On Linux systems, group membership determines access to files, devices, and shared resources. Removing an account from one or more groups reduces exposure when responsibilities change or when temporary access is no longer required. Minimising memberships supports least-privilege security and simplifies permission troubleshooting.
User and group relationships are stored in the /etc/passwd and /etc/group databases, with each account tied to a single primary group and zero or more supplementary groups. Utilities such as getent, groups, and id query these records to show current memberships. Administrative tools like usermod and gpasswd update group assignments safely without direct editing of the underlying files.
Membership changes can remove important privileges or break access to shared directories if critical groups are dropped. Removing an account from high-privilege groups such as sudo or wheel can eliminate administrative access, so a separate recovery account or console path is recommended before making changes. Group changes typically apply to new logins or sessions, so existing shells may need to be closed and reopened to reflect the updated memberships.
Steps to remove a user from a group in Linux:
- Open a terminal with sudo privileges.
$ whoami shakir
- List user accounts to confirm the target username.
$ getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin ##### snipped ##### user:x:1000:1000:user,,,:/home/user:/bin/bash shakir:x:1001:1000:shakir,,,:/home/shakir:/bin/bash
Regular login accounts usually appear toward the end of the listing.
- Show the current groups for the account that needs adjustment.
$ groups shakir shakir : user sudo finance
The first entry after the username is the primary group and the remaining entries are supplementary groups.
- Change the primary group if the account should use a different main group.
$ sudo usermod -g finance shakir
The group finance must exist in /etc/group before assigning it as a primary group.
- Remove the account from a supplementary group that should no longer grant access.
$ sudo gpasswd -d shakir sudo Removing user shakir from group sudo
Dropping an account from privileged groups such as sudo or wheel removes administrative rights for that user and can block local elevation if no other admin account exists.
usermod with the -G option can redefine the entire supplementary group list when many groups must be removed at once.
- Verify the updated group memberships for the account.
$ groups shakir shakir : finance user
Opening a new shell or logging in again ensures that all processes for the account use the updated group set.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
Comment anonymously. Login not required.