Mastering User & Group Management with Ansible : A Practical Guide for RHCE Aspirants

Published On: 1 July 2025

Objective

If you've been working in Linux system administration, you've likely spent time creating users, managing groups, setting permissions, and configuring environments. These tasks are fundamental — especially for those preparing for the Red Hat Certified Engineer (RHCE) exam. But what if you could make these repetitive tasks faster, more consistent, and scalable?

This blog explores how Ansible — a powerful automation tool — can transform the way RHCE candidates manage users and groups. Whether you're managing a lab or production servers, automation reduces errors and boosts efficiency, helping you practice smarter and prepare better for EX200.

What You’ll Learn :

  • Help RHCE candidates and Linux admins simplify and scale user/group management using Ansible.

  • Share practical Ansible playbooks for creating, modifying, and deleting users and groups.

  • Showcase real-world use cases and best practices that go beyond manual administration.

  • Encourage incorporating automation into RHCE lab practice to build consistency, reliability, and real-world readiness — even though Ansible isn’t directly tested in EX200.

What is Ansible ?

Ansible is a simple, agentless automation tool that uses YAML-based playbooks to describe the desired state of your systems. It works over SSH and doesn’t require a special agent on the managed nodes. It’s a huge plus for most system administrators.

To get started, you need:

  • A control node (your main admin machine)

  • One or more managed nodes (target systems)

  • SSH access and sudo privileges

Once you’ve got that set up, automating user and group management is just a matter of writing and running the right playbooks.

To know more about ansible read our blog Ansible for Beginners

Why Automate User and Group Management?

Manual user management is fine when you're dealing with one or two systems. But as soon as your environment scales, manually creating accounts, assigning them to groups, and setting permissions becomes tedious and error-prone.

Here are a few pain points you may recognize:

  • Forgetting to add users to specific groups

  • Setting inconsistent password policies

  • Creating users with different home directory structures

  • Having no reproducible record of user management changes

With Ansible, these challenges are solved through automation that is repeatable, scalable, and error-resistant. This not only saves time but ensures a uniform configuration across all systems — a must-have for RHCE candidates working with multiple lab nodes or production-like setups.

So, how do we start applying this in practice? Let’s begin by automating one of the most fundamental tasks: creating user groups.

Example 1: Automating Group Creation with Ansible

Let’s say you need to create standard groups like dev, qa, and ops across multiple systems. Instead of logging into each server manually, you can define the groups once in an Ansible playbook and push it to all nodes:
Here’s a sample playbook:


---
- name: Create standard groups         # Descriptive name for the play (not a command, just a label)
  hosts: all             # Target all hosts defined in your inventory file
  become: true              # Run tasks with elevated (sudo) privileges
  tasks:               # Start defining a list of tasks
    - name: Ensure groups exist       # Label for this specific task
      group:       # Use the Ansible 'group' module to manage system groups
        name: "{{ item }}"           # Set the name of the group to the current item in the loop
        state: present       # Ensure the group exists; create it if it doesn’t
      loop:        # Loop over each item in the list below
        - dev      # First group name
        - qa       # Second group name
        - ops      # Third group name

Example 2: Automating User Creation with Group Assignments

Imagine you want to create a user named Jane, set a default password, assign her to the dev group, and ensure her account is set up exactly the same way everywhere.

Here’s a sample playbook:


---
- name: Create users with group assignments        # Name/description of the play
  hosts: all              # Apply this playbook to all hosts in the inventory
  become: true             # Use sudo to run tasks with elevated privileges
  vars:               # Define variables used in the play
    users:            # A list of user dictionaries
      - name: jane       # Username to be created
      password: "$6$randomsalt$G7k1Xnklz..."        # Hashed password (use `openssl passwd -6` to generate)
        groups: dev    # Primary group or additional groups
        shell: /bin/bash            # Login shell for the user
  tasks:               # List of tasks to perform
    - name: Ensure user exists      # Description of the task
      user:          # Use the Ansible 'user' module
        name: "{{ item.name }}"                     # Set the username from the 'users' list
        password: "{{ item.password}}"      # Set the hashed password
        groups: "{{ item.groups}}"          # Assign user to group(s)
        shell: "{{ item.shell}}"            # Set the login shell
        state: present       # Ensure the user is created (present on the system)
        create_home: yes   # Create a home directory if it doesn't exist
      loop: "{{ users }}"     # Loop through each user in the 'users' list

A few notes:

  • The password is hashed using SHA-512 (you can generate it using openssl passwd -6).

  • The playbook creates a home directory and assigns the proper shell.

  • You can scale this easily by adding more user definitions in the users list.

Example 3: Creating Multiple Users with Different Settings

If you're managing a team, each user might have different roles. Ansible’s flexibility makes this easy:


vars:                    # Define variables that can be used throughout the playbook
  users:               # Create a list variable named 'users'
    - name: alice          # First user's username is 'alice'
      password: "$6$somehash"     #Hashed password for alice (use `openssl passwd -6` to generate securely)
      groups: qa        # Assign alice to the 'qa' group
      shell: /bin/bash      # Set alice's login  shell to bash
    - name: bob          # Second user's username is 'bob'
      password: "$6$anotherhash"   # Hashed password for bob
      groups: ops       # Assign bob to the 'ops' group
      shell: /sbin/nologin   # Set bob's shell to 'nologin' (used to disable shell access for service etc.)

When this playbook runs, each user will be created with unique attributes, and because it's declarative, you can re-run it anytime to ensure everything remains consistent.

Example 4: Adding Users to Multiple Groups

You may need to add a user to more than one group. Here’s how:


- name: Add user to multiple groups     # Descriptive name of the task (not a command, just for clarity)
  user:              # Use the Ansible 'user' module to manage a user account
    name: chris          # Specify the username to manage (in this case, 'chris')
    groups: "dev,qa"         # Add the user to both 'dev' and 'qa' groups (comma-separated)
    append: yes          # Ensure these groups are added to existing group memberships instead of replacing them

The key here is append: yes — without it, Ansible would overwrite the user’s existing groups. With it, you’re simply adding to the list.

Example 5: Clean-Up and Deletion

Need to remove a user from a system entirely? No problem.


- name: Remove user account             # Description of the task
  user:               # Use Ansible's 'user' module to manage user accounts
    name: testuser         # Specify the username to be removed (in this case, 'testuser')
    state: absent         # Ensure the user is removed from the system
    remove: yes         # Also delete the user's home directory and mail spool

This not only deletes the user but also removes their home directory and mail spool.

 Troubleshooting Tips: Avoiding Common Pitfalls

As you begin automating user and group management, you might hit a few snags. Here’s how to avoid the most common ones:

  • Password Issues: Always use a hashed password generated with openssl passwd -6. Plaintext passwords won't work and can fail silently.

  • Group Assignment Errors: Ensure the group exists before assigning a user to it. Ansible won’t automatically create missing groups unless explicitly told to.

  • Permission Denied Errors: Make sure the user running the playbook has sudo privileges on the managed nodes. If needed, add become: true in both the play and tasks.

  • Missing Home Directories: Use create_home: yes in the user module to make sure users get their home directories created automatically.

These minor issues can be frustrating, but once resolved, your playbooks become bulletproof and safe to re-run as often as needed.

Explore Hands-On Practice: RHCE Lab on User Account Management

Reading about automation is one thing — applying it is where real learning happens. To solidify your skills, try our interactive RHCE user management lab:

🔗 Try the RHCE User Account Management Lab

This lab walks you through real-world RHCE-style scenarios using automation principles covered in this post. It’s tailored to EX200 prep and ideal for building repeatable, test-ready workflows.

Conclusion

Ansible isn't just a time-saver — it’s a skill-scaler. By turning user and group management into automated, reusable playbooks, you lay the foundation for modern infrastructure management. These small automations become even more valuable as your environment grows.

Even though Ansible isn’t on the EX200 directly, incorporating it into your RHCE practice gives you:

  • Cleaner lab setups

  • Consistent testing conditions

  • Time back to focus on core Linux skills

  • Readiness for higher-level exams like EX294

So start now. Write small playbooks. Automate one thing at a time. You'll be amazed how quickly it becomes second nature — and how much more efficient your admin work becomes.