AIX User and Group Administration

10/29/13
developerWorks
AIX user and group administration
Technical topics
AIX and UNIX
Technical library

Dive into the configuration files behind users and groups in IBM AIX, as well as command-line tools designed to help
manage the users and groups easily.
Adam Cormany is currently the manager of the National Data Center, but he has also been a UNIX systems engineer, a UNIX administrator, and
operations manager for Scientific Games Corporation. Adam has worked extensively with AIX as well as in Solaris and Red Hat Linux
administration for more than 10 years. He is an IBM eServer-Certified Specialist in pSeries AIX System Administration. In addition to
administration, Adam has extensive knowledge of shell scripting in Bash, CSH, and KSH as well as programming in C, PHP, and Perl. You can
reach him at acormany@yahoo.com.
15 September 2009
Also available in Chinese Russian
Administering users and groups in IBM AIX is an essential part of an administrator's duties. You can
manage users and groups in many different ways: You can maintain them through the AIX System
Management Interface Tool (SMIT), manually editing the configuration files, or by using command-line
commands. This article discusses the configuration files behind users and groups on AIX, as well as
command-line tools designed to help manage the users and groups easily.
Learn the files first, then the commands

Before going into the commands to create, modify, and maintain users and groups in AIX, it is important
that you know what is happening behind the scenes. For example, you should understand the files and what
they mean.
Look at the some of the files that affect the user itself:
/etc/passwd
/etc/security/.profile
/etc/security/limits
/etc/security/passwd
/etc/security/user
/usr/lib/security/mkuser.default
/etc/passwd
Commands in AIX
The file /etc/passwd contains the basics of a user and is probably the
best-known file to UNIX and Linux users for user administration.
Listing 1 provides an example of an /etc/passwd file.
Keep in mind that the commands and

methods in this article should be used on
AIX systems that have local users and
groups in their configuration files. Some of
the commands, such as chuserand chgroup,
should not be used if the system is handling
users and groups from a remote source (for
example, Network Information System, or
NIS).
Listing 1. Example /etc/passwd file
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
www.ibm.com/developerworks/aix/library/au-aixuseradmin/
1/16
10/29/13
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
esaadmin:*:10:0::/var/esa:/usr/bin/ksh
sshd:*:206:201::/var/empty:/usr/bin/ksh
atc:!:8000:400:Adam Cormany,Sr UNIX Admin:/home/atc:/bin/ksh
amdc:!:8001:401:AMDC:/home/amdc:/bin/ksh
pac:!:8002:400:PAC,Jr UNIX Admin:/home/pac:/bin/ksh
atc2:!:8003:402:ATCv2:/home/atc2:/bin/ksh
As you can see, the file is colon (:) delimited, and each entry contains seven fields in the following format
(with spaces added before and after delimiter to ease reading):
Username : Password Flag : UID : GID : GECOS : Home : Shell/Command
Here's the line-by-line breakdown:

Username. This is the login/user name associated with the account.
Password Flag. This field varies slightly in different flavors of UNIX and Linux. In AIX, the second field can
contain one of two characters, either !or *. If the !is displayed, a password has been set for the user. If
no password has been set, *appears. The passwords themselves are stored in /etc/security/passwd.
UID. The User Identifier (UID) is a numeric identifier to a user.
GID. The Group Identifier (GID) is similar to the UID but is associated with groups. The GIDs are defined
in /etc/group.
GECOS. The General Electric Comprehensive Operating System (GECOS) information is stored in the
fifth field. The user's name, phone numbers, and other generic personal information are stored here.
Home. This is the user's home directory.
Shell/Command. Typically, the seventh and final field contains the shell that is started at the user's login.
Administrators can also change this field to execute other commands instead of shells to limit access (for
example, /bin/false).
/etc/security/.profile
The file /etc/security/.profile can really save you some valuable time and ease frustration. When you create
a user using the mkusercommand, the script /usr/lib/security/mkuser.sys is executed. This script creates
the user's directory, sets the correct permissions, and "creates" the user's .profile. The mkuser.sys script
actually copies the /etc/security/.profile file into the user's new home directory.
If you are building a new system, or maybe a new division of 100 people needs accounts on a system,
make sure you make your changes to the /etc/security/.profile file before creating all the users' accounts. If
you create the accounts and then realize that you need to make a simple change in a variable or modify
another setting, you're going to have to manually make the change to everyone's profile. It could be
scripted out easily, but life would have been much simpler if you would have just changed the
/etc/security/.profile.
Listing 2 provides an example /etc/security/.profile file.
Listing 2. Example /etc/security/.profile file
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.
export PATH
if [ -s "$MAIL" ]
then echo "$MAILMSG"
fi
# This is at Shell startup. In normal

