How to Add a New User to Sudoers on Ubuntu Linux

Ubuntu keeps routine administration tied to sudo instead of an always-enabled root account, which makes delegated access easier to audit and easier to revoke. If you need to add a new user to sudoers on Ubuntu, the usual path is to create the account, place it in the sudo group, and confirm the new login can run privileged commands.

These steps work on Ubuntu 26.04, 24.04, and 22.04 on both desktop and server installs. The same workflow extends cleanly to custom sudoers rules, recovery options, and fast privilege removal when a role changes.

Add a New User to Sudoers on Ubuntu

On Ubuntu, adding a user to sudoers usually means adding that account to the sudo group. Members of that group inherit Ubuntu’s default (ALL : ALL) ALL rule, so you only need a dedicated file in /etc/sudoers.d/ when you want narrower permissions.

Task	Command	What It Does
Create the account	sudo adduser newadmin	Creates the user, home directory, and password prompt in one workflow.
Grant sudo access	sudo usermod -aG sudo newadmin	Adds the account to the sudo group without stripping other group memberships.
Verify sudo access	groups newadmin sudo -l -U newadmin	Confirms the group membership and shows the sudo rule the user inherits.
Create a custom rule	sudo visudo -f /etc/sudoers.d/newadmin	Opens a separate sudoers file for user-specific policies.
Remove sudo access	sudo gpasswd -d newadmin sudo	Revokes group-based sudo access without deleting the account.

These commands work on Ubuntu 26.04 (Resolute Raccoon), 24.04 (Noble Numbat), and 22.04 (Jammy Jellyfish). Server and desktop installs use the same sudo group model, so the workflow stays the same across all three supported releases.

You need to start from an account that already has sudo rights because Ubuntu keeps the root account locked by default.

Create the New Ubuntu User

Use adduser when you want the standard interactive workflow with password and profile prompts. Replace newadmin with the real account name you want to create.

sudo adduser newadmin

Press Enter for any optional fields you do not need, then confirm with Y when adduser asks whether the information is correct.

Confirm that the account exists before you grant administrator rights.

id newadmin

uid=1001(newadmin) gid=1001(newadmin) groups=1001(newadmin),100(users)

Ubuntu 22.04 often shows only the primary group here, while 24.04 and 26.04 commonly add users by default. The important part is that the user and home directory were created successfully.

Add the Ubuntu User to the sudo Group

On Ubuntu, add a user to the sudo group with usermod. The -aG flags append a supplementary group, so existing memberships stay in place.

sudo usermod -aG sudo newadmin

This is the standard way to promote an existing Ubuntu account because the group membership is what grants the default sudo rule.

Add the User to the sudo Group with adduser on Ubuntu

If you are still working through the interactive account-creation flow, adduser can also append the user to the sudo group.

sudo adduser newadmin sudo

This is convenient when you want a short, linear workflow and do not need the lower-level usermod syntax.

Add the User to the sudo Group with gpasswd on Ubuntu

gpasswd works well in scripts because it only manages group membership and stays idempotent when the user is already present.

sudo gpasswd -a newadmin sudo

Use this option when your automation already revolves around direct group management rather than the broader account tools.

Create and Grant sudo Access with useradd on Ubuntu

Minimal images sometimes skip the friendlier helpers, so useradd remains useful when you want a fully manual workflow.

sudo useradd -m -s /bin/bash newadmin
sudo passwd newadmin
sudo usermod -aG sudo newadmin

This sequence creates the home directory, sets the default shell, prompts for a password, and then grants sudo through the same group-based rule.

Verify sudo Access on Ubuntu

Check both the group membership and the sudo rule before you hand the account to someone else. The -U flag tells sudo -l to inspect another user’s rules without switching into that account first.

groups newadmin
sudo -l -U newadmin

newadmin : newadmin sudo users

User newadmin may run the following commands on ubuntu-26-04:
  (ALL : ALL) ALL

Ubuntu 24.04 and 22.04 also print a Matching Defaults entries block above the final rule line, and some systems omit the optional users group. The important part is that sudo appears in the group list and the final sudo rule grants ALL.

Finish with a fresh login session and a harmless privileged command so the updated membership is active in a real shell.

su - newadmin
sudo whoami

root

Configure Custom sudoers Rules on Ubuntu

Group membership is enough for most administrators, but a dedicated sudoers file makes more sense when one user needs a narrow command set or a passwordless exception.

Always edit sudo policy with visudo. It checks syntax before saving, which is the safest way to avoid locking yourself out of sudo.

If you use NOPASSWD:, keep it limited to commands you trust and audit often.

Open a dedicated file under /etc/sudoers.d/ instead of editing the main /etc/sudoers file directly. The -f flag tells visudo which policy file to open.

sudo visudo -f /etc/sudoers.d/newadmin

A full-access rule for one user looks like this:

newadmin ALL=(ALL:ALL) ALL

After you save the file, run a syntax check before you rely on it.

sudo visudo -cf /etc/sudoers.d/newadmin

/etc/sudoers.d/newadmin: parsed OK

Restrict sudo to Specific Commands on Ubuntu

Limit the rule to exact commands when a user only needs a small slice of administrative access.

webadmin ALL=(ALL:ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx

Use absolute paths so a fake binary earlier in the PATH cannot hijack the rule, and avoid wildcards unless you have tested every edge case.

