How to add a user to a group in Linux

Group access often changes when a user joins a team, needs a shared project directory, or should use a service-owned resource without becoming that resource's owner. Adding the account to an existing supplementary group grants that extra access while leaving the user's primary group and default file ownership unchanged.

Linux resolves users and groups through the configured account databases, so getent checks the same lookup path that many local tools and services use. The usermod command updates local account records, and --append with --groups adds a supplementary membership without replacing the rest of the user's group list.

The user and group should already exist on the local system before changing membership. Create the group first when the target group is missing, and update the identity provider instead when the account is managed by LDAP, Active Directory, or another central directory. Existing shells and long-running services keep their old group credentials until the user signs in again or the affected service restarts.

Related: How to create a user in Linux
Related: How to create a group in Linux
Related: How to remove a user from a group in Linux

Steps to add a Linux user to a supplementary group:

  1. Confirm that the target user resolves on the system. 
    $ getent passwd audituser
audituser:x:1001:1001:Audit User:/home/audituser:/bin/bash

    Replace audituser with the login that needs the extra group membership.

  2. Confirm that the target group resolves on the system. 
    $ getent group finance
finance:x:1002:

    The group must exist before usermod can add the user to it.

  3. Add the user to the supplementary group without replacing existing memberships. 
    $ sudo usermod --append --groups finance audituser

    Do not omit --append when using --groups for this task. Without it, usermod replaces the supplementary group list with only the groups named in the command.

  4. Verify the user's full group list by ID and name. 
    $ id audituser
uid=1001(audituser) gid=1001(audituser) groups=1001(audituser),1002(finance)
  5. Check the group names in the shorter membership format. 
    $ groups audituser
audituser : audituser finance
  6. Start a new login shell for the target account to confirm the membership available to new sessions. 
    $ sudo -iu audituser id -nG
audituser finance

    If the user already has an open desktop, terminal, SSH session, or service process, reopen that session or restart the service before testing access that depends on the new group.