# operation, the Shell checks
# periodically.
/etc/security/limits
The /etc/security/limits file contains all the ulimits, or users' system resource limitations. Table 1 defines
the fields in the /etc/security/limits file and their use.
2/16
10/29/13
Table 1. Fields in /etc/security/limits

Soft limit
Hard limit
fsize
fsize_hard
Description
Size of file a user can create
Size of core file a user can create
core
core_hard
cpu
cpu_hard
The amount of system time allowed
data
data_hard
stack
rss
stack_hard
rss_hard
nofiles
nofiles_hard
nproc
nproc_hard
Size of the process data segment

Size of the process stack segment
Physical memory allowed
Number of open file descriptors at one time
Number of running processes at one time
What's the difference between soft and hard limits? A soft limit is a value that a user or application can
change on the fly up to the maximum (the hard limit). The hard limit is just that -- the maximum value a
parameter can be set to. If setting the parameter to a numeric value is too difficult (for example, if a
developer has no idea how much memory his or her program is going to take or the number of files it will
need to open), you can set the parameter to -1, which translates to unlimited.
It isn't imperative that you set individual ulimits for each and every user, however. The /etc/security/limits
file contains a section called defaultthat defines a template of standard values for each user unless that
user has set custom values. If the defaultsection doesn't exist, IBM kindly set predetermined limits just in
case.
The IBM default values are:
*
*
*
*
*
*
*
*
*
Attribute
Value
==========
============
fsize_hard
set to fsize
cpu_hard
set to cpu
core_hard
-1
data_hard
-1
stack_hard
8388608
rss_hard
-1
nofiles_hard
-1
Listing 3 provides an example of a /etc/security/limits file.

Listing 3. Example /etc/security/limits file
default:
fsize = 4194303
core = 16384
cpu = -1
data = 262144
rss = 65536
stack = 65536
pac:
fsize = 131072
fsize_hard = 262144
core = 262144
Considering that user "pac" is a junior UNIX administrator, his fsizesoft value was reduced from the
defaultsection's 4,194,303 to 131,072; however, you were nice enough to allow the user to increase his
value to 262,144, if needed. Also, pac is notorious for finding ways to break his own programs. As a result,
you've increased his core ulimitto 262,144.
/etc/security/passwd
The /etc/security/passwd file contains the AIX user's password information. The file contains three fields
per user:
password. Encrypted password.
Note: If this field contains only an asterisk (*), the account is locked until a password has been set.
lastupdate. Number of seconds since epoch when the password was last updated.
flags. Restrictions to changing the user's password. You can set three different flags:
ADMIN. If set, only the root user can change the user's password.
3/16
10/29/13
ADMCHG. If set, the user is prompted to change his or her password on the next login/su.
NOCHECK. If set, any additional restrictions in /etc/security/user are ignored.
Listing 4 provides an example of a /etc/security/password file.
Listing 4. Example /etc/security/password file
amdc:
password = oBQaUkPkUryCY
lastupdate = 1243972006
flags = ADMCHG
In this example, user "amdc" has a password that was set on Tue. Jun. 2 15:46:46 EDT 2009. The next
time the user logs in or sus to amdc, he or she will be prompted to change the password.
If you're wondering how I converted the seconds from epoch to something a little more readable, I wrote a
Perl script. Here's the gist of that script:
# perl -e 'use POSIX; print strftime("%c\n", localtime(1243972006));'
Tue Jun 2 15:46:46 EDT 2009
/etc/security/user
Now you're getting into the meat of AIX user administration. The /etc/security/user file contains the most
important settings, outside of the basics in /etc/passwd, for a user. Table 2 shows some of the
parameters.
Table 2. Parameters in the /etc/security/user file
Parameter
account_locked
admin
expires
histexpire
histsize
login
maxage
minage
rlogin
su
Format
TRUE | FALSE
TRUE | FALSE
Description
Lock out the account; the user is unable to log in if set to True.
If True, the user has administrative rights.
MMDDHHYY
0-260
0-50
TRUE | FALSE
0-52
0-52
TRUE | FALSE
TRUE | FALSE
If the date has been reached, the account has expired and is locked.
Number of weeks the user can't reuse a password.
Number of passwords previously used that can't be reused.
User can log in if True.
Number of weeks a password is valid.
Number of weeks a user must wait before changing his or her password.
The account can be accessed remotely if set to True.
Others can use suto access this account if set to True.
For a full listing of all parameters, look in your AIX system under /etc/security/user, or see AIX Information
Center. Like /etc/security/limits, a defaultsection sets all the fields if not specified by the individual
account.
/usr/lib/security/mkuser.default
The /usr/lib/security/mkuser.default file contains values used when creating a new AIX user through
mkuser. Listing 5 provides an example of what the file may look like on your system.
Listing 5. Example /usr/lib/security/mkuser.default file
user:
pgrp = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
admin:
pgrp = system
groups = system
shell = /usr/bin/ksh
home = /home/$USER
Many more parameters can be defined in this file. To view the full list, look at man chuser, or go to IBM
Systems Information Center.
Time for some commands

