Ubuntu

How to Add a New User to Sudoers on Ubuntu 26.04, 24.04 and 22.04

Add a new user to sudoers on Ubuntu 26.04, 24.04 and 22.04 server or desktop systems via the command-line terminal.

Last updatedAuthorJoshua JamesRead time7 minGuide typeUbuntu
Abstract illustration of an Ubuntu terminal where an admin prepares a new sudo-capable user.

Ubuntu keeps routine administration tied to sudo instead of an always-enabled root account, which makes delegated access easier to audit and easier to revoke. If you need to add a new user to sudoers on Ubuntu, the usual path is to create the account, place it in the sudo group, and confirm the new login can run privileged commands.

These examples cover Ubuntu 26.04 LTS, 24.04 LTS, and 22.04 LTS across desktop and server installs. The flow starts with group-based sudo access, then moves into custom rule files, access removal, and recovery checks for cases where sudo stops working.

Add a New User to Sudoers on Ubuntu

On Ubuntu, adding a user to sudoers usually means adding that account to the sudo group. Members of that group inherit Ubuntu’s default (ALL : ALL) ALL rule, so you only need a dedicated file in /etc/sudoers.d/ when you want narrower permissions.

TaskCommandWhat It Does
Create the accountsudo adduser newadminCreates the user, home directory, and password prompt in one workflow.
Grant sudo accesssudo usermod -aG sudo newadminAdds the account to the sudo group without stripping other group memberships.
Verify sudo accessgroups newadmin
sudo -l -U newadmin		Confirms the group membership and shows the sudo rule the user inherits.
Create a custom rulesudo visudo -f /etc/sudoers.d/newadminOpens a separate sudoers file for user-specific policies.
Remove sudo accesssudo gpasswd -d newadmin sudoRevokes group-based sudo access without deleting the account.

For Debian systems, use the separate guide to add a user to sudoers on Debian; other distributions may use a different administrator group or default policy.

You need to start from an account that already has sudo rights because Ubuntu keeps the root account locked by default.

Create the New Ubuntu User

Use adduser when you want the standard interactive workflow with password and profile prompts. Replace newadmin with the real account name you want to create.

sudo adduser newadmin

Press Enter for any optional fields you do not need, then confirm with Y when adduser asks whether the information is correct.

Confirm that the account exists before you grant administrator rights.

id newadmin
uid=1001(newadmin) gid=1001(newadmin) groups=1001(newadmin),100(users)

Ubuntu 22.04 often shows only the primary group here, while 24.04 and 26.04 commonly add users by default. The important part is that the user and home directory were created successfully.

Add the Ubuntu User to the sudo Group

On Ubuntu, add a user to the sudo group with usermod. The -aG flags append a supplementary group, so existing memberships stay in place.

sudo usermod -aG sudo newadmin

This is the standard way to promote an existing Ubuntu account because the group membership is what grants the default sudo rule.

Do not add normal administrators to the root group, and do not look for an old admin group on current Ubuntu releases. Root-level administration comes from sudo policy, and Ubuntu’s default policy grants that access through the sudo group.

Do not drop the -a flag. Running usermod -G sudo newadmin replaces the user’s supplementary groups instead of appending the new one.

Add the User to the sudo Group with adduser on Ubuntu

If you are still working through the interactive account-creation flow, adduser can also append the user to the sudo group.

sudo adduser newadmin sudo

This is convenient when you want a short, linear workflow and do not need the lower-level usermod syntax.

Add the User to the sudo Group with gpasswd on Ubuntu

gpasswd works well for direct group-management tasks because it only changes the named group membership.

sudo gpasswd -a newadmin sudo

Use this option when your automation already revolves around direct group management rather than the broader account tools.

Create and Grant sudo Access with useradd on Ubuntu

Use useradd when you want the lower-level workflow or you are scripting each account step explicitly.

sudo useradd -m -s /bin/bash newadmin
sudo passwd newadmin
sudo usermod -aG sudo newadmin

This sequence creates the home directory, sets the default shell, prompts for a password, and then grants sudo through the same group-based rule.

Verify sudo Access on Ubuntu

Check both the group membership and the sudo rule before you hand the account to someone else. The -U flag tells sudo -l to inspect another user’s rules without switching into that account first.

groups newadmin
sudo -l -U newadmin
newadmin : newadmin sudo users

User newadmin may run the following commands on ubuntu-26-04:
  (ALL : ALL) ALL

Ubuntu 24.04 and 22.04 also print a Matching Defaults entries block above the final rule line, and some systems omit the optional users group. The important part is that sudo appears in the group list and the final sudo rule grants ALL.

Finish with a fresh login session and a harmless privileged command so the updated membership is active in a real shell.

su - newadmin
sudo whoami
root

Configure Custom sudoers Rules on Ubuntu

Group membership is enough for most administrators, but a dedicated sudoers file makes more sense when one user needs a narrow command set or a passwordless exception.

Always edit sudo policy with visudo. It checks syntax before saving, which is the safest way to avoid locking yourself out of sudo.

If you use NOPASSWD:, keep it limited to commands you trust and audit often.

Open a dedicated file under /etc/sudoers.d/ instead of editing the main /etc/sudoers file directly. The -f flag tells visudo which policy file to open.

sudo visudo -f /etc/sudoers.d/newadmin

A full-access rule for one user looks like this:

newadmin ALL=(ALL:ALL) ALL

After you save the file, run a syntax check before you rely on it.

sudo visudo -cf /etc/sudoers.d/newadmin
/etc/sudoers.d/newadmin: parsed OK

Restrict sