This article introduces practical methods for querying user information in Linux systems, focusing on command-line tools for obtaining user account details, login information, and user activity status. To create a new user, you can use the <span>useradd</span> command; to modify existing user attributes, you need to call the <span>usermod</span> command via the command line.
The command directory index table is as follows:
| Index | Command Name | Function Description |
|---|---|---|
| 1 | id | Displays user and group IDs |
| 2 | groups | View user group memberships |
| 3 | finger | Displays user information |
| 4 | getent | Extract user information from system databases |
| 5 | grep | File pattern matching search |
| 6 | lslogins | Displays Linux user information |
| 7 | users | Lists currently logged-in users |
| 8 | who | Displays current logged-in user information |
| 9 | w | Shows logged-in user activity status |
| 10 | last | Displays recent login sessions |
| 11 | lastb | View failed login attempts |
| 12 | lastlog | Lists user login information |
Below are the details:
1. id command – Displays user and group IDs
<span>id</span> is a concise command-line tool used to display the real ID (UID), effective ID, and group ID (GID) of the current user or a specified user.
[admin@FileServer2021 ~]$ id admin
uid=1002(admin) gid=1002(admin) groups=1002(admin),10(wheel)
[admin@FileServer2021 ~]$
2. groups command – View user group memberships
<span>groups</span> command is used to display the group memberships of a user, listing all groups the user belongs to (including primary and supplementary groups).
[admin@FileServer2021 ~]$ groups admin
admin : admin wheel
[admin@FileServer2021 ~]$
3. finger command – Displays user information
<span>finger</span> command can query detailed information about Linux users, including login name, real name, terminal device, idle time, login time, and other key data.
<span>finger</span> command is not pre-installed on many Linux distributions and needs to be installed using the default package manager as follows:
$ sudo apt install finger [Debian/Ubuntu/Mint systems]
$ sudo yum install finger [RHEL/CentOS/Fedora/Rocky/AlmaLinux]
$ sudo emerge -a sys-apps/finger [Gentoo Linux]
$ sudo apk add finger [Alpine Linux]
$ sudo pacman -S finger [Arch Linux]
$ sudo zypper install finger [OpenSUSE]
Execution example:
[admin@FileServer2021 ~]$ finger admin
Login: admin Name: admin
Directory: /home/admin Shell: /bin/bash
On since Tue May 6 09:17 (CST) on pts/0 from 1*3.183.1*8.101
2 seconds idle
No mail.
No Plan.
admin@FileServer2021 ~]$
Note:
<span>finger</span>may be considered an outdated tool in some modern Linux distributions and has been replaced by other tools such as<span>whois</span>or more modern alternatives (like using LDAP queries). In some cases, other commands (such as<span>who</span>,<span>w</span>, or<span>last</span>) may be needed to obtain user information.
4. getent command – Extract user information from system databases
<span>getent</span> command is used to retrieve information from various databases (including system user and group databases). It can be used to retrieve information about users, groups, hosts, networks, protocols, and other system entities stored in database files (such as <span>/etc/passwd</span>, <span>/etc/group</span>, <span>/etc/hosts</span>, etc.).
The syntax for querying user account details is as follows:
[admin@FileServer2021 ~]$ getent passwd admin
admin:x:1002:1002::/home/admin:/bin/bash
[admin@FileServer2021 ~]$ getent group admin
admin:x:1002:
[admin@FileServer2021 ~]$
5. grep command – File pattern matching search
<span>grep</span> (Global Regular Expression Print) is a powerful text search tool that can be used to retrieve specific users from <span>/etc/passwd</span> as follows:
[admin@FileServer2021 ~]$ grep -i admin /etc/passwd
bdhadmin:x:1001:1001::/home/bndhadmin:/sbin/nologin
admin:x:1002:1002::/home/admin:/bin/bash
[admin@FileServer2021 ~]$
6. lslogins command – Displays Linux user information
This command displays detailed information about known users in the system, including UID, GID, home directory, shell type, last login time, etc., depending on the options used and system configuration.
[admin@FileServer2021 ~]$ lslogins -u admin
Username: admin
UID: 1002
Gecos field:
Home directory: /home/admin
Shell: /bin/bash
Cannot login: no
Primary group: admin
GID: 1002
Supplementary groups: wheel
Supplementary group ID: 10
Last login: 08:35
Last terminal: pts/1
Last hostname: 191.129.11.24
Silent: no
Running processes: 5
Last logs:
09:14 sudo[119919]: admin : TTY=pts/1 ; PWD=/data/mysoft ; USER=root ; COMMAND=/bin/yum install finger
09:14 sudo[119919]: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1002)
09:14 sudo[119919]: pam_unix(sudo:session): session closed for user root
[admin@FileServer2021 ~]$ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 196 08:35 root
1001 bdhadmin 0
1002 admin 5 08:35
[admin@FileServer2021 ~]$
7. users command – Lists currently logged-in users
This command simply displays the list of currently logged-in users on the system:
[admin@FileServer2021 ~]$ users
admin
[admin@FileServer2021 ~]$
8. who command – Displays current logged-in user information
<span>who</span> command provides detailed information about logged-in users, including username, terminal device, login time, and originating host:
[admin@FileServer2021 ~]$ who
admin pts/1 2025-05-06 08:35 (191.129.11.24)