Now that you are familiar with the files behind the commands, take a look at the commands themselves.
4/16
10/29/13
You'll learn how to create a user as well as modify a user after it has been created.
mkuser
The first command to know is mkuser. Without mkuser, the rest of the commands are useless. You use
this command to create the AIX user and set its initial values. There are a few simple rules to remember
when creating a user:
Users cannot start with a:
Dash or minus sign (-)
Plus sign (+)
At symbol (@)
Tilde (~)
Users cannot be named ALL or default, as those names are reserved for the operating system.
User names cannot include:
Colon (:)
Quotation markssingle or double ('or ")
Pound or hash symbol (#)
Comma (,)
Equal sign (=)
Slashesback or forward (\or /)
Question mark (?)
Back quote or tick (`)
White space (space or tab)
New-line characters
User names can only be eight characters or fewer in AIX version 5.2 and earlier. Starting with AIX version
5.3, IBM increased the maximum number of characters to 255.
To verify the setting in AIX 5.3 and later, you can extract the value from getconf:
# getconf LOGIN_NAME_MAX
9
or lsattr:
# lsattr -El sys0
SW_dist_intr
false
Enable SW distribution of interrupts
True
autorestart
true
Automatically REBOOT OS after a crash
True
boottype
disk
N/A
False
capacity_inc
1.00
Processor capacity increment
False
capped
true
Partition is capped
False
conslogin
enable
System Console Login
False
cpuguard
enable
CPU Guard
True
dedicated
true
Partition is dedicated
False
enhanced_RBAC
true
Enhanced RBAC Mode
True
ent_capacity
1.00
Entitled processor capacity
False
frequency
2656000000
System Bus Frequency
False
fullcore
true
Enable full CORE dump
True
fwversion
IBM,EL340_075
Firmware version and revision levels
False
id_to_partition 0X80000CE988400001 Partition ID
False
id_to_system
0X80000CE988400000 System ID
False
iostat
false
Continuously maintain DISK I/O history
True
keylock
normal
State of system keylock at boot time
False
log_pg_dealloc true
Log predictive memory page deallocation events
True
max_capacity
1.00
Maximum potential processor capacity
False
max_logname
9
Maximum login name length at boot time
True
maxbuf
20
Maximum number of pages in block I/O BUFFER CACHE True
maxmbuf
0
Maximum Kbytes of real memory allowed for MBUFS
True
maxpout
0
HIGH water mark for pending write I/Os per file
True
maxuproc
800
Maximum number of PROCESSES allowed per user
True
min_capacity
1.00
Minimum potential processor capacity
False
5/16
10/29/13
minpout
0
modelname
IBM,8203-E4A
ncargs
256
nfs4_acl_compat secure
pre430core
false
pre520tune
disable
realmem
3784704
rtasversion
1
sed_config
select
systemid
IBM,021082744
variable_weight 0

