useradd(8)
NAME
useradd - Adds a new user login account
SYNOPSIS
/usr/sbin/useradd [-c comment] [-d dir |-H home_dir] [-e expire] [-g group]
[-G group[,group...]] [-m] [-p] [-P] [-s shell] [-t type] [-u uid [-o]] [-x
extended_option] login
/usr/sbin/useradd -D [-d home_dir] [-e expire] [-f inactive] [-g group]
[-s shell] [-x extended_option]
OPTIONS
-c comment
A short description of the account, currently used as the field for
the user's full name in the user database file. The comment
argument can be any text string. If the text string contains
spaces, enclose the string in quotes.
-d dir Specifies the home directory of the new user. If not specified, dir
defaults to home_dir/login, where home_dir is the default directory
for user login accounts and login is the name of the new login
account. The -m option must be specified to create the user's home
directory.
The -H option cannot be used with this option.
-D Displays and sets the default values used by the account management
utilities for user and group information.
When used without arguments, this flag displays the default values.
If invoked with any combination of the flags listed by the usermod
-D command, it sets the default values for those flags. Subsequent
invocations of useradd or usermod use these new defaults.
-e expire
This option is only for use on systems running in enhanced security
mode and is useful for creating temporary logins. The value of the
expire argument is a date, and must be in one of the valid formats
listed below. A blank value ("") defeats the status of the expired
date. Note that if a two-digit year is specified, and the number is
>=69 and <=99, the year is assumed to be 19** (20th century).
Otherwise the year is assumed to be 20** (21st century). The
following date formats are valid:
· mmm dd yy (Oct 27 97)
· mmm dd ccyy (Oct 27 1997)
· dd mmm yy (27 Oct 97)
· dd mmm ccyy (27 Oct 1997)
· mm-dd-yy (10-27-97)
· mm-dd-ccyy (10-27-1997)
· mm/dd/yy (10/27/97)
· mm/dd/ccyy (10/27/1997)
· mmddyy (102797)
· mmddccyy (10271997)
· mmdd (1027)
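Added example (not part of the original reference page): POSIX shell functions that normalise an -e date to ccyy-mm-dd under the two-digit-year rule above, so a provisioning script can confirm which expiry a temporary account will actually receive. The function names are hypothetical, month abbreviations other than Oct are assumed to be the usual English three-letter forms, and mmdd is rejected because the page states no year for it.

```shell
# Added example, not from the useradd page. All function names are hypothetical.

# Month abbreviation -> two-digit month (only "Oct" appears on the page;
# the other abbreviations are an assumption).
month_num() {
    case $1 in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# Pivot stated for -e: a two-digit year 69..99 is 19yy, anything else is 20yy.
expand_year() {
    case $1 in
        [0-9][0-9][0-9][0-9]) echo "$1" ;;
        [0-9][0-9])
            # Strip one leading zero so 08 and 09 compare as decimal numbers.
            if [ "${1#0}" -ge 69 ]; then echo "19$1"; else echo "20$1"; fi ;;
        *) return 1 ;;
    esac
}

# Print the date as ccyy-mm-dd, or return 1 if the format is not recognised.
normalize_expire() {
    case $1 in
        [A-Z][a-z][a-z]" "[0-9][0-9]" "*)      # mmm dd yy, mmm dd ccyy
            mon=$(month_num "${1%% *}") || return 1
            rest=${1#* }; day=${rest%% *}; yr=${rest#* } ;;
        [0-9][0-9]" "[A-Z][a-z][a-z]" "*)      # dd mmm yy, dd mmm ccyy
            day=${1%% *}; rest=${1#* }
            mon=$(month_num "${rest%% *}") || return 1
            yr=${rest#* } ;;
        [0-9][0-9]-[0-9][0-9]-*)               # mm-dd-yy, mm-dd-ccyy
            mon=${1%%-*}; rest=${1#*-}; day=${rest%%-*}; yr=${rest#*-} ;;
        [0-9][0-9]/[0-9][0-9]/*)               # mm/dd/yy, mm/dd/ccyy
            mon=${1%%/*}; rest=${1#*/}; day=${rest%%/*}; yr=${rest#*/} ;;
        [0-9][0-9][0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            # mmddyy, mmddccyy: peel two digits at a time
            rest=${1#??}; mon=${1%"$rest"}; yr=${rest#??}; day=${rest%"$yr"} ;;
        *) return 1 ;;                         # includes mmdd (no year given)
    esac
    year=$(expand_year "$yr") || return 1
    [ "${mon#0}" -ge 1 ] && [ "${mon#0}" -le 12 ] || return 1
    [ "${day#0}" -ge 1 ] && [ "${day#0}" -le 31 ] || return 1
    echo "$year-$mon-$day"
}

# Constructed inputs: the same day with years on either side of the pivot.
normalize_expire "10-27-68"
normalize_expire "10-27-69"
```

A two-digit year of 69 or later resolves to the 20th century, so a script that builds -e values should pass a four-digit year.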
-f inactive
This option is only for use on systems running in enhanced security
mode and specifies the number of days that can elapse before an
inactive account is locked automatically. A value of 0 means there
is no limit. The default value is 0.
The default value for new accounts can be set by combining this
option with the -D option.
-g group
The account holder's primary group. The group argument can be
specified as an existing group's identification number (GID) or
character-string name.
The default value for new accounts can be set by combining this
option with the -D option.
-G group[,group...]
The user's secondary groups. This option is a comma separated list
of groups that defines the supplementary group membership for a new
user. Groups can be specified by the group's name or by its group
identification number (GID). An error is displayed for each group
that does not exist. Duplicate groups are ignored. See the
RESTRICTIONS section for more information.
-H home_dir
The path name of the home directory location. The path name is
combined with the login name to form the user's home directory. The
-m option must be specified to create the user's home directory.
-m Creates the new user's home directory if it doesn't already exist.
If the directory already exists, it must have read, write and
execute permissions by group, where group is the user's primary
group. See also the -d and -H options.
-p Indicates that you want to supply a password. You will be prompted
to enter the password, which will not be echoed to the screen.
After entering a password, you will be prompted to verify it by
entering it a second time.
-P Creates a PC account only. This account is usable in an environment
using the Advanced Server for UNIX (ASU). See the RESTRICTIONS
section for additional information.
-s shell
Specifies the full path name of the program used as the user's
login shell. The shell argument must be a valid executable file.
The default value for new accounts can be set by combining this
option with the -D option. If no default shell has been set, the login
shell for new users will be /bin/sh.
-t type Adds a local plus (+) or local minus (-) NIS user from the user
database. The value of the type parameter can be + or -.
-u uid Specifies the user identification number (UID) of the new user. The
uid must be specified as a non-negative decimal integer.
-o Allows a user identification (UID) number to be duplicated (non-
unique). This option can be used only with the -u option.
-x extended_option [extended_option...]
Extended options are of the form attribute=value. You may enter any
number of extended options (within the character limit of the
command line) by separating each option with a space.
Alternatively, they may be entered separately following the -x
switch. Note that some extended options are only available under
specific system environments.
A valid command string for extended options is:
% useradd -D -g 22 -b /home -x distributed=0
The following extended options are available:
local=0|1
Indicates that the account is local. This value can be set
as a default with the -D option and is incompatible with
the distributed option. If local is set to 1, distributed
is automatically set to 0.
distributed=0|1
Indicates that the account is a NIS user account. This
value can be set as a default with the -D option and is
incompatible with the local option. If distributed is set
to 1, local is automatically set to 0. You must be on the
NIS master to add a NIS user.
administrative_lock_applied=0|1
Indicates whether the account is to be locked by the system
administrator. If set to 0, the account is not locked. If
set to 1 (the default), the account is explicitly locked
and the user cannot log in to the system.
The following extended_option attributes are available only on
systems running in enhanced security mode.
passwd_expire_time=n
Specifies the time, in days, between the last password
change and the password expiration. (A new password must be
chosen.)
passwd_expire_date=date_string
The date on which the current password will expire. See the
-e option for a list of valid date formats.
passwd_choose_own=0|1
Allows the user to choose his or her own password.
passwd_run_generator=0|1
Forces the automatic password generator to run.
passwd_generated_length=n
Sets the maximum number of characters for generated
passwords.
passwd_checked_for_obviousness=0|1
Forces the automatic password checker to run.
passwd_min_change_time=n
Sets the minimum number of days that can elapse before a
password can be changed.
passwd_lifetime=n
Sets the maximum number of days that can elapse before the
password must be changed by the user.
passwd_must_change=0|1
Forces a password change.
passwd_min_length=n
Sets the minimum number of characters in a password.
passwd_max_length=n
Sets the maximum number of characters in a password.
passwd_history_limit=n
Sets the maximum number of times a password must change
before it can be reused.
logon_hours=time-string
Sets the days of the week and hours of the day during which
the account holder can log in to the account. The time
string format is an entry of Dd0000-0000 for each day and
time that logins are enabled. Time is given in a 24-hour
clock format. For example, to restrict logins to Sunday,
Monday and Wednesday:
Su0830-1730,Mo0830-1730,We0830-1730
The hours are restricted to 8:30AM to 5:30PM.
account_expiration=date_string
Specifies a date on which logins will be disabled
automatically.
account_lifetime=n
Specifies a date on which the account will expire and will
be retired automatically.
account_inactive=n
Specifies the number of days that can elapse before an
inactive account is locked automatically.
max_login_attempts=n
Specifies the number of failed login attempts that can
occur before an account is locked automatically.
grace_limit=n
When an account becomes disabled because of an expired
password, break-in evasive action, or exceeded login
interval, a grace period provides an interval during which
the disabling condition is overridden and the user may log
in. This successful login will automatically clear the
disabling condition and the grace limit. Note that this
does not unlock an account that has been administratively
locked or that has expired. The grace limit specifies the
number of days, starting immediately, that the user has to
log in and re-enable the account.
template=template_name
Specifies the template name to provide default enhanced
security features for users.
The following extended_option attributes are available for creating
PC accounts that can be assigned to client PC users on systems
running ASU:
pc_username=name_string
The user account name on the PC. This can be identical to
the user's UNIX account, or it can map to a shared account.
See the System Administration Guide for more information on
account mapping. See the RESTRICTIONS section for more
information.
pc_unix_username=login_name
The backing UNIX account name. If no name is entered it
will be the same as the PC user account name. See the
RESTRICTIONS section for more information.
pc_fullname=text_string
The full name of the user or a description of the account.
pc_comment=text_string
A brief description of the account that is modifiable only
by the administrator.
pc_usercomment=text_string
A brief description of the account. This string can be
changed by the user.
pc_homedir=pathname
The path to the user's home directory, specified as an ASU
share format.
pc_primary_group=group
The primary ASU group (domain) to which the user belongs.
pc_secondary_groups=group[,group...]
The secondary ASU groups (domains) to which the user
belongs. This value is specified as a comma-delimited
list.
pc_logon_workstations=client_name
A list of client host systems from which the user can log
on. This value is specified as a comma-delimited list, and
a null value (" ") means that the user can log on from all
workstations.
pc_logon_script=pathname
The directory where the default login script is located.
This directory is created during ASU configuration.
pc_account_type=local|global
Specifies whether the PC account is a local or global
account in the ASU domain.
pc_account_expiration=date_string
Specifies the date on which the account will expire and
logins will be prevented.
pc_logon_hours=Dd0000-0000[,Dd0000-0000...]
Specifies the days of the week and hours of the day during
which logins will expire and logins will be permitted or
denied. See logon_hours for details of the string format.
pc_user_profile_path=pathname
Specifies the pathname to the default user profile
directory.
pc_disable_account=0|1
Specifies whether the account is locked, disabling logins.
pc_passwd
A text string that will be the initial account password.
Note that you must precede the pc_passwd option with the -x
option. Then you will be prompted to enter a password, and
then prompted to confirm the entry. The password will not
be echoed to the display.
pc_passwd_choose_own=0|1
Controls whether the user can set his or her own password.
pc_passwd_change_required=0|1
Forces password change during the initial login.
pc_forced_logoff=n_seconds
Specifies a forced log off when the user's account or logon
time expires. If there is a live server connection when the
time expires, and this value is set to 1, the connection
will be dropped. This option is only available with the -D
option to change the default setting. A value of -1
specifies never, meaning that the user is not disconnected.
The account expires after the user logs off.
pc_synchronize=0|1
Create synchronized PC accounts if ASU is installed. You
cannot use the pc_synchronize option if the -P option is in
use. See the RESTRICTIONS section for additional
information.
This option can be specified as a default or on the command
line in combination with the -D option to set the default
value.
pc_min_passwd_age=n
Specifies the minimum number of days that can elapse before
a password can be changed by the user. This option is only
available with the -D option to change the default setting.
pc_max_passwd_age=n
Specifies the maximum number of days that can elapse before
a password must be changed by the user. This option is only
available with the -D option to change the default setting.
pc_passwd_min_length=n
Specifies the minimum number of characters in a valid
password string. This option is only available with the -D
option to change the default setting.
pc_passwd_uniqueness=n
Forces validation of the password for uniqueness. This
option is only available with the -D option to change the
default setting. This option is equivalent to the
passwd_history_limit option.
login Specifies the new login name of the user. There are restrictions,
described below, on the length and allowable characters in the
login name.
DESCRIPTION
The useradd command is part of a set of command-line interfaces (CLI) that
are used to create and administer user accounts on the system. When the
Advanced Server for UNIX (ASU) is installed and running, the useradd
command can also be used to create and administer PC accounts, including
synchronized creation of PC accounts whenever a UNIX account is created.
Accounts can also be created with the /usr/bin/X11/dxaccounts graphical
user interface (GUI) or the sysman(8) Accounts menu.
Different options are available depending on how the local system is
configured:
· In the default UNIX environment, user account management is compliant
with the IEEE POSIX Standard P1387.3.
· If enhanced (C2) security is configured, additional options and
extended options can be used.
· The CLI is backwards-compatible, so all existing local scripts will
function. However, you should consider testing your legacy account
management scripts before use.
Invoking useradd without the -D option adds a new user entry to the user
database. It also creates supplementary group memberships for the user if
requested with the -G option, and creates the home directory for the user
if requested with the -m option.
Invoking useradd -D with no additional options displays the system default
values that are used when creating a new login account.
The -x options local and distributed let the system administrator specify
whether the new user is local or distributed by NIS. If these options are
not specified on the command line, the system adds the new user to the
appropriate database as specified by the system defaults. System defaults
for users may be set with the usermod -D option. In the absence of any
defaults, useradd creates a local user. Certain combinations of these
settings are incompatible and produce an error: it is invalid to set both
of these values to 0 or both of them to 1.
If the user identification number (UID) is not specified, it defaults to
the next available (unique) number. The number is the next available UID
greater than minUID. The value nextUID specifies the next UID to use. If
not available, the next available UID greater than nextUID is used.
When NIS is available, the new user may be given secondary group
memberships with the -G option in more than one type of group. The indicated
groups are sought first in the database that is of the same type as the
user. If not found, the alternate database is checked. If the group is not
found in either database, a warning is issued but the account is created.
The user database file entries created with useradd cannot exceed 512
characters per line for local and NIS accounts. Specifying long arguments
to several options may exceed this limit.
RESTRICTIONS
Note the following restrictions that apply to this release:
You must have superuser privilege to execute this command.
Certain characters that have special meaning for the shells are not allowed
in the login name. This list includes $@/[]:;|=,*?<>(){}"'`#, backslash
(\), and white space (space, tab, newline, form-feed, return). In addition,
the first character of the new login name cannot be one of +-!~.
The maximum length of the login name is 8 characters in this release.
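Added example (not part of the original reference page): a POSIX shell pre-flight check that applies the login-name restrictions above before a provisioning script hands a name to useradd. The function names and verdict strings are hypothetical, and rejecting an empty name is an assumption based on login being a required argument.

```shell
# Added example, not from the useradd page. Function names are hypothetical.

# Print a verdict for one candidate login name; return 0 only for "ok".
check_login() {
    name=$1
    tab=$(printf '\t'); ff=$(printf '\f'); cr=$(printf '\r')
    nl='
'
    # Assumption: an empty name is rejected because login is required.
    [ -n "$name" ] || { echo "empty"; return 1; }
    # Maximum length of the login name is 8 characters in this release.
    [ "${#name}" -le 8 ] || { echo "too long"; return 1; }
    # The first character cannot be one of + - ! ~
    case $name in
        '+'*|'-'*|'!'*|'~'*) echo "bad first character"; return 1 ;;
    esac
    # Each forbidden character is a quoted literal, so none of them is
    # interpreted as a pattern metacharacter by the shell itself.
    case $name in
        *'$'*|*'@'*|*'/'*|*'['*|*']'*|*':'*|*';'*|*'|'*|*'='*|*','*|\
        *'*'*|*'?'*|*'<'*|*'>'*|*'('*|*')'*|*'{'*|*'}'*|*'"'*|*"'"*|\
        *'`'*|*'#'*|*'\'*)
            echo "shell metacharacter"; return 1 ;;
        *" "*|*"$tab"*|*"$nl"*|*"$ff"*|*"$cr"*)
            echo "white space"; return 1 ;;
    esac
    echo "ok"
}

# Screen a batch of candidates, one per line on stdin.
# Output is "name<TAB>verdict" for each line.
screen_logins() {
    while IFS= read -r candidate; do
        printf '%s\t%s\n' "$candidate" "$(check_login "$candidate")"
    done
}

# Constructed sample input, for illustration only.
printf '%s\n' 'newuser' 'ops;id' '+nisuser' 'temporary1' | screen_logins
```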
-P option
When creating PC only accounts, the PC account will be backed to
the UNIX account lmworld. This account must exist when adding PC-
only accounts. The lmworld account is created when the ASU is
installed.
When the -P option is used, the specified login is the PC account
name. When the -P option is not used, the specified login is the
UNIX account name. When the extended option pc_synchronize is used,
the specified login is the UNIX account name.
pc_unix_username extended option
The extended attribute pc_unix_username can only be used when the
-P option is specified on the command line. This extended option is
used to specify a UNIX account name when creating or modifying a PC
account.
pc_username extended option
The extended attribute pc_username cannot be used when the -P
option is specified on the command line. It is used to specify a PC
account name when creating or modifying a UNIX account.
pc_synchronize extended option
The pc_synchronize option cannot be used with the -P option.
Distributed accounts can only be added or modified on NIS servers.
Note that restrictions also apply when modifying existing account
attributes. Refer to the usermod(8) reference page for more information.
EXIT STATUS
The useradd command exits with one of the following values:
0 Success.
1 Failure.
2 Warning.
EXAMPLES
1. The following example adds the user, newuser, to the user database:
% useradd newuser
2. The following example enables synchronized PC accounts, and the second
command adds a user Contractor1 who will then have both a UNIX and a
PC account using the system default account setup options:
% usermod -D -x pc_synchronize=1
% useradd -x pc_logon_workstations=sofdev Contractor1
3. The following example adds the user, newuser, to the user database
with user id of 451:
% useradd -u 451 newuser
4. The following example adds the user, newuser, using the next available
UID with csh as the login shell. It creates the user's home directory
/home_dir/newuser, where /home_dir is the default location for
creating home directories:
% useradd -m -s /bin/csh newuser
5. The following example adds the local user, xyz, that overrides the
default home directory in the NIS master database:
% useradd -t + -d /users/xyz xyz
6. The following example changes the default base directory to
/user/users1 for all new users:
% useradd -D -b /user/users1
7. The following example adds the new user, xyz, to the NIS master
database:
% useradd -x distributed=1 xyz
8. The following example adds the new PC user, Contractor1, sets logon
hours and the logon system:
% useradd -P -x \
pc_logon_hours=Mo0900-2300,We0900-2300 \
pc_logon_workstations=sofdev Contractor1
9. The following example adds the new PC user, Contractor1, supplying the
PC password:
% useradd -P -x pc_passwd Contractor1
New PC password:
Retype new PC password:
FILES
The useradd command operates on the appropriate files for the specific
level of system security.
SEE ALSO
Commands: groupadd(8), groupdel(8), groupmod(8), passwd(1), userdel(8),
usermod(8)
Manuals: System Administration, Security, Advanced Server for UNIX
Installation and Administration