How to Lock (Disable) User Account in Linux

Linux systems allow you to lock or disable access to a particular user account without changing anything from the account. This might be useful if you do not want to remove user account permanently but, you just want it disabled and no longer able to use the system.

The disabled user will still receive emails for example, but he will not be able to login and check them out. Linux distributions use /etc/shadow file to store the encrypted user passwords. A user account can be temporarily disabled or permanently removed.

1) Lock (disable) user account

You can disable or lock a user account temporarily by just putting an asterisk "*" at the beginning of the second field in the file /etc/shadow. This means that "*" won’t permit login for this account. Whenever you want to enable the account, just erase the asterisk and the user account is back in operation with its old password.

For example, you want to lock a user named “Tom” then you can do this as follows:

# vi /etc/shadow
Tom:*$1$narMEFm6$fhA1puOU422HiSL5aggLI/:11193:0:99999:7:-1:-1:134539228

Here, the second field is the encrypted password.

You can replace the password with “*” or “!”. This will render user account inaccessible and it will mean that no login is permitted for the user.

# vi /etc/shadow
Tom:*:13852:0:99999:7:::

However, the main disadvantage of this method is that the password will be lost in the case we will want to re-enable it again later.

2) Using passwd command

Passwd command can be used to lock or disable the user account.

# passwd Tom –l
Output
“Password changed.”
Above command changes the shadow file and adds “!” in front of the user password:
Tom:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::

Now in case, if you want enable the account just unlock it using –u option as follows:

# passwd Tom -u

You can also enable account by removing manually the “!” character from the user’s password line in /etc/shadow.

3) Permanently remove user account

You can permanently remove the user; just run userdel command.

# userdel Tom
or
# userdel -r Tom

Make sure to check home of the user before running this command.

Read Also:

Leave a Comment