LOW water mark for pending write I/Os per file
Machine name
ARG/ENV list size in 4K byte blocks
NFS4 ACL Compatibility Mode
Use pre-430 style CORE dump
Pre-520 tuning compatibility mode
Amount of usable physical memory in Kbytes
Open Firmware RTAS version
Stack Execution Disable (SED) Mode
Hardware system identifier
Variable processor capacity weight
True
False
True
True
True
True
False
False
True
False
False
To change the value, simply adjust the v_max_lognameparameter (shown as max_lognamein lsattr)
using chdevto the maximum number of characters desired plus one to accommodate the terminating
character. For example, if you want to have user names that are 128 characters long, you would adjust the
v_max_lognameparameter to 129:
# chdev -l sys0 -a max_logname=129
sys0 changed
Please note that this change will not go into effect until you have rebooted the operating system. Once the
server has been rebooted, you can verify that the change has taken effect:
# getconf LOGIN_NAME_MAX
128
Keep in mind, however, that if your environment includes IBM RS/6000 servers prior to AIX version 5.3 or
operating systems that cannot handle user names longer than eight characters and you rely on NIS or other
authentication measures, it would be wise to continue with the eight-character user names.
To create a user with default settings and allocate the next available UID, simply execute mkuserplus the
user name as the root user:
# mkuser xander
# finger xander
Login name: xander
Directory: /home/xander
No Plan.
Shell: /usr/bin/ksh
Easy, isn't it? Try something a bit more personable. By adding some values found in the chuserman page
(man chuser), you can include the user's GECOS information and change his or her core ulimitto
524,288, as shown in Listing 6.
Listing 6. Change a user's core ulimit
# mkuser core=524288 gecos="Xander Cormany,317.555.1234" xander
# finger xander
Login name: xander
In real life: Xander Cormany
Site Info: 317.555.1234
Shell: /usr/bin/ksh
No Plan.
# su - xander "-c ulimit -a"
time(seconds)
unlimited
file(blocks)
unlimited
data(kbytes)
unlimited
stack(kbytes)
4194304
memory(kbytes)
unlimited
coredump(blocks)
524288
nofiles(descriptors) unlimited
threads(per process) unlimited
processes(per user) unlimited
It's worth mentioning that the GECOS, like any other field in /etc/passwd, should not include a colon (:) in
the value. By trying to add a colon, the fields will be adjusted, and all expected values would shift to the
right. For instance, if the user tried to have Xander:Cormany in the GECOS field in /etc/passwd, Xander
would actually be in the correct field, while Cormany would be the value of the field to the right (that is, the
home directory). Also, the GECOS field cannot end with !#.
Most administrators do not really use the command line like this, but it is important to understand what
utilities like SMIT (man smitor man smitty) are doing behind the scenes. If you would rather continue
through SMIT, the process is simple. Here's an example of creating the same user with the same attributes
through SMIT. By entering SMITdirectly into the user creation screen, you go in using the fastpath mkuser:
# smitty mkuser
6/16
10/29/13
Figure 1 shows the SMIT utility in action.

Figure 1. The smitty mkuser process
When you are finished filling out the user name, GECOS field, and core ulimit, click Enter to create the
user. When SMIT returns that the command finished successfully, click F10 or Esc + 0 to exit the program.
You can verify the user using the code in Listing 7.
Listing 7. Verify that SMIT correctly created the user
# finger xander
Login name: xander
Site Info: 317.555.1234
No Plan.

Shell: /usr/bin/ksh

time(seconds)
unlimited
file(blocks)
unlimited
data(kbytes)
unlimited
stack(kbytes)
4194304
memory(kbytes)
unlimited
coredump(blocks)
524288
chuser
The hard part is done now. But wait: Xander's manager, Ann, just came by and informed you that Xander's
core ulimitshould have been 1,048,576 (someone forgot to multiply by 2). No problem: Just change the
ulimitwith chuser.
The chusercommand works very much like mkuserin syntax and uses the identical attributes. Listing 8
provides an example of the chusercommand.
Listing 8. The chuser command
# chuser core=1048576 xander
time(seconds)
unlimited
7/16
10/29/13
file(blocks)
unlimited
data(kbytes)
unlimited
stack(kbytes)
4194304
memory(kbytes)
unlimited
coredump(blocks)
1048576
As always, IBM has made these commands easily accessible in SMIT using fastpaths. Logically, smitty
chusertakes you directly to the user modification screen.
chsh
There are times when you want to change your shell. The default shell in AIX is the Korn shell, or ksh. To
change the shell, execute chshwith the user's name, and then select the desired shell, as shown in Listing
9.
Listing 9. Change a user's shell
# finger xander
Login name: xander
Site Info: 317.555.1234
No Plan.

Shell: /usr/bin/ksh
# chsh xander
Current available shells:
/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd
xander's current login shell:
/usr/bin/ksh
Change (yes) or (no)? > yes
To?>/usr/bin/csh
# finger xander
Login name: xander
Site Info: 317.555.1234
No Plan.

Shell: /usr/bin/csh
chfn
The administrator who created Xander's AIX user introduced a typo into his name in the GECOS
information. To correct the mistake, you use the chfncommand. This command works much like chsh,
where the command displays the current value, asks the user whether he or she wants to change it, and
then changes the value to what was entered. Listing 10 provides an example.
Listing 10. Example chfn command
# finger xander
Login name: xander
Site Info: 317.555.1234
No Plan.
In real life: Zander Cormany

Shell: /usr/bin/ksh
# chfn xander
xander's current gecos:
"Zander Cormany,317.555.1234"
To?>Xander Cormany,317.555.1234
# finger xander
Login name: xander
Site Info: 317.555.1234
No Plan.

