usermod - Modifies a user's login information on the system.
/usr/sbin/usermod [-u uid[-o]] [-l login_name] [-g group] [-G
group[,group...]] [-c comment] [-d dir [-m]] [-s shell] [-e expire] [-f
inactive] [-t type] login
/usr/sbin/usermod [-c comment] [-d dir [-m]] [-g group] [-G
group[,group...]] [-H home_dir] [-p] [-l login_name] [-P] [-s shell] [-t
type] [-u uid[-o]] [-x extended_option] login
/usr/sbin/usermod -D [-g group] [-s shell] [-d dir] [-e expire]
[-f inactive] [-x extended_option]
-c comment Modifies the description of the account, currently used as
the field for the user's full name in the user database file. The
comment argument can be any text string. If the text string contains
spaces, enclose the string in quotes.
-H home_dir Sets the pathname of the user's home directory location. The
pathname is combined with the login name to form the full path of the
home directory. The -H option cannot be used with the -d option,
but see also the -m option.
-d dir Specifies the full path to the home directory where the user
account resides. If not specified, dir defaults to home_dir/login,
where home_dir is the default directory for user login accounts and
login is the name of the new login account. The -d option cannot be
used with the -H option, but see also the -m option.
-m Moves the user's home directory to the new location. This option
must be combined with either the -H or -d options.
-p Indicates that you want to supply a password. You are prompted to
enter the password, which is not echoed to the screen. After entering
a password, you are prompted to verify it by entering it a
-P Modify a PC account created by useradd with this switch. This
account is usable in an environment with the Advance Server for
-D Displays and sets the default values used by the account management
utilities for user and group information.
When used without arguments, this flag displays the default values.
If invoked with any combination of the flags listed by the usermod
-D command, it sets the default values for those flags. Subsequent
invocations of usermod use these new defaults. For example, in the
POSIX environment, the following command sets the group to be project,
the account to be local and the minimum UID to be 300 for any
new account that is subsequently created:
# usermod -D -g project -x local=1 min_uid=300
-e expire This option is only for use on SVE systems running in enhanced
security mode and is useful for creating temporary logins. The
value of the expire argument is a date. See the useradd(8) reference
page for a list of valid date formats. A blank value ("")
defeats the status of the expired date. Set the extended option -x
account_expiration for the default value. Note that if a two-digit
year is specified, and the number is >=69 and <=99, the year is
assumed to be 19** (20th century). Otherwise the year is assumed to
be 20** (21st century).
-g group Changes the account holder's primary group. The group argument
can be specified as an existing group's identification number (GID) or
character-string name. You can use the -D option to set the default
primary group for new logins.
-G group[,group...] Modifies the user's secondary groups. This option is
a comma-separated list of groups that defines the supplementary group
membership for the user. This is a replacement operation that will add
or remove the user from supplementary groups as necessary. All the
groups in which membership is desired must be listed. Groups can be
specified by the group's name or by group identification number (GID).
An error is displayed for each group that does not exist. Duplicate
groups are ignored.
-l login_name Changes the user's login name. The login name has the same
restrictions as described for new users in useradd(8).
-s shell Modifies the user's login shell. It specifies the full pathname
of the program used as the user's login shell. The shell argument must
be a valid executable file. When used with the -D option, -s
defines the system default.
-t type Changes user's account type to local plus (+) or local (-) NIS user
in the user database. The value of the type parameter can be + or
-u uid Modifies the user identification number (UID) of the new user. The
uid must be specified as a non-negative decimal integer.
-o When modifying a UID, allows a user identification (UID) number to
be duplicated (non-unique). This option can be used only with the
-x extended_option [extended_option]...
Extended options are of the form attribute=value. You may enter
any number of extended options (within the character limit of the
command line) by separating each option with a space. Alternatively,
they may be entered separately following the -x switch.
Note that some extended options are only available under specific
The following sets of extended_option attributes are available. You can
enter any number of options (within the character limit of the command
line) by separating each option with a space. Alternatively,
they may be entered separately following the -x switch. Note that
some extended options are only available under specific system
To review the current defaults, use the following command:
A valid command string for extended options would be:
usermod -D -x distributed=1 next_UID=300 \
The following extended_option attributes are available:
Indicates whether the account is local. This value can be
set as a default with the -D option and is incompatible
with the distributed option. If local is set to 1, distributed
is automatically set to 0.
Indicates that the account is a NIS user account. This
value can be set as a default with the -D option and is
incompatible with the local option. If distributed is set
to 1, local option is automatically set to 0. You must be
on the NIS master to modify a NIS user.
Specifies the minimum UID value. This value can only be set
as a default with the -D option.
Specifies the maximum UID value. This value can only be set
as a default with the -D option.
Specifies the next sequential unassigned UID. This value
can only be set as a default with the -D option.
Allows the UID to be a duplicate of an existing UID. This
value can only be set as a default with the -D option.
Specifies the parent directory where home directories will
be created by default, such as /usr/users. This option can
only be used with the -D option to set a default.
Specifies the directory where skeleton files reside. Files
in this directory are copied to new home directories when
they are created. This option can only be used with the -D
option to set a default.
Specifies the maximum number of groups to which a user can
belong. This value can only be set as a default with the -D
Specifies the hashed password database. This value can only
be set as a default with the -D option.
Locks the account. A value of 1 locks the specified
account, and a value of 0 will unlock it. The default is 1.
The following extended_option attributes are available only on
systems running in enhanced security mode:
Specifies the time, in days, between the last password
change and the password expiration. (A new password must be
chosen.) The value of n must be an integer. If the value of
the passwd_expiration_time attribute is set to 0, there is
no password expiration time.
Specifies the time, in days, between the last password
change and the expiration of the account. The value of n
must be a non-negative integer. If the passwd_lifetime
attribute is set to 0, the password lifetime is infinite.
Specifies the time, in days, which must pass before a user
can change the user account password. The value of n must
be a non-negative integer. A value of 0 means there is no
minimum time to change the user account password.
The date on which the current password will expire. See
the -e option for a list of valid date formats.
Allows the user to choose his or her own password.
Forces the automatic password generator to run.
Sets the maximum number of characters for generated pass-
Forces the automatic password checker to run.
Forces a password change.
Sets the minimum number of characters in a password.
Sets the maximum number of characters in a password.
Sets the number of times that the password must be changed
before a password can be reused.
Sets the days of the week and hours of the day during which
the account holder can log in to the account. The time
string format is an entry of Dd0000-0000 for each day and
time that logins are enabled. Time is given in a 24-hour
clock format. For example, to restrict logins to Sunday,
Monday and Wednesday:
The hours are restricted to 8:30AM to 5:30PM.
Specifies a date on which logins will be disabled automati-
Specifies a date on which the account will expire and will
be retired automatically.
Specifies the number of days that can elapse before an
inactive account is locked automatically.
Specifies the number of failed login attempts that can
occur before an account is locked automatically.
When an account becomes disabled because of an expired
password, break-in evasive action, or exceeded login interval,
a grace period provides an interval during which the
disabling condition is overridden and the user may log in.
This successful login will automatically clear the disabling
condition and the grace limit. Note that this does
not unlock an account that has been administratively locked
or that has expired. The grace limit specifies the number
of days, starting immediately, that the user has to log in
and re-enable the account.
Specifies the template name to provide default enhanced
security features for users.
The following extended_option attributes are available for PC group
administration if the Advanced Server for UNIX (ASU) is configured
The user account name on the PC. This can be identical to
the user's UNIX account, or it can map to a shared account.
See the System Administration Guide for more information on
The backing UNIX account name. If no name is entered, it
will be the same as the PC user account name.
The full name of the user or a description of the account.
A brief description of the account that is modifiable only
by the administrator.
A brief description of the account. This string can be
changed by the user.
The path to the user's home directory, specified as an ASU
The primary ASU group (domain) to which the user belongs.
The secondary ASU groups (domains) to which the user
belongs. This value is specified as a comma-delimited list.
A list of client host systems from which the user can log
on. This value is specified as a comma-delimited list and a
null value (" ") means that the user can log on from all
The directory where the default logon script is located.
This directory is created during ASU configuration.
Specifies whether the PC account is a local or global
account in the ASU domain.
Specifies the date on which the account will expire and
logins will be prevented.
Specifies the days of the week and hours of the day during
which logins will expire and logons will be permitted or
denied. See logon_hours for details of the string format.
Specifies the pathname to the default user profile direc-
Specifies whether the account is locked, disabling logins.
A text string that will be the initial account password.
Note that you must precede the pc_passwd option with the -x
option and you will be prompted to enter a password and
then confirm the entry. The password will not be echoed to
Controls whether the user can set their own password.
Forces password change during the initial login.
Specifies a forced log off when the user's account or logon
time expires. If there is a live server connection when the
time expires, and this value is set to 1, the connection
will be dropped. This option is only available with the -D
option to change the default setting. A value of -1 specifies
never, meaning that the user is not disconnected. The
account expires after the user logs off.
Sets the PC synchronized status to off (0) or on (1).
Specifies the minimum number of days that can elapse before
a password can be changed by the user. This option is only
available with the -D option to change the default setting.
Specifies the maximum number of days that can elapse before
a password must be changed by the user. This option is only
available with the -D option to change the default setting.
Specifies the minimum number of characters in a valid
password string. This option is only available with the -D
option to change the default setting.
Forces validation of the password for uniqueness. This
option is only available with the -D option to change the
default setting. This option is equivalent to the
login Specifies the new login name of the user. You cannot specify a new
login name for PC users. Refer to the Advanced Server for UNIX
(ASU) documentation for more information.
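The -G option described above replaces the whole supplementary group list, so changing one membership means rebuilding the list from the user's current groups. The helper below is an added example, not part of the original reference page; build_group_list and the group names are hypothetical, and the current list is passed in as an argument (for instance from id -Gn) so the block runs without touching any account.

```shell
#!/bin/sh
# Added example: build the complete list for "usermod -G", which replaces
# (not appends to) a user's supplementary groups.
# build_group_list is a hypothetical helper name; group names are constructed.
#   $1 = current supplementary groups (comma- or space-separated)
#   $2 = groups to add      (may be empty)
#   $3 = groups to remove   (may be empty)
build_group_list() {
    printf '%s %s\n' "$1" "$2" | tr ', ' '\n\n' |
    awk -v drop="$3" '
        BEGIN {
            n = split(drop, d, /[ ,]+/)
            for (i = 1; i <= n; i++) if (d[i] != "") rm[d[i]] = 1
        }
        # keep each remaining group once, in first-seen order
        $0 != "" && !($0 in rm) && !seen[$0]++ {
            out = out (out == "" ? "" : ",") $0
        }
        END { print out }'
}

# Constructed sample: abc is in staff,dev,ops; add audit, drop ops.
current="staff,dev,ops"
new_list=$(build_group_list "$current" "audit dev" "ops")

# Print the command for review instead of running it.
echo "usermod -G $new_list abc"
```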
The usermod command is part of a set of command-line interfaces (CLI) that
are used to create and administer user accounts on the system. When the
Advanced Server for UNIX (ASU) is installed and running, the usermod
command can also be used to administer Windows NT domain (PC) accounts,
including simultaneous (synchronized) modification of PC accounts or
modifications to PC accounts alone. Accounts can also be modified with the
/usr/bin/X11/dxaccounts graphical user interface (GUI) or the sysman(8)
Different options are available depending on how the local system is con-
+ In the default UNIX environment, user account management is compliant
with the IEEE POSIX Standard P1387.3-1996.
+ If enhanced (C2) security is configured, additional options and
extended options can be used.
+ The CLI is backwards-compatible, so all existing local scripts will
function. However, you should consider testing your account management
scripts before use.
The usermod command modifies a user's login definition on the system and
makes the login-related changes in the appropriate system files determined
by the current level of security.
The system file entries modified with this command have a limit of 512
characters per line. Specifying long arguments to several options may
exceed this limit.
The -x options local and distributed let the system administrator specify
whether the user being modified is local or distributed by NIS. If these
options are not specified on the command line, the system modifies the user
in the appropriate database as specified by the system defaults. System
defaults for users may be set with the usermod -D option. In the absence of
any defaults, usermod modifies a local user. Certain combinations of these
settings are incompatible and produce an error: it is invalid to set both
values to 0 or both of them to 1.
Note the following restrictions that apply to this release:
You must have superuser privilege to execute this command.
When creating or modifying PC only accounts, the PC account will be
backed to the UNIX account lmworld. This account must exist when
adding PC only accounts. The lmworld account is created when the
ASU kit is installed.
When modifying a synchronized PC and UNIX account that has different
UNIX and PC account names, the following conditions apply:
+ If the -P flag is specified, pc_unix_username specifies the
UNIX account and the specified login is the PC account.
+ If the -P flag is not given, pc_username specifies the PC
account and the specified login is the UNIX account.
pc_unix_username extended option
The extended attribute pc_unix_username can only be used when the
-P option is specified on the command line. This extended option is
used to specify a UNIX account name when creating or modifying a PC
pc_username extended option
The extended attribute pc_username cannot be used when the -P
option is specified on the command line. It is used to specify a PC
account name when creating or modifying a UNIX account.
pc_synchronize extended option
The pc_synchronize option cannot be used with the -P option.
The usermod command exits with one of the following values:
1. The following example changes the UID of the user, newuser, to 451 in
the user database:
% usermod -u 451 newuser
2. The following example changes the home directory of the user, xyz, to
/users/xyz, and moves the files from the user's current directory to
the new directory:
% usermod -d /users/xyz -m xyz
3. The following example unlocks a user account that has been administra-
% usermod -x administrative_lock_applied=0 username
4. The following example gives a one day grace period during which a user
may log in to an account that has been disabled:
% usermod -x grace_limit=1 username
5. The following example changes the login shell of the user, abc, in the
NIS master database on the system where the command is executed:
% usermod -s /bin/csh -x distributed=1 abc
6. The following example changes the user's login name from abc to xyz:
% usermod -l xyz abc
7. The following example shows a typical output of default settings using
the -D option alone:
% usermod -D
Local = 1
Distributed = 0
Minimum User ID = 12
Next User ID = 200
Maximum User ID = 4294967293
Duplicate User ID = 0
Use Hashed Database = 0
Max Groups Per User = 32
Base Home Directory = /usr/users
Administrative Lock = 1
Primary Group = users
Skeleton Directory = /usr/skel
Shell = /bin/sh
Synchronized UNIX/PC Accts = 0
PC Minimum Password Length = 8
PC Minimum Password Age = 30
PC Maximum Password Age = 90
PC Password Uniqueness = 1
PC Force Logoff After = 4294967295
8. The following example changes the primary group of the user, abc, to
% usermod -g 15 abc
9. The following example enables the creation of synchronized PC accounts
and sets the minimum user ID (UID) and the next user ID to be used:
% usermod -D -x pc_synchronize=1 \
10. The following example applies to the user's PC account only. It
unlocks the account and sets the allowed logins from 8:00 AM to 11:00
PM on Monday:
% usermod -P -x pc_disable_account=0 \
11. The following example shows how to modify a PC user's password:
% usermod -P -x pc_passwd StudentB
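The defaults printed by usermod -D in example 7 can be checked mechanically. The script below is an added example, not part of the original reference page: it parses that Label = value layout and reports defaults that weaken account policy; the thresholds, function names and the second sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak account defaults in "usermod -D" output.
# Labels come from the sample output on this page; the thresholds and the
# function names are assumptions for illustration.
MIN_PW_LEN=8     # assumed site minimum for PC password length
MAX_PW_AGE=90    # assumed site maximum for PC password age, in days

audit_defaults() {
    awk -F' *= *' -v minlen="$MIN_PW_LEN" -v maxage="$MAX_PW_AGE" '
        NF >= 2 { k = $1; sub(/^[ \t]+/, "", k); v[k] = $2 + 0 }
        END {
            # test "k in v" first so a missing line is never reported
            k = "Duplicate User ID"
            if ((k in v) && v[k] != 0) print k ": non-unique UIDs allowed by default"
            k = "Administrative Lock"
            if ((k in v) && v[k] == 0) print k ": default lock value is 0 (unlocked)"
            k = "PC Minimum Password Length"
            if ((k in v) && v[k] < minlen + 0) print k ": " v[k] " is below " minlen
            k = "PC Maximum Password Age"
            if ((k in v) && v[k] > maxage + 0) print k ": " v[k] " is above " maxage
            k = "PC Password Uniqueness"
            if ((k in v) && v[k] == 0) print k ": uniqueness validation is off"
        }'
}

# Relevant lines copied from the sample output in example 7.
page_defaults() {
    cat <<'EOF'
Duplicate User ID = 0
Administrative Lock = 1
PC Minimum Password Length = 8
PC Maximum Password Age = 90
PC Password Uniqueness = 1
EOF
}

# Constructed sample with three weakened defaults.
weak_defaults() {
    cat <<'EOF'
Duplicate User ID = 1
Administrative Lock = 0
PC Minimum Password Length = 4
PC Maximum Password Age = 90
PC Password Uniqueness = 1
EOF
}

# On a live system the input would be:  usermod -D | audit_defaults
weak_defaults | audit_defaults
```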
The usermod command operates on the appropriate files for the specific
level of system security.
Commands: groupadd(8), groupdel(8), groupmod(8), useradd(8), userdel(8)
Manuals: System Administration, Security, Advanced Server for UNIX
Installation and Administration