You are setting up a new workstation or cleaning up a server
You are adding a developer to a Fedora workstation, or you are removing an old account from a server after someone leaves. You run useradd and the account appears, but the user complains they cannot log in. Or you run userdel to remove an account and realize you just deleted the only copy of their project files. User management on Fedora is straightforward, but the defaults hide a few traps. Get the flags right, and the account works. Miss one, and you spend an hour debugging permissions or recovering orphaned data.
How user accounts work on Fedora
Linux treats user accounts as entries in text files, not as objects in a database. The system reads /etc/passwd to map usernames to numeric IDs. It reads /etc/shadow for encrypted passwords and aging policies. It reads /etc/group for group memberships. When you create a user, you are writing lines to these files and creating a directory structure. When you delete a user, you are removing those lines.
The files are plain text. You can edit them with a text editor, but you should not. Use the tools. The tools update the files atomically and handle SELinux contexts automatically. Manual edits drift. Snapshots stay. Fedora also uses /etc/skel to populate new home directories. When you create a user with a home directory, the system copies the contents of /etc/skel into the new folder. This is where you place default dotfiles for all new users.
Run id to check a user's status. It is faster than grepping /etc/passwd and shows the effective groups in one line. Most sysadmins type id username muscle-memory style before making changes.
Create a standard user
Here is how to create a standard user with a home directory and a login shell.
sudo useradd -m -s /bin/bash -c "Jane Developer" jdev
# -m creates the home directory at /home/jdev and copies /etc/skel
# -s sets the login shell to bash so the user can interact with the terminal
# -c adds a comment field for the full name, visible in 'getent passwd'
sudo passwd jdev
# passwd prompts for the password securely and updates /etc/shadow
# useradd does not set a password by default, so the account is locked until this runs
The useradd command does not create a home directory by default. If you omit -m, the user lands in the root directory (/) at login, or the login fails entirely. Always include -m for interactive users. The -s flag sets the shell. Fedora provides /bin/bash for interactive use and /usr/sbin/nologin for service accounts. If you set the wrong shell, the user cannot log in.
Grant administrative access
Here is how to grant the user administrative privileges by adding them to the wheel group.
sudo usermod -aG wheel jdev
# -a appends the user to the group without removing existing memberships
# -G specifies the supplementary group list
# wheel is the default group for sudo access on Fedora
Fedora Workstation disables direct root login. Users manage the system via sudo. The sudo configuration grants access to members of the wheel group. If you add a user to wheel, they can run commands as root after entering their own password.
Always use -aG. Without -a, usermod replaces the supplementary group list. You will strip the user from every group not named in the command and lock them out of the files they reached through those groups. Wiping groups is a silent failure that breaks access immediately.
Create service accounts
Here is how to create a service account that cannot log in.
sudo useradd -r -s /usr/sbin/nologin appuser
# -r creates a system user with a UID below 1000
# -s sets the shell to nologin, preventing interactive login
# Service accounts should never have a password or a home directory
Service accounts run daemons or scripts. They do not need a home directory or a login shell. The -r flag creates a system user with a UID in the reserved range. Fedora assigns UIDs below 1000 to system accounts and 1000 and above to interactive users. This separation helps security policies distinguish between human users and system processes.
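The conventions above (system UIDs below 1000 use nologin and carry no password, and an interactive account stays locked until passwd runs) can be checked mechanically. The script below is an added example, not part of the original article; the function names and the sample passwd and shadow records are constructed for illustration.

```shell
# Added example: flag accounts that break the conventions described above.
# The passwd/shadow records in demo_audit are constructed sample data.
UID_MIN=1000   # first interactive UID, as stated on this page

# Usage: audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one "name: finding" line per violation.
audit_accounts() {
    awk -F: -v uid_min="$UID_MIN" '
        # First input (shadow): remember accounts whose hash field is
        # neither empty nor locked (locked fields start with "!" or "*").
        FNR == NR { if ($2 != "" && $2 !~ /^[!*]/) has_pw[$1] = 1; next }
        # Second input (passwd): apply the rules. UID 0 (root) is skipped.
        {
            name = $1; uid = $3 + 0; shell = $7
            nologin = (shell ~ /\/(nologin|false)$/)
            is_sys = (uid > 0 && uid < uid_min)
            if (is_sys && !nologin)
                print name ": system UID " uid " with login shell " shell
            if (is_sys && (name in has_pw))
                print name ": system account has a password set"
            if (uid >= uid_min && !nologin && !(name in has_pw))
                print name ": interactive account has no usable password"
        }' "$2" "$1"
}

# Run the audit over constructed records (hash strings are placeholders).
demo_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
appuser:x:987:987::/home/appuser:/usr/sbin/nologin
legacyapp:x:986:986::/opt/legacy:/bin/bash
jdev:x:1000:1000:Jane Developer:/home/jdev:/bin/bash
newhire:x:1001:1001:New Hire:/home/newhire:/bin/bash
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$y$j9T$constructed$hash:19800:0:99999:7:::
appuser:!:19800::::::
legacyapp:$y$j9T$constructed$hash:19800::::::
jdev:$y$j9T$constructed$hash:19800:0:99999:7:::
newhire:!:19800:0:99999:7:::
EOF
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

demo_audit
```

On a real host, run audit_accounts /etc/passwd /etc/shadow as root. A few stock system entries (for example sync, shutdown and halt) use a command as their shell and will appear under the first finding, so review the output rather than acting on it blindly.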
Delete a user safely
Here is how to remove a user and their home directory.
sudo userdel -r jdev
# -r removes the home directory and mail spool along with the account
# Without -r, the home directory remains as an orphaned folder owned by a missing UID
By default, userdel leaves the home directory intact. This is useful if you need to archive the data before deletion. If you want to remove everything, use -r. The command fails if the user is currently logged in. Check for active sessions first.
Here is how to check for active sessions before deletion.
who | grep jdev
# Lists active sessions for the user
sudo pkill -u jdev
# Terminates all processes owned by the user if they refuse to log out
Check who before userdel. Deleting a logged-in user leaves zombie processes and open file handles. If the user owns files outside their home directory, transfer ownership before deletion.
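sudo find /var/www -user jdev -exec chown -h newuser:newuser {} +
# Finds files owned by jdev in a specific path and transfers ownership
# -h changes a symlink itself; without it chown follows the link and re-owns its target
# {} + passes many paths to each chown call instead of starting one process per file
# Run this before userdel to prevent permission errors for shared resources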
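To find what the departing user owns beyond one known path, inventory the filesystem before running userdel. This is an added example, not part of the original article: the function names and the temporary directory tree are constructed, and it assumes GNU find (the -printf action), which Fedora ships.

```shell
# Added example: pre-deletion inventory of files a user owns outside $HOME.

# Usage: owned_outside_home OWNER HOME ROOT
# Prints "<type> <path>" for everything under ROOT owned by OWNER (name or
# numeric UID), skipping the HOME tree that userdel -r removes anyway.
# Type is the find %y code: f = file, d = directory, l = symlink.
owned_outside_home() {
    find "$3" -xdev -path "$2" -prune -o -user "$1" -printf '%y %p\n' |
        LC_ALL=C sort
}

# Symlinks get their own list: chown without -h re-owns the link target,
# so a hand-over script must never follow links the old user created.
owned_symlinks() {
    owned_outside_home "$@" | awk '$1 == "l" { print substr($0, 3) }'
}

# Constructed tree standing in for a real filesystem; the current user
# plays the role of jdev so the demo runs without root.
demo_inventory() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/jdev" "$tmp/var/www"
    touch "$tmp/home/jdev/notes.txt" "$tmp/var/www/index.html"
    ln -s /etc/hostname "$tmp/var/www/link"
    (cd "$tmp" && owned_outside_home "$(id -u)" ./home/jdev .)
    rm -rf "$tmp"
}

demo_inventory
```

On a real system the call is sudo owned_outside_home jdev /home/jdev / from a root shell that has sourced the functions; paths containing newlines are not handled by this line-based output.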
Verify the account
Run id jdev to see the UID, GID, and group list. Run ls -ld /home/jdev to check permissions. If the output matches expectations, the account is ready. If id returns no such user, the creation failed. Check the error message. It usually points to a duplicate UID or a missing directory.
If the user cannot log in, check the shell in /etc/passwd. Check the SELinux context on the home directory. Fedora enforces SELinux by default. useradd sets the context correctly. If you create a directory manually, the context is wrong. The user cannot read their own files. Run restorecon -Rv /home/jdev to fix the context. restorecon reads the policy and applies the correct label. It is safer than chcon because it survives a policy update.
Run id first. Read the output before assuming the account works.
Common pitfalls
The usermod command replaces the group list unless you use -a. Running sudo usermod -G wheel jdev removes the user from all other groups. The user loses access to shared folders. Always use -aG.
The useradd command does not create a home directory by default. If you omit -m, the user lands in the root directory (/) at login, or the login fails entirely. Always include -m for interactive users.
SELinux contexts matter. useradd sets the context correctly. If you create a directory manually, the context is wrong. The user cannot read their own files. Run restorecon -Rv /home/jdev to fix the context. Trust restorecon. Manual context edits drift when the policy updates.
Password aging is controlled by /etc/shadow. The chage command manages expiration. If a user complains their password expired immediately, check the aging fields. Fedora defaults vary by release. Run chage -l username to inspect the policy.
Choose the right tool
Use useradd when you need a low-level command that works identically across all Linux distributions.
Use adduser when you want a Perl wrapper that prompts for a password and full name interactively.
Use usermod when you need to change an existing user's shell, home directory, or group memberships.
Use userdel when you are removing an account and want to control whether the home directory persists.
Use system-users when you are managing service accounts that do not require a login shell or home directory.
Use authselect when you are integrating with external identity providers like LDAP or Active Directory.
Where to go next
Secure the account with keys. How to Configure SSH Key-Based Authentication on Fedora
Fix permission errors. How to Fix "User Is Not in the Sudoers File" Error on Fedora