useradd Command

Purpose

Creates a new user account.

Syntax

useradd [ -c comment ] [ -d dir ] [ -e expire ] [ -g group ] [ -G group1,group2 ... ] [ -m [ -k skel_dir ] ] [ -u uid ] [ -s shell ] [ -r role1,role2 ... ] login

Description

The useradd command creates a new user account. The login parameter must be a unique string (its length is can be configured by administrators using the chdev command). You cannot use the ALL or default keywords in the user name.

The useradd command does not create password information for a user. It initializes the password field with an asterisk (*). Later, this field is set with the passwd or pwdadm command. New accounts are disabled until the passwd or pwdadm commands are used to add authentication information to the /etc/security/passwd file.

The useradd command always checks the target user registry to make sure the ID for the new account is unique to the target registry. The useradd command can also be configured to check all user registries of the system using the dist_uniqid system attribute. The dist_uniqid system attribute is an attribute of the usw stanza of the /etc/security/login.cfg file, and can be managed using the chsec command.

The dist_uniqid system attribute has the following values:
never
Does not check for ID collision against the nontarget registries. This is the default setting.
always
Checks for ID collision against all other registries. If collision is detected between the target registry and any other registry, account creation or modification fails.
uniqbyname
Checks for ID collision against all other registries. Collision between registries is allowed only if the account to be created has the same name as the existing account.
Note: ID collision detection in the target registry is always enforced regardless of the dist_uniqid system attribute.

The uniqbyname system attribute setting works well against two registries. With more than two registries, and with ID collision already existing between two registries, the behavior of the useradd command is unspecified when creating a new account in a third registry using colliding ID values. The new account creation might succeed or fail depending on the order in which the registries are checked.

The check for ID collision only enforces ID uniqueness between the local registry and remote registries, or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems that make use of the same remote registry. The useradd command bypasses a remote registry if the remote registry is not reachable at the time the command is run.

Flags

Item Description
-c comment Supplies general information about the user specified by the login parameter. The comment parameter is a string with no embedded colon (:) characters and cannot end with the characters '#!'.
-d dir Identifies the home directory of the user specified by the login parameter. The dir parameter is a full path name.
-e expire Identifies the expiration date of the account. The expire parameter is a 10-character string in the MMDDhhmmyy form, where MM is the month, DD is the day, hh is the hour, mm is the minute, and yy is the last 2 digits of the years 1939 through 2038. All characters are numeric. If the expire parameter is 0, the account does not expire. The default is 0. See the date command for more information.
-g group Identifies the user's primary group. The group parameter must contain a valid group name and cannot be a null value.
-G group1,group2,... Identifies the groups the user belongs to. The group1,group2,... parameter is a comma-separated list of group names.
-k skel_dir Copies default files from skel_dir to user's home directory. Used only with -m flag.
-m Makes user's home directory if it does not exist. The default is not to make the home directory.
-r role1,role2,... Lists the administrative roles for this user. The role1,role2,... parameter is a list of role names, separated by commas.
-s shell Defines the program run for the user at session initiation. The shell parameter is a full path name.
-u uid Specifies the user ID. The uid parameter is a unique integer string. Avoid changing this attribute so that system security will not be compromised.

Exit Status

Item Description
0 The command completed successfully.
>0 An error occurred.

Security

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To create the davis user account with default values, enter:
    useradd davis

Restrictions

To prevent login inconsistencies, avoid composing user names entirely of uppercase alphabetic characters. While the useradd command supports multibyte user names, restrict user names to characters with the POSIX-portable filename character set.

To ensure that your user database remains uncorrupted, you must be careful when naming users. User names must not begin with a hyphen (-), plus sign (+), at sign (@), or tilde (~). You cannot use the keywords ALL or default in a user name. Additionally, do not use any of the following characters within a user-name string:
Item Description
: Colon
" Double quote
# Pound sign
, Comma
= Equal sign
\ Back slash
/ Slash
? Question mark
' Single quote
ˋ Back quote

Finally, the login parameter cannot contain any space, tab, or newline characters.

Location

/usr/sbin/useradd

Files

The useradd command has read and write permissions to the following files.

Item Description
/etc/passwd Contains the basic attributes of users.
/etc/security/user Contains the extended attributes of users.
/etc/security/user.roles Contains the administrative role attributes of users.
/etc/security/limits Defines resource quotas and limits for each user.
/etc/security/environ Contains the environment attributes of users.
/etc/security/audit/config Contains audit configuration information.
/etc/security/lastlog Contains the last login attributes of users.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.