[admin@FileServer2021 ~]$ who -u
admin pts/1 2025-05-06 08:35 . 15816 (191.129.11.24)
[admin@FileServer2021 ~]$
9. w command – Shows logged-in user activity status
<span>w</span> command provides a comprehensive summary of logged-in user activity, including session information, CPU time usage, and current processes:
[admin@FileServer2021 ~]$ w
09:41:53 up 10 days, 17:29, 1 user, load average: 0.01, 0.01, 0.03
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
admin pts/1 08:35 0.00s 0.08s 0.00s w
[admin@FileServer2021 ~]$
10. last command – Displays recent login sessions
This command lists historical login records, including user login times, terminal devices, and originating IP:
[admin@FileServer2021 ~]$ last
admin pts/1 191.129.11.24 Tue May 6 08:35 still logged in
root pts/0 191.129.11.24 Tue May 6 08:35 - 09:38 (01:02)
root pts/0 191.129.11.24 Sun Apr 27 17:26 - 17:30 (00:03)
root pts/0 191.129.11.24 Sat Apr 26 09:44 - 17:18 (07:34)
reboot system boot 5.14.0-503.14.1. Fri Apr 25 16:12 still running
root pts/2 191.129.11.24 Fri Apr 25 14:13 - 16:11 (01:57)
root pts/1 191.129.11.24 Fri Apr 25 10:32 - 16:11 (05:39)
root tty2 tty2 Fri Apr 25 10:26 - down (05:44)
root seat0 login screen Fri Apr 25 10:26 - down (05:44)
reboot system boot 5.14.0-503.14.1. Fri Apr 25 10:03 - 16:11 (06:08)
root pts/1 191.129.11.24 Fri Apr 25 09:45 - 10:02 (00:16)
root tty2 tty2 Thu Apr 24 13:45 - down (20:16)
root seat0 login screen Thu Apr 24 13:45 - down (20:16)
reboot system boot 5.14.0-503.14.1. Thu Apr 24 13:42 - 10:02 (20:19)
wtmp begins Thu Apr 24 13:42:23 2025
[admin@FileServer2021 ~]$
View online users at a specific point in time:
[admin@FileServer2021 ~]$ last -ap now
admin pts/1 Tue May 6 08:35 still logged in 191.129.11.24
reboot system boot Fri Apr 25 16:12 still running 5.14.0-503.14.1.el9_5.x86_64
wtmp begins Thu Apr 24 13:42:23 2025
[admin@FileServer2021 ~]$
11. lastb command – View failed login attempts
This command reads the <span>/var/log/btmp</span> log and displays the most recent failed login records:
[admin@FileServer2021 ~]$ sudo lastb
moonrong ssh:notty 191.129.11.24 Tue May 6 09:48 - 09:48 (00:00)
moonrong ssh:notty 191.129.11.24 Tue May 6 09:48 - 09:48 (00:00)
moonrong ssh:notty 191.129.11.24 Tue May 6 09:48 - 09:48 (00:00)
btmp begins Tue May 6 09:48:21 2025
[admin@FileServer2021 ~]$
12. lastlog command – Lists user login information
This command displays the last login time and location for all users/specified users. Execute <span>lastlog</span> or <span>lastlog -u username</span>:
[admin@FileServer2021 ~]$ lastlog
Username Port From Latest
root pts/0 191.129.11.24 Tue May 6 08:35:29 +0800 2025
daemon **Never logged in**
ftp **Never logged in**
dbus **Never logged in**
polkitd **Never logged in**
sssd **Never logged in**
colord **Never logged in**
clevis **Never logged in**
setroubleshoot **Never logged in**
gdm tty1 Fri Apr 25 16:12:22 +0800 2025
stapunpriv **Never logged in**
gnome-initial-setup **Never logged in**
pesign **Never logged in**
chrony **Never logged in**
sshd **Never logged in**
dnsmasq **Never logged in**
tcpdump **Never logged in**
bdhadmin **Never logged in**
admin pts/1 191.129.11.24 Tue May 6 08:35:55 +0800 2025
==========================================
[admin@FileServer2021 ~]$ lastlog -u admin
Username Port From Latest
admin pts/1 191.129.11.24 Tue May 6 08:35:55 +0800 2025
[admin@FileServer2021 ~]$
# Summary of this article
The above introduced 12 Linux commands for querying user account information, login records, and system activity monitoring. These commands can help administrators efficiently manage user permissions, troubleshoot security issues, and monitor system access.
1) Core Function Classification
| Category | Related Commands | Main Uses |
|---|---|---|
| User Identity Query | <span>id</span>, <span>groups</span>, <span>finger</span>, <span>getent</span>, <span>grep</span>, <span>lslogins</span> |
View UID/GID, user groups, account details |
| Logged-in User Monitoring | <span>users</span>, <span>who</span>, <span>w</span> |
Display current active sessions |
| Login History Analysis | <span>last</span>, <span>lastb</span>, <span>lastlog</span> |
Audit login records, failed attempts |
2) Key Command Comparisons
| Command | Advantages | Typical Use Cases |
|---|---|---|
<span>id</span> |
Quickly obtain UID/GID | Permission verification, script writing |
<span>getent</span> |
Supports multi-database queries (users, groups, hosts, etc.) | Cross-system user management |
<span>w</span> |
Displays user activity + system load | Real-time server monitoring |
<span>lastb</span> |
Records failed login attempts | Security auditing, intrusion detection |
<span>lastlog</span> |
Summarizes the last login time of all users | Cleaning up idle accounts |
3) Best Practice Recommendations
- Daily Management: Prioritize using
<span>id</span>,<span>groups</span>,<span>w</span>to quickly obtain basic information. - Security Auditing: Combine
<span>last</span>and<span>lastb</span>to regularly check for abnormal login behavior. - Compatibility: If
<span>finger</span>is unavailable (e.g., Rocky Linux), use<span>getent passwd</span>+<span>grep</span>as a substitute. - Script Automation:
<span>getent</span>and<span>grep</span>are more suitable for embedding in scripts due to their standardized output format.
Mastering these commands will enable efficient management of Linux users, troubleshooting login issues, and enhancing system security.
