Locking a local user account on Linux is a controlled way to suspend access during offboarding, incident response, or a short administrative hold without deleting the account's files or group memberships.
Local account access is governed by the password hash and expiry fields stored in /etc/shadow. A password lock created with passwd --lock blocks password authentication, while an expired account set with usermod --expiredate closes other interactive login paths that can still work with a valid token, such as SSH public-key authentication.
The commands below were verified on Ubuntu 24.04 and apply to current Linux distributions that use local shadow-managed accounts. Root privileges are required, active sessions stay running until they are ended separately, and accounts managed by LDAP, Active Directory, or SSSD must be disabled in the upstream identity source instead of only changing the local account metadata.
$ whoami
user
$ sudo passwd --status audituser
audituser P 2026-04-14 0 99999 7 -1
Replace audituser with the actual account name. A usable password commonly shows as P or PS, while a locked password shows as L or LK depending on the distribution.
$ sudo passwd --lock audituser
passwd: password changed.
passwd --lock adds a leading ! to the stored password hash in /etc/shadow, which makes password authentication invalid without deleting the existing hash.
$ sudo usermod --expiredate 1970-01-02 audituser
Expiring the account can interrupt scheduled jobs or service processes that still rely on that login, so confirm the target is not used for automation before applying it.
$ sudo passwd --status audituser
audituser L 2026-04-14 0 99999 7 -1
The important state change is the locked status code, which appears as L or LK depending on the distribution.
$ sudo chage --list --iso8601 audituser
Last password change                                : 2026-04-14
Password expires                                    : never
Password inactive                                   : never
Account expires                                     : 1970-01-02
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7
An expiration date in the past confirms the account is administratively disabled for normal login paths.
Locking or expiring the account does not terminate shells or background processes that are already running.
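The two state changes above can also be checked directly against the shadow fields. The script below is an added example, not part of the original procedure: the function names shadow_state and fully_disabled are hypothetical, and the sample lines are constructed with placeholder hash text.

```shell
#!/bin/sh
# Added example: classify a shadow-format line by password lock and account expiry.
# On a live host the line can be obtained with: sudo getent shadow audituser

# Constructed sample lines; the hash text is a placeholder, not a real hash.
SAMPLE_ACTIVE='audituser:$y$PLACEHOLDER:20557:0:99999:7:::'
SAMPLE_LOCKED_ONLY='audituser:!$y$PLACEHOLDER:20557:0:99999:7:::'
SAMPLE_DISABLED='audituser:!$y$PLACEHOLDER:20557:0:99999:7::1:'

# shadow_state LINE [TODAY]  (TODAY = days since 1970-01-01, default: now)
# Prints: <user> password=<locked|none|usable> account=<expired|active>
shadow_state() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    # Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    IFS=: read -r name hash lastchg min max warn inactive expire reserved <<EOF
$line
EOF
    case $hash in
        '!'*|'*'*) pw=locked ;;   # leading ! is what passwd --lock adds; * never matches either
        '')        pw=none ;;     # empty field: no password set
        *)         pw=usable ;;
    esac
    # Field 8 is the expiry date in days since the epoch; 1970-01-02 is stored as 1.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        acct=expired
    else
        acct=active
    fi
    printf '%s password=%s account=%s\n' "$name" "$pw" "$acct"
}

# Succeeds only when both steps of the procedure are reflected in the line.
fully_disabled() {
    case $(shadow_state "$@") in
        *' password=locked account=expired') return 0 ;;
        *) return 1 ;;
    esac
}

for sample in "$SAMPLE_ACTIVE" "$SAMPLE_LOCKED_ONLY" "$SAMPLE_DISABLED"; do
    shadow_state "$sample" 20557   # 20557 = 2026-04-14, the date in the page's output
done
```

The locked-only sample reports account=active, which is the state where SSH public-key logins can still succeed.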
Related: How to force logout a user in Linux