Configuring Users and Permissions on Linux and Windows: A Complete Guide

Setting up users and permissions correctly is crucial for system security and management. Whether you’re configuring a Linux server or a Windows workstation, understanding user management and access control is a fundamental skill for any system administrator or developer.

In this comprehensive guide, we’ll walk through the essential steps for configuring users and permissions on both Linux and Windows systems from scratch.

Table of Contents

  • Linux User Configuration
  • Windows User Configuration
  • Best Practices

Linux User Configuration

Creating Users

Adding a New User

The useradd command creates a new user account:

# Basic user creation
sudo useradd username

# Create user with home directory
sudo useradd -m username

# Create user with specific shell
sudo useradd -m -s /bin/bash username

# Create user with additional options
sudo useradd -m -c "Full Name" -s /bin/bash username

Note: On Ubuntu/Debian systems, adduser provides a more interactive approach:

sudo adduser username

Setting User Password

sudo passwd username

Configuring Admin Privileges

Adding User to Sudo Group

# On Ubuntu/Debian
sudo usermod -aG sudo username

# On CentOS/RHEL/Fedora
sudo usermod -aG wheel username

Editing Sudoers File

For more granular control, edit the sudoers file:

sudo visudo

Add specific permissions:

# Allow user to run all commands
username ALL=(ALL:ALL) ALL

# Allow user to run specific commands without password
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/sbin/reboot

# Allow user to run commands as specific user
username ALL=(otheruser) ALL

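Important: Always use visudo to edit the sudoers file; it checks the syntax before saving, which prevents errors that could lock you out. Keep NOPASSWD entries as narrow as possible: a rule that names a whole binary such as systemctl lets the user run any of its subcommands as root without a password.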

Configuring SSH Access

Setting Up SSH Keys

  1. On the client machine, generate an SSH key pair:

ssh-keygen -t ed25519 -C "your_email@example.com"

  2. Copy the public key to the server:

ssh-copy-id username@server_ip

Or manually:

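# Create ~/.ssh if needed, append the key, and restrict both to the owner
cat ~/.ssh/id_ed25519.pub | ssh username@server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"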

Securing SSH Configuration

Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Recommended security settings:

# Disable root login
PermitRootLogin no

# Disable password authentication (use keys only)
PasswordAuthentication no
PubkeyAuthentication yes

# Only allow specific users
AllowUsers username1 username2

# Change default port (optional)
Port 2222

# Disable empty passwords
PermitEmptyPasswords no

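Restart the SSH service (the unit is named ssh on Debian/Ubuntu). Keep your current session open until you have confirmed that a new key-based login works: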

sudo systemctl restart sshd
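Before restarting, it helps to check which values sshd will actually use. The script below is an added example, not part of the original guide: the function names and the sample config are constructed for illustration, and it audits a config file against the recommended settings above, taking into account that sshd honours only the first occurrence of a keyword.

```sh
#!/bin/sh
# Added example: audit an sshd_config-style file against the settings above.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and an absent keyword falls back to the OpenSSH built-in default.
# Not handled here: Include files, "key=value" syntax, Match-block overrides.

# effective_value FILE KEYWORD DEFAULT -> value from the global section
effective_value() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }           # blank lines and comments
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) {           # first occurrence wins
            $1 = ""; sub(/^ +/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> PASS/FAIL line per setting; returns 1 if any check fails
audit_sshd() {
    rc=0
    while read -r key want def; do
        got=$(effective_value "$1" "$key" "$def" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; rc=1
        fi
    done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
PermitEmptyPasswords no no
EOF
    if [ -z "$(effective_value "$1" AllowUsers "")" ]; then
        echo "FAIL AllowUsers not set (any account may attempt to log in)"; rc=1
    fi
    return $rc
}

# Constructed sample config (not from a real host). The second
# PasswordAuthentication line is ignored because the first one wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "audit failed for $sample"
```

On a live host, sudo sshd -t validates the file's syntax before the restart, and sudo sshd -T prints the effective configuration, including Include files that this script does not follow.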

Managing File Permissions

Understanding Linux Permissions

Linux uses three permission types:

  • r (read) = 4
  • w (write) = 2
  • x (execute) = 1

For three user categories:

  • Owner
  • Group
  • Others

Setting Permissions

# Numeric method
chmod 755 filename  # rwxr-xr-x
chmod 644 filename  # rw-r--r--
chmod 600 filename  # rw-------

# Symbolic method
chmod u+x filename    # Add execute for owner
chmod g-w filename    # Remove write for group
chmod o=r filename    # Set read-only for others
chmod a+r filename    # Add read for all

Changing Ownership

# Change owner
sudo chown username filename

# Change owner and group
sudo chown username:groupname filename

# Recursive for directories
sudo chown -R username:groupname /path/to/directory

User Groups Management

Creating Groups

sudo groupadd developers

Adding Users to Groups

# Add user to group
sudo usermod -aG groupname username

# Add user to multiple groups
sudo usermod -aG group1,group2,group3 username

# View user's groups
groups username
id username

Setting Group Permissions

# Change group ownership
sudo chgrp developers /opt/project

# Set group permissions with setgid
chmod g+s /opt/project

Note: The setgid bit ensures new files inherit the directory’s group.
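To verify a shared directory after applying the steps above, the following added example (not part of the original guide) reads a mode listing and flags entries that break the intended setup. The function name, the developers group and the listing itself are constructed for illustration.

```sh
#!/bin/sh
# Added example: review a shared group directory such as /opt/project.
# audit_modes GROUP reads "MODE OWNER GROUP PATH" lines on stdin, where MODE is
# the 10-character string ls shows: type, then rwx for Owner, Group, Others.
# On a live system with GNU find: find /opt/project -printf '%M %u %g %p\n'

audit_modes() {
    awk -v grp="$1" '
        {
            mode = $1
            path = $0; sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)  # keep spaces in names
            # w in the Others write slot (char 9): anyone on the system can modify it.
            if (substr(mode, 9, 1) == "w")
                print "WORLD-WRITABLE " path
            # s/S in the Owner execute slot (char 4) means setuid.
            if (substr(mode, 4, 1) ~ /[sS]/)
                print "SETUID " path
            if ($3 != grp)
                print "WRONG-GROUP " path " (" $3 ")"
            # s/S in the Group execute slot (char 7) means setgid.
            if (substr(mode, 1, 1) == "d" && substr(mode, 7, 1) !~ /[sS]/)
                print "NO-SETGID " path
        }'
}

# Constructed listing (not from a real host). "build" stands for a directory
# moved in with mv: setgid only applies to entries created inside the
# directory, so moved-in entries keep their own group and mode.
sample_listing() {
    cat <<'EOF'
drwxrws--- alice developers /opt/project
-rw-rw---- alice developers /opt/project/README
drwxrwx--- bob bob /opt/project/build
-rw-rw-rw- bob developers /opt/project/notes.txt
-rwsr-xr-x root developers /opt/project/helper
EOF
}

sample_listing | audit_modes developers
```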

Windows User Configuration

Creating Users

Using GUI (Settings)

  1. Open Settings → Accounts → Family & other users
  2. Click Add someone else to this PC
  3. Choose I don’t have this person’s sign-in information
  4. Select Add a user without a Microsoft account
  5. Enter username and password

Using Command Prompt

REM Create a new user (use * in place of the password to be prompted, which keeps it off the command line)
net user username password /add

REM Create user with full name
net user username password /add /fullname:"John Doe"

Using PowerShell

# Create a secure credential
$Password = Read-Host -AsSecureString "Enter Password"
New-LocalUser "username" -Password $Password -FullName "Full Name" -Description "User Description"

# Create user with specific options
New-LocalUser -Name "username" -Password $Password -PasswordNeverExpires:$false -UserMayNotChangePassword:$false

Setting Admin Privileges

Using Command Prompt

REM Add user to Administrators group
net localgroup Administrators username /add

REM Add user to other groups
net localgroup "Remote Desktop Users" username /add
net localgroup "Power Users" username /add

Using PowerShell

# Add user to Administrators group
Add-LocalGroupMember -Group "Administrators" -Member "username"

# Add user to multiple groups
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "username"
Add-LocalGroupMember -Group "Power Users" -Member "username"

Viewing User Groups

net user username

Or in PowerShell:

Get-LocalGroupMember -Group "Administrators"

Configuring Remote Desktop Protocol (RDP)

Enabling RDP

Via GUI:

  1. Open Settings → System → Remote Desktop
  2. Toggle Enable Remote Desktop to On

Via Command Prompt (as Administrator):

REM Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

REM Enable RDP through firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Via PowerShell:

# Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Enable firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Adding Users to RDP Access

net localgroup "Remote Desktop Users" username /add

Securing RDP

  1. Change default port (optional):

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value 3390

  2. Enable Network Level Authentication (NLA):

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

  3. Limit RDP access to specific users (done via Remote Desktop Users group)

Managing Permissions and User Groups

Creating User Groups

Using Command Prompt:

net localgroup "Developers" /add /comment:"Development Team"

Using PowerShell:

New-LocalGroup -Name "Developers" -Description "Development Team"

Adding Users to Groups

net localgroup "Developers" username /add

Or PowerShell:

Add-LocalGroupMember -Group "Developers" -Member "username"

File and Folder Permissions

Using GUI:

  1. Right-click file/folder → Properties → Security tab
  2. Click Edit → Add to add users/groups
  3. Set permissions (Read, Write, Modify, Full Control)

Using Command Prompt (icacls):

REM Grant read permission
icacls "C:\Path\To\File" /grant username:R

REM Grant modify permission
icacls "C:\Path\To\Folder" /grant username:M

REM Grant full control
icacls "C:\Path\To\Folder" /grant username:F

REM Remove permissions
icacls "C:\Path\To\File" /remove username

REM Inherit permissions from parent
icacls "C:\Path\To\Folder" /inheritance:e

Using PowerShell:

# Get current ACL
$acl = Get-Acl "C:\Path\To\Folder"

# Create new access rule
$permission = "username","FullControl","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

# Add the rule
$acl.SetAccessRule($accessRule)
Set-Acl "C:\Path\To\Folder" $acl

Common Permission Levels

  • Full Control: Complete access to modify, read, write, and delete
  • Modify: Read, write, and delete (cannot change permissions)
  • Read & Execute: View and run files
  • Read: View files only
  • Write: Create new files and modify existing ones

Best Practices

Linux Best Practices

  1. Use strong passwords or better yet, SSH keys only
  2. Follow principle of least privilege – grant minimum necessary permissions
  3. Disable root SSH access – use sudo instead
  4. Regularly audit user accounts and remove unused accounts
  5. Use fail2ban to protect against brute force attacks
  6. Keep groups organized – create groups for different roles/projects
  7. Set appropriate umask values (e.g., 027 or 077)
  8. Monitor sudo usage via logs in /var/log/auth.log
  9. Use SSH key passphrase for additional security
  10. Implement two-factor authentication for SSH when possible
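
For the account audit and least-privilege items above, a review can start from the passwd and group files themselves. This is an added example, not part of the original guide: the function name and the sample accounts are constructed, and it lists extra UID 0 accounts, accounts with a usable shell, and everyone who holds sudo or wheel membership, including through their primary group.

```sh
#!/bin/sh
# Added example: review accounts using passwd(5)/group(5)-format files.
# audit_accounts [PASSWD] [GROUP] -> one finding per line

audit_accounts() {
    passwd=${1:-/etc/passwd}; group=${2:-/etc/group}
    # Any extra UID 0 account is a full root equivalent.
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$passwd"
    # Accounts with a usable shell; an empty shell field means /bin/sh.
    awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ {
        print "LOGIN " $1 " " ($7 == "" ? "/bin/sh" : $7) }' "$passwd"
    # Admin rights through sudo/wheel: listed members first, then users whose
    # PRIMARY group is an admin group (they are not listed in the group file).
    awk -F: '
        FILENAME == ARGV[1] {
            if ($1 == "sudo" || $1 == "wheel") {
                gid[$3] = $1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) print "ADMIN " m[i] " via " $1
            }
            next
        }
        $4 in gid { print "ADMIN " $1 " via " gid[$4] " (primary group)" }
    ' "$group" "$passwd"
}

# Constructed sample data (not from a real host).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
svc-backup:x:998:998::/var/lib/backup:/bin/false
EOF
cat > "$demo/group" <<'EOF'
root:x:0:
sudo:x:27:alice
developers:x:1002:alice,bob
EOF
audit_accounts "$demo/passwd" "$demo/group"
```

Called without arguments, audit_accounts reads /etc/passwd and /etc/group on the local system.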

Windows Best Practices

  1. Use complex passwords that meet Windows complexity requirements
  2. Enable User Account Control (UAC) for elevation prompts
  3. Limit Administrator group membership – use standard accounts for daily tasks
  4. Enable Windows Firewall and configure RDP access rules
  5. Use Network Level Authentication (NLA) for RDP
  6. Regularly review group memberships and permissions
  7. Implement account lockout policies to prevent brute force
  8. Use Group Policy for centralized user management in domain environments
  9. Enable audit logging for user activities
  10. Consider using Microsoft accounts for additional security features

Universal Best Practices

  1. Document your user and permission structure
  2. Implement regular password rotation policies
  3. Use descriptive usernames and group names
  4. Test permissions before deploying to production
  5. Back up user configurations and permission settings
  6. Train users on security practices
  7. Implement monitoring and alerting for suspicious activities
  8. Use multi-factor authentication wherever possible
  9. Separate duties – avoid single points of failure
  10. Keep systems updated with security patches

Conclusion

Proper user and permission management is the foundation of system security. While Linux and Windows take different approaches, both systems provide robust tools for creating users, assigning privileges, and managing access control.

Key takeaways:

  • Linux relies heavily on file permissions, groups, and sudo for privilege escalation, with SSH being the standard for remote access
  • Windows uses a more GUI-centric approach with robust command-line alternatives, utilizing user groups and ACLs for fine-grained control
  • Both systems benefit from following security best practices, including least privilege principles, strong authentication, and regular auditing

By following the steps outlined in this guide, you’ll be well-equipped to configure secure, well-organized user environments on both platforms.