For read-only automation, add NOPASSWD: ahead of the approved command list and keep the scope narrow.

monitor ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/journalctl -u nginx

Remove sudo Access on Ubuntu

Revoke administrator access by removing the user from the sudo group and deleting any custom rule file you created for that account.

sudo gpasswd -d newadmin sudo
sudo rm -f /etc/sudoers.d/newadmin

Removing user newadmin from group sudo

Verify that the group membership is gone and that sudo denies the account.

groups newadmin
sudo -l -U newadmin

newadmin : newadmin users

User newadmin is not allowed to run sudo on ubuntu-24-04.

Ubuntu 22.04 often shows only the user’s primary group after removal, while 24.04 and 26.04 commonly keep users as an extra group. In every case, sudo should be missing and sudo -l -U should deny access.

Understand sudo vs su on Ubuntu

sudo runs one command with elevated privileges and records which user requested that elevation. su switches the entire shell to another account, usually root.

That difference matters because sudo asks for the calling user’s password and keeps the audit trail tied to that account. Multiple administrators can share the same system without sharing the root password.

su - still has a place for recovery work, but Ubuntu locks the root account by default, so it is not the normal day-to-day path for system administration.

Prepare a Break-Glass Recovery Path on Ubuntu

Across supported Ubuntu releases, the root account starts locked. You can confirm that status before you ever need recovery access.

sudo passwd -S root

root L 2026-02-10 0 99999 7 -1

The second field, L, is the important part because it means the account is locked. If you need a temporary recovery password or want the full reset workflow, use the guide to change or reset the root password on Ubuntu instead of improvising during an outage.

Test your cloud console, hypervisor console, or other out-of-band access before you need it. Recovery mode is much less stressful when you already know how to reach it.

Best Practices for sudo Access on Ubuntu

Grant sudo only to named user accounts that actually need it, and remove access as soon as the task or role ends. That keeps your audit trail clear and limits privilege creep.

When you create custom rules, prefer exact command paths over broad patterns and keep NOPASSWD: reserved for low-risk automation. A short allowlist is easier to reason about than a convenient wildcard that quietly grows into full root access.

For remote administration, pair sudo with a hardened access path. Use the guide to install SSH on Ubuntu if the system does not already expose secure remote logins. Then configure UFW firewall on Ubuntu so privileged access stays reachable without staying wide open.

Troubleshoot sudo Access on Ubuntu

These are the failure states most administrators hit when they add or edit sudo access on Ubuntu.

Fix “User Is Not in the sudoers File” on Ubuntu

This error usually means the account never joined the sudo group, or the user is still running an old session that has not picked up the new membership.

testuser is not in the sudoers file. This incident will be reported.

Start by checking the user’s current group list from an account that already has sudo access.

groups testuser

testuser : testuser

If sudo is missing, add the user to the correct group and then start a fresh login session.

sudo usermod -aG sudo testuser

Verify the fix from the user’s new session.

su - testuser
sudo whoami

root

Refresh Group Membership After Adding sudo on Ubuntu

Adding a user to the sudo group does not retroactively update shells that were already open.

groups

testuser

Open a new login shell, or start a new SSH session, and then check again.

su - testuser
groups

testuser sudo

Some systems also show users after the new login. What matters is that sudo appears in the refreshed session. newgrp sudo changes the current shell’s primary group, but it is not a replacement for a real new login when you are testing sudo access.

Fix sudoers Syntax Errors on Ubuntu

Validate the file first when a custom rule stops working. That is faster and safer than guessing inside the editor.

sudo visudo -cf /etc/sudoers.d/webadmin

/etc/sudoers.d/webadmin:1:19: expecting ')' but found 'A'
webadmin ALL=(ALL ALL) /usr/bin/systemctl
          ^
/etc/sudoers.d/webadmin:1:19: syntax error: expecting ')' but found 'A'
webadmin ALL=(ALL ALL) /usr/bin/systemctl
          ^
visudo: invalid sudoers file

Reopen the file with visudo, fix the syntax, and rerun the same visudo -cf check until it parses cleanly.

sudo visudo -f /etc/sudoers.d/webadmin

Recover from Broken sudo Access on Ubuntu

If you remove your own sudo access or save a broken policy file, you need console access because SSH alone may not be enough to recover the machine.

Boot into the recovery entry from GRUB, choose the root shell, and remount the filesystem read-write before you start fixing accounts or files.

mount -o remount,rw /

Add your administrator account back to the sudo group if the membership was removed.

usermod -aG sudo yourusername

If the problem came from a broken file under /etc/sudoers.d/, open that file directly and repair or remove it.

visudo -f /etc/sudoers.d/problematic-file

Reboot into the normal system after the fix, then confirm sudo works before you close the console.

reboot

sudo whoami

root

Ubuntu sudoers FAQ

Conclusion

A new user now has sudo access on Ubuntu through the standard sudo group workflow, and dedicated rule files are ready when you need narrower command access. For remote administration, finish by hardening SSH, limiting inbound access, and keeping your break-glass recovery path documented before you actually need it.