This post was originally published on go2linux.org on February 11, 2009. The domain is no longer mine, but I am the original author. I am republishing it here on garron.me with corrections and improvements.
Introduction
In Linux, groups control what resources a user can access. When you add a user to the sudo group they gain administrative privileges; add them to docker and they can run containers without root; add them to www-data and they can write to web server directories.
Every user has one primary group (set at account creation) and zero or more supplementary groups. Most day-to-day group management involves supplementary groups.
Check current group membership
Before making changes, see what groups a user already belongs to:
groups username
Or get more detail including UID and GID:
id username
To list all members of a specific group:
getent group groupname
Add an existing user to a group
Use usermod with the -a (append) and -G (supplementary groups) flags:
sudo usermod -a -G groupname username
Critical: always include
-a. Without it,usermod -G groupname usernamereplaces the user's entire supplementary group list with justgroupname— removing them from every other group they belonged to. This is the most common and damaging mistake in Linux user management.
Example — add user alice to the docker group:
sudo usermod -a -G docker alice
Add a user to multiple groups at once
Separate group names with commas, no spaces:
sudo usermod -a -G group1,group2,group3 username
Example:
sudo usermod -a -G docker,www-data,developers alice
Create a new user and add to a group
Use useradd with -G for supplementary groups:
sudo useradd -G groupname newuser
sudo passwd newuser
To add to multiple groups at creation:
sudo useradd -G docker,developers newuser
Change a user's primary group
Use lowercase -g (not uppercase -G) to set the primary group:
sudo usermod -g groupname username
| Flag | Effect |
|---|---|
| -G (uppercase) | Sets or appends supplementary groups |
| -g (lowercase) | Changes the primary group |
Remove a user from a group
Use gpasswd with the -d flag:
sudo gpasswd -d username groupname
gpasswd is also a safe alternative for adding a single user to a group, since it can only affect one group at a time and carries no risk of accidentally clearing other memberships:
sudo gpasswd -a username groupname
Verify the change
After modifying group membership, confirm with:
groups username
id username
getent group groupname
Important: group changes do not take effect in the user's current session. The user must log out and log back in (or start a new shell with newgrp groupname) for the new groups to be active.
Common system groups
| Group | Grants access to |
|---|---|
| sudo / wheel | Run commands as root with sudo |
| docker | Manage Docker containers without sudo |
| www-data | Write to web server directories (Apache/Nginx) |
| adm | Read system log files in /var/log |
| audio | Sound devices |
| video | Video devices and GPU access |
| plugdev | Mount removable devices |
| lpadmin | Manage printers |
usermod vs useradd vs gpasswd
| Command | Use for |
|---|---|
| usermod -a -G | Adding an existing user to one or more groups |
| useradd -G | Setting groups when creating a new user |
| gpasswd -a | Adding to a single group (no risk of clearing other groups) |
| gpasswd -d | Removing a user from a group |