are available. You can enter any num-
ber of options (within the character limit of the command line) by separating each option with a space. Note that some extended
options are only available under specific system environments.
A valid command string for extended options is: % useradd -D -g 22 -b /home -x distributed=0
The following extended options are available: Indicates that the account is a NIS user account. This value can be set as a default
with the -D option and is incompatible with the local option. If distributed is set to 1, local is automatically set to 0. The sys-
tem default is 1 (locked). Indicates that the account is local. This value can be set as a default with the -D option and is incom-
patible with the distributed. If local is set to 1, distributed is automatically set to 0. Indicates whether or not the account is
locked by the system administrator. The value of the administrative_lock_applied=n attribute can be 0 or 1. If set to 0, the account
is not locked. If set to 1, (the default) the account is explicitly locked by the system administrator. Create synchronized PC
accounts if ASU is installed. You cannot use the pc_synchronize option if the -P option is in use. See the RESTRICTIONS section for
additional information. Note that this option can be specified as a default or on the command line.
The following extended_option attributes are available only on systems running in enhanced security mode. Specifies the time, in
days, between the last password change and the password expiration. (A new password must be chosen.) The date on which the current
password will expire. See the -e option for a list of valid date formats. Allows the user to choose their own password. Forces the
automatic password generator to run. Sets the number of characters for generated passwords Forces the automatic password checker to
run. Sets the minimum number of days that can elapse before a password can be changed. Sets maximum number of days that can elapse
before the password must be changed by the user. Forces a password change. Sets the minimum number of characters in a password.
Sets the maximum number of characters in a password. Sets the maximum number of times a password must change before it can be
reused. Sets the days of the week and hours of the day during which the account holder can log in to the account. The time string
format is an entry of Dd0000-0000 for each day and time that logins are enabled. Time is given in a 24-hour clock format. For exam-
ple, to restrict logins to Sunday, Monday and Wednesday: Su0830-1730,Mo0830-1730,We0830-1730
The hours are restricted to 8:30AM to 5:30PM. Specifies a date on which logins will be disabled automatically. Specifies a date on
which the account will expire and will be retired automatically. Specifies the number of days that can elapse before an inactive
account is locked automatically. Specifies the number of failed login attempts that can occur before an account is locked automati-
cally. When an account becomes disabled because of an expired password, break-in evasive action, or exceeded login interval, a
grace period provides an interval during which the disabling condition is overridden and the user may log in. This successful login
will automatically clear the disabling condition and the grace limit. Note that this does not unlock an account that has been admin-
istratively locked or that has expired. The grace limit specifies the number of days, starting immediately, that the user has to
log in and re-enable the account. Specifies the template name to provide default enhanced security features for users.
The following extended_option attributes are available for creating PC accounts that can be assigned to client PC users on systems
running ASU: The user account name on the PC. This can be identical to the user's UNIX account, or it can map to a shared account.
See the System Administration Guide for more information on account mapping. See the RESTRICTIONS section for more information The
backing UNIX account name, if no name is entered it will be the same as the PC usr account name. See the RESTRICTIONS section for
more information. The full name of the user or a description of the account. A brief description of the account that is modifiable
only by the administrator. A brief description of the account. This string can be changed by the user. The path to the user's home
directory, specified as an ASU share format. The primary ASU group (domain) to which the user belongs. The secondary ASU groups
(domains) to which the user belongs. This value is specified as a comma-delimited list. A list of client host systems from which
the user can log on. This value is specified as a comma-delimited list and a null value (" ") means that the user can log on from
all workstations. The directory where the default login script is located. This directory is created during ASU configuration.
Specifies whether the PC account is a local or global account in the ASU domain. Specifies the date on which the account will
expire and logins will be prevented. Specifies the days of the week and hours of the day during which logins will expire and logins
will be permitted or denied. See logon_hours for details of the string format. Specifies the pathname to the default user profile
directory. Specifies whether the account is locked, disabling logins. A text string that will be the initial account password.
Note that you must precede the pc_passwd option with the -x option and you will be prompted to enter a password, and then confirm
the entry. The password will not be echoed to the display. Controls whether the user can set their own password. Forces password
change during the initial login. Specifies a forced log off when the user's account or logon time expires. If there is a live
server connection when the time expires, and this value is set to 1, the connection will be dropped. This option is only available
with the -D option to change the default setting. A value of -1 specifies never, meaning that the user is not disconnected. The
account expires after the user logs off. Specifies the minimum number of days that can elapse before a password can be changed by
the user. This option is only available with the -D option to change the default setting. Specifies the maximum number of days that
can elapse before a password must be changed by the user. This option is only available with the -D option to change the default
setting. Specifies the minimum number of characters in a valid password string. This option is only available with the -D option to
change the default setting. Forces validation of the password for uniqueness. This option is only available with the -D option to
change the default setting. This option is equivalent to the passwd_history_limit option. Specifies the new login name of the
user. It can be a string of any printable characters, except a colon (:) or newline (
The useradd command is part of a set of command-line interfaces (CLI) that are used to create and administer user accounts on the system.