Shell: /usr/bin/ksh
Correcting the GECOS information may sound trivial, but it is helpful to the other administrators and users
on the system. For example, if you're trying to find Xander's account but can't remember his user name,
you could search for it through his GECOS information. Searching for his last name, which was correctly
entered into the GECOS field, would quickly show me his user name. The fingercommand will search for
all instances of the string entered in /etc/passwd's user name and real name in the first field of the GECOS
8/16
10/29/13
information:
# finger cormany
Login name: atc
Directory: /home/cormany
No Plan.
Login name: xander
Site Info: 317.555.1234
No Plan.
In real life: Adam Cormany

Shell: /bin/ksh

Shell: /usr/bin/ksh
lsuser
Gathering all the information for a user from the various user files may seem cumbersome. Fortunately, AIX
provides a command to gather the data in one fell swoop. The lsusercommand returns all the attributes
used on the user from the various administration files, which can be very helpful if you are comparing users,
wanting to generate a complete listing of all users for backup purposes, or are troubleshooting an issue
with an individual account.
To view a user's attributes, you can use the -fswitch, which displays everything in a stanza structure.
Listing 11 provides an example of this output.
Listing 11. Output from lsuser -f
# lsuser -f xander
xander:
id=214
pgrp=staff
groups=staff
home=/home/xander
shell=/usr/bin/ksh
gecos=Xander Cormany,317.555.1234
login=true
su=true
rlogin=true
daemon=true
admin=false
sugroups=ALL
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=22
registry=files
SYSTEM=compat
logintimes=
loginretries=0
pwdwarntime=0
account_locked=false
minage=0
maxage=0
maxexpired=-1
minalpha=0
minother=0
mindiff=0
maxrepeats=8
minlen=0
histexpire=0
histsize=0
pwdchecks=
dictionlist=
default_roles=
fsize=-1
cpu=-1
data=-1
stack=-1
core=1048576
rss=-1
nofiles=-1
roles=
If you are comparing users, simply change the switch from -fto -cand add the users you want to
compare as a comma-delimited argument. Listing 12 provides an example of this output.
Listing 12. Output of lsuser -c
# lsuser -c xander,atc
#name:id:pgrp:groups:home:shell:gecos:login:su:rlogin:daemon:admin:
sugroups:tpath:ttys:expires:auth1:auth2:umask:registry:SYSTEM:loginretries:
pwdwarntime:account_locked:minage:maxage:maxexpired:minalpha:minother:
mindiff:maxrepeats:minlen:histexpire:histsize:fsize:cpu:data:stack:core:rss:nofiles
xander:214:staff:staff:/home/xander:/usr/bin/ksh:Xander Cormany,317.555.1234:
true:true:true:true:false:ALL:nosak:ALL:0:SYSTEM:NONE:22:files:compat:0:0:false:
0:0:-1:0:0:0:8:0:0:0:-1:-1:-1:-1:1048576:-1:-1
#name:id:pgrp:groups:home:shell:gecos:login:su:rlogin:daemon:admin:sugroups:
tpath:ttys:expires:auth1:auth2:umask:registry:SYSTEM:loginretries:pwdwarntime:
account_locked:minage:maxage:maxexpired:minalpha:minother:mindiff:maxrepeats:
minlen:histexpire:histsize:fsize:cpu:data:stack:core:rss:nofiles:time_last_login:
time_last_unsuccessful_login:tty_last_login:tty_last_unsuccessful_login:host_last_login:
host_last_unsuccessful_login:unsuccessful_login_count
cormany:215:staff:staff,support:/home/cormany:/bin/ksh:Adam Cormany:true:true:
9/16
10/29/13
true:true:false:ALL:nosak:ALL:0:SYSTEM:NONE:22:NIS:compat:0:0:false:0:0:
-1:0:0:0:8:0:0:0:-1:-1:-1:-1:-1:-1:-1:1250854405:1250522447:/dev/pts/3:/dev/pts/13:
10.20.30.40:10.20.30.41:0
That is a lot of information to look at and may be a bit overwhelming in its raw form. However, if you import
this data into a spreadsheet, it will look much cleaner. Having a delimited format is also helpful when you
are using the data in scripts to manage users.
If you are only looking for a few fieldssay, the user's shell and home directorythe lsusercommand
can do the work for you with the -aswitch. Listing 13 provides an example of this command using the fields
from the chuserman page.
Listing 13. Running lsuser -c a on a man page
# lsuser -c -a shell home xander,cormany
#name:shell:home
xander:/usr/bin/ksh:/home/xander
#name:shell:home
cormany:/bin/ksh:/home/cormany
passwd
Many think the passwdcommand only changes a user's password. Although passwddoes perform this
important function, it contains other features, as well.
The most important function of passwdis indeed changing a user's password. By following the rules set
forth in the configuration files /etc/security/user and /etc/security/passwd, a standard user can change his
or her own password or, if logged in as the root user, can change other users' passwords, as Listing 14
shows.
Listing 14. Using passwd to change a user's password
# lsuser -c -a password xander
#name:password
xander:*
# passwd xander
Changing password for "xander"
xander's New password:
Enter the new password again:
# lsuser -c -a password xander
#name:password
xander:!
The passwdcommand can also change a user's GECOS information like chfnor his or her shell/command
to execute during the login process, like chsh. Listing 15 provides an example.
Listing 15. Using passwd to change a user's information
# passwd -f xander
xander's current gecos:
"Xander Cormany,317.555.1234"
To?>Xander Cormany,317.555.7890
# passwd -s xander
Current available shells:
/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd
xander's current login shell:
/usr/bin/ksh
To?>/usr/bin/bsh
# finger xander
Login name: xander
Site Info: 317.555.7890
No Plan.

