TechEarl

How to Add a User to a Group on Linux (usermod -aG)

Add a user to a group with usermod -aG without wiping their existing groups, why the -a matters, and how to confirm membership took effect.

Ishan Karunaratne · 3 min read

Adding a user to a group is a root task and one command. The flags matter more than the command does:

bash
sudo usermod -aG developers deploy
-aG appends developers to the user's groups. groups deploy confirms the new membership.

Never drop the -a

This is the single most important thing on this page. -G sets the user's secondary groups to exactly the list you give. -a makes it append instead of replace.

bash
sudo usermod -aG developers deploy     # CORRECT: adds developers, keeps the rest
sudo usermod -G developers deploy       # DANGER: developers is now their ONLY secondary group

Run the second form and you have just removed deploy from sudo, docker, and every other group it was in. People lock themselves out of sudo this way constantly. Always -aG, never bare -G, unless you genuinely intend to replace the whole list.
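A pre-flight check for the mistake described above, as an added example that is not part of the original article: it reads a file in /etc/group format and lists the secondary groups a bare -G would remove. The function names and the sample group file are constructed for illustration, and treating sudo and wheel as the admin groups is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): preview what
# `usermod -G NEWLIST USER` without -a would remove, before running it.
# Input is a file in /etc/group format: name:password:GID:member1,member2

# Constructed sample data; group names and GIDs are made up for the demo.
sample_group_file() {
    cat <<'EOF'
root:x:0:
sudo:x:27:alice,deploy
docker:x:998:deploy
developers:x:1002:alice
deploy:x:1001:
EOF
}

# groups_dropped_by_G USER NEWLIST [GROUPFILE]
# NEWLIST is the comma-separated value that would be passed to -G.
# Prints each secondary group USER has now that is missing from NEWLIST.
groups_dropped_by_G() {
    awk -F: -v u="$1" -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)      # exact match, so deploy != deploy2
                if (m[i] == u && !($1 in want)) { print $1; break }
        }' "${3:-/etc/group}"
}

# would_lose_admin USER NEWLIST [GROUPFILE]
# Succeeds (exit 0) if the change would drop sudo or wheel membership.
would_lose_admin() {
    groups_dropped_by_G "$@" | grep -Eqx 'sudo|wheel'
}

# Demo on the constructed file: the bare -G form from the article.
tmp=$(mktemp)
sample_group_file > "$tmp"
echo "usermod -G developers deploy would drop:"
groups_dropped_by_G deploy developers "$tmp"
if would_lose_admin deploy developers "$tmp"; then
    echo "WARNING: deploy would lose admin group membership"
fi
rm -f "$tmp"
```

Without a third argument the functions read /etc/group, which covers local groups only.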

Verify it, and know about the login catch

bash
groups deploy        # what the system says deploy is in
id deploy            # same, with UIDs/GIDs

The catch: group membership is read at login. A user already logged in does not gain the new group in their current session. They must log out and back in. To pick it up without logging out, start a new shell with the group active:

bash
newgrp developers

For your own session you may also need a fresh login for things like Docker socket access to work.

The gpasswd alternative

gpasswd operates from the group's side and is handy in scripts:

bash
sudo gpasswd -a deploy developers      # add deploy to developers
sudo gpasswd -d deploy developers      # remove deploy from developers

gpasswd -a is equivalent to usermod -aG for a single group, and gpasswd -d is the clean way to remove someone from a group, which usermod cannot do directly.