When The Advanced Server for UNIX (ASU) is installed and running, the useradd command can also be used to create and administer PC
accounts, including synchronized creation of PC accounts whenever an UNIX account is created. Accounts can also be created with the
/usr/bin/X11/dxaccounts graphical user interface (GUI).
Different options are available depending on how the local system is configured: In the default UNIX environment, user account management
is compliant with the IEEE POSIX Draft P13873.3 standard. If enhanced (C2) security is configured, additional options and extended options
can be used. The CLI is backwards-compatible, so all existing local scripts will function. However, you should consider testing your
legacy account management scripts before use.
Invoking useradd without the -D option adds a new user entry to the user database. It also creates supplementary group memberships for the
user (with the -G option) and creates the home directory for the user, if requested with the -m option.
Invoking useradd -D with no additional options displays the system default values that are used when creating a new login account.
With the -x option, the system administrator can specify extended options, such as whether the user login account to be modified is local
or whether it resides in the NIS master database. If the -x option is not specified, the user login account is modified from the appropri-
ate database as specified by the system defaults.
The default behavior on the system for the useradd command is distributed=0 and local=1. With these values, the system adds the user login
account to the local database by default. Setting the distributed= and local= attributes to the same value (for example, distributed=0 and
local=0) produces an error.
If the user identification number (UID) is not specified, it defaults to the next available (unique) number. The number is the next avail-
able UID greater than minUID. The value nextUID specifies the next UID to use. If not available, the next available UID greater than nex-
tUID is used.
The user database file entries created with useradd cannot exceed 512 characters per line. Specifying long arguments to several options may
exceed this limit.
You must have superuser privilege to execute this command.
Note the following restrictions that apply to this release: When creating PC only accounts, the PC account will be backed to the UNIX
account lmworld. This account must exist when adding PC only accounts. The lmworld account is created when the ASU is installed.
When the -P option is used, the specified login is the PC account name. When the -P option is not used, the specified login is the
UNIX account name. When the extended option pc_synchronize is used, the specified login is the UNIX account name. The extended
attribute pc_unix_username can only be used when the -P option is specified on the command line. This extended option is used to
specify a UNIX account name when creating or modifying a PC account. The extended attribute pc_username cannot be used when the -P
option is specified on the command line. It is used to specify a PC account name when creating or modifying a UNIX account. The
pc_synchronize option cannot be used with the -P option.
Distributed accounts can only be added or modified on NIS servers.
Note that restrictions also apply when modifying existing account attributes. Refer to the usermod(8) reference page for more information.
The useradd command exits with one of the following values: Success. Failure. Warning.
The following example adds the user, newuser, to the user database: % useradd newuser The following example enables synchronized PC
accounts, and the second command adds a user Contractor1 who will then have both a UNIX and a PC account using the system default account
set up options: % usermod -D -x pc_synchronize=1
% useradd -x pc_logon_workstations=sofdev Contractor1 The following example adds the user, newuser, to the user database with user id of
451: % useradd -u 451 newuser The following example adds the user, newuser, using the next available UID with csh as the login shell, and
creates the home directory /basehome_dir/newuser: % useradd -m -s /bin/csh newuser The following example adds the local user, xyz, that
overrides the default home directory in the NIS master database: % useradd -t + -d /users/xyz xyz The following example changes the default
base directory to /user/users1 for all new users: % useradd -D -b /user/users1 The following example adds the new user, xyz, to the NIS
master database: % useradd -x distributed=1 xyz The following example adds the new PC user, Contractor1, sets logon hours and the logon
system: % useradd -P -x Contractor1 / pc_logon_hours=Mo0900-2300,We0900-2300 / pc_logon_workstations=sofdev The following example adds
the new PC user, Contractor1, showing the password: % useradd -P -x pc_passwd Contractor1 New PC password: Retype new PC password:
Note that depending on the status of the pc_synchronize option, you may be required to confirm the password twice, once for the UNIX
account and once for the PC account.
The useradd command operates on the appropriate files for the specific level of system security.
Commands: groupadd(8), groupdel(8), groupmod(8), passwd(1), userdel(8), usermod(8)
Manuals: System Administration, Security, Advanced Server for UNIX Installation and Administration