Shell: /usr/bin/bsh
pwdadm
10/16
10/29/13
The pwdadmcommand can change passwords in AIX. In addition, pwdadmcan display (excluding encrypted
passwords) or update a user's flags in /etc/security/passwd. Continuing with Xander's account as a guinea
pig, First change his password, and then view his current password attributes. Because his password was
just changed, the ADMCHGflag will be set. Change that flag to ADMIN, and restrict the account so that only
administrators can update the password going forward. Listing 16 shows the code to perform this task.
Listing 16. Change a user's flag and restrict privileges
# pwdadm xander
Changing password for "xander"
xander's New password:
Enter the new password again:
# pwdadm -q xander
xander:
flags = ADMCHG
# pwdadm -f ADMIN xander
# pwdadm -q xander
xander:
flags = ADMIN
rmuser
The time has come to remove a user from the system; Xander's account must be deleted. To do so, you
need rmuser.
To remove a user, simply execute rmuserwith the user's account name as the argument. Doing so with no
switches removes the user from the system, but the user's password information will be retained in the
/etc/security/passwd file:
# rmuser xander
To fully remove the user's password information, use the -pswitch:

# rmuser p xander
Note that rmuserdoes not remove the user's home directory. If a user has important data in his or her
home directory that should be kept, it is up to you to remove the home directories when you deem it safe.
Groups
You're familiar with a few user modification commands; now, let's talk about groups. Like user
administration, it's important that you know the configuration files behind the commands that modify them.
/etc/group
The /etc/group file contains the basics of a group. Listing 17 provides an example of the file /etc/group.
Listing 17. Example /etc/group file
system:!:0:root,pconsole,esaadmin
staff:!:1:ipsec,esaadmin,sshd,xander
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:uucp,nuucp
mail:!:6:
security:!:7:root
cron:!:8:root
printq:!:9:lp
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
perf:!:20:
shutdown:!:21:
lp:!:11:root,lp
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
pconsole:!:14:pconsole
sshd:!:201:sshd
As you can see, the file is colon delimited like the /etc/passwd file, and each entry contains only four fields
in the following format (with spaces added before and after the delimiter to ease reading):
Group Name : Password Flag : GID : User(s)
11/16
10/29/13
Here's the line-by-line breakdown:

Group Name. The group name associated with the group.
Password Flag. This field is not used in AIX. Instead, AIX uses the /etc/security/group file for group
administrators.
GID. The GID associated with the group.
User(s). The list of users who are members of the group.
Note: This field is comma delimited.
/etc/security/group
The /etc/security/group file is much like /etc/security/user for users: It contains extended attributes to the
specified group. Table 3 provides a couple of useful settings in the configuration file.
Table 3. /etc/security/group parameters
Parameter
adms
admin
Format
user1, user2,
TRUE | FALSE
Description
Comma-delimited list of users with administrative rights to the group.
If True, the group has administrative rights to the group.
For more attributes, read the man page for /etc/security/group (man group), or visit
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?
topic=/com.ibm.aix.files/doc/aixfiles/group.htm.
The file is broken down into stanzas like the other configuration files in /etc/security, with the group name as
the identifier. A nice feature of this file is that it allows you to set administrator rights to a standard user for
a group. The administrators of that group can then modify the group as they see fit by adding members to
or removing members from the group. Listing 18 provides an example of what an /etc/security/group looks
like. In this example, the group jradmin has adminset to False and standard users pac and xander defined
as administrators of the group.
Listing 18. Example of an /etc/security/group file
system:
admin = true
staff:
admin = false
bin:
admin = true
sys:
admin = true
jradmin:
admin = false
adms = pac,xander
A few more commands

You've read enough about the files behind the commands. Now, let's look at the commands themselves.
You'll see how to create a group as well as modify it after it has been created.
mkgroup
Creating a group in AIX is simple and straightforward. The same restrictions for creating a user pertain to
creating a group:
Groups cannot start with the:
Dash or minus sign (-).
Plus sign (+)
At symbol (@)
12/16
10/29/13
Tilde (~)
Groups cannot be named ALL or default, as these names are reserved to the operating system.
Group names cannot include:
Colon (:)
Quotation markssingle or double ('or ")
Pound or hash sign (#)
Comma (,)
Equal sign (=)
Slashesback or forward (\or /)
Question mark (?)
Back quote or tick (`)
White space (space or tab)
New-line characters
Group names can only be eight characters or less in AIX version 5.2 and earlier. Starting with AIX version
5.3, IBM increased the maximum number of characters to 255.
Both user and group name lengths are handled by the same parameter: v_max_logname. To view or
change the value, follow the instructions provided for viewing and changing the user name length in mkuser,
earlier in this article.
To create a group, simply execute the mkgroupcommand with the group name as an argument, as shown
in Listing 19.
Listing 19. Create a group with mkgroup
# mkgroup atctest
# grep atctest /etc/group
atctest:!:202:
# grep -p atctest /etc/security/group
atctest:
admin = false
To create an admin group, add the -aswitch, as shown in Listing 20.

Listing 20. Create an admin group
# mkgroup -a atcadmin
# grep atcadmin /etc/group
atcadmin:!:15:
# grep -p atcadmin /etc/security/group
atcadmin:
admin = true
To create a group and add Xander as the administrator of the group, add the admsection of the
/etc/security/group stanza to the command line, as shown in Listing 21.
Listing 21. Add a specific user as a group administrator
# mkgroup adms=xander xangroup
# grep xangroup /etc/group
xangroup:!:203:
# grep -p xangroup /etc/security/group
xangroup:
admin = false
adms = xander
Like mkuser, mkgroupfollows the same attributes as chgroup. For a full list of the attributes, read
13/16
10/29/13
chgroup's man page (man chgroup).
chgroup
The chgroupcommand works just like chuser, and its man page contains all the attributes you can change
on a group. Listing 22 provides an example of how to change the group's xangroupGID from 203 to 204.
Add a few users to the group, as well.
Listing 22. Change the group's GID and add users
xangroup:!:203:
# chgroup id=204 users=xander,atc,amdc xangroup
xangroup:!:204:xander,atc,amdc
chgrpmem
Another way to modify a group's members is with chgrpmem. The chgrpmemcommand allows you to list,
add, and remove users from a group as well as modify the administrators of the group.
For example, the group xangroup has xander and atc as members and xander as an administrator of the
group. Remove atc from the group, as shown in Listing 23.
Listing 23. Remove a user from a group
# chgrpmem xangroup
xangroup:
members = xander,atc
adms = xander
# chgrpmem -m - atc xangroup
# chgrpmem xangroup
xangroup:
members = xander
adms = xander
Suppose there was a mistake and user atc was not supposed to be removed. Instead, user atc was
supposed to become the administrator of the group, while xander's administrative rights were to be
removed. Listing 24 shows the code to make the correction.
Listing 24. Add a deleted user and change the group administrator
# chgrpmem -m + atc xangroup
# chgrpmem -a + atc xangroup
# chgrpmem -a - xander xangroup
# chgrpmem xangroup
xangroup:
members = xander,atc
adms = atc
lsgroup
With such a nice command for users as lsuser, shouldn't there be one for groups, as well? There is:
lsgroup. To continue with the standard format of commands and their options in AIX, lsgroupfollows the
same structure as lsuser.

Listing 25 provides a few examples using the same switches as in lsuserin Listing 11, Listing 12, and
Listing 13.
Listing 25. Output from the lsgroup command
# lsgroup xangroup
xangroup id=204 admin=false users=xander,cormany adms=cormany registry=files
# lsgroup -f xangroup
xangroup:
id=204
admin=false
users=xander,cormany
adms=cormany
registry=files
# lsgroup -c xangroup,atcadmin
#name:id:admin:users:adms:registry
xangroup:204:false:xander,cormany:cormany:files
#name:id:admin:registry
atcadmin:15:true:files
# lsgroup -c -a id xangroup,atcadmin
14/16
10/29/13
#name:id
xangroup:204
#name:id
atcadmin:15
rmgroup
Throughout this article, you've been creating sample groups. Now, it's time to clean up the AIX system
you're using. To remove a group from the system, simply execute rmgroupwith the group's name as the
argument:
# rmgroup atctest
The rmgroupcommand does not allow you to remove the group until you have moved all users that have
the group as their primary group to another group.
Conclusion
After reading this article, you should now have a better understanding of the configuration files for user and
group maintenance in AIX. You should also understand the command-line tools better and see how easy it
really is to create, modify, and remove users and groups. IBM really has made such maintenance simple so
that you can focus on more complicated issues.
Resources
Learn
getconf: See IBM's man page for the getconfcommand.
Dig deeper into AIX and Unix on

developerWorks
Overview
New to AIX and Unix
/etc/security/limits: See IBM's System Information Center Web page for

/etc/security/limits.
Technical library (articles and more)
/etc/security/user: See IBM's System Information Center Web page for

/etc/security/user.
Community
/usr/lib/security/mkuser.default: See IBM's System Information Center Web

page for /usr/lib/security/mkuser.default.
Open source projects
chuser: See IBM's System Information Center Web page for the chuser
command.
/etc/group: See IBM's System Information Center Web page for /etc/group.
/etc/security/group: See IBM's System Information Center Web page for
/etc/security/group.
The AIX and UNIX developerWorks zone provides a wealth of information
relating to all aspects of AIX systems administration and expanding your
UNIX skills.
Forums
Downloads and products
Events
developerWorks Labs
Experiment with new directions in
software development.
JazzHub
Everything you need to build great
software. Click. Code. Create.
IBM evaluation software

Download software trials;
experiment in a sandbox or in the
cloud.
New to AIX and UNIX? Visit the New to AIX and UNIX page to learn more.
Browse the technology bookstore for books on this and other technical
topics.
Discuss
Check out developerWorks blogs and get involved in the developerWorks
community.
Participate in the AIX and UNIX forums:
AIX Forum
AIX Forum for developers
Cluster Systems Management
IBM Support Assistant Forum
Performance Tools Forum
15/16
10/29/13
Virtualization Forum
More AIX and UNIX Forums
16/16

AIX User and Group Administration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AIX User and Group Administration

Uploaded by

Copyright:

Available Formats

10/29/13

AIX user and group administration

AIX and UNIX

AIX user and group administration

Learn the files first, then the commands

Keep in mind that the commands and

Listing 1. Example /etc/passwd file

AIX user and group administration

Here's the line-by-line breakdown:

# This is at Shell startup. In normal

AIX user and group administration

Table 1. Fields in /etc/security/limits

The amount of system time allowed

Size of the process data segment

Listing 3 provides an example of a /etc/security/limits file.

AIX user and group administration

Time for some commands

AIX user and group administration

AIX user and group administration

AIX user and group administration

Figure 1 shows the SMIT utility in action.

In real life: Xander Cormany

# su - xander "-c ulimit -a"

AIX user and group administration

In real life: Xander Cormany

In real life: Xander Cormany

In real life: Zander Cormany

In real life: Xander Cormany

AIX user and group administration

In real life: Adam Cormany

In real life: Xander Cormany

AIX user and group administration

In real life: Xander Cormany

AIX user and group administration

To fully remove the user's password information, use the -pswitch:

AIX user and group administration

Here's the line-by-line breakdown:

A few more commands

AIX user and group administration

To create an admin group, add the -aswitch, as shown in Listing 20.

AIX user and group administration

chgroup's man page (man chgroup).

same structure as lsuser.

AIX user and group administration

Dig deeper into AIX and Unix on

/etc/security/limits: See IBM's System Information Center Web page for

Technical library (articles and more)

/etc/security/user: See IBM's System Information Center Web page for

/usr/lib/security/mkuser.default: See IBM's System Information Center Web

Open source projects

Downloads and products

IBM evaluation software

AIX user and group administration

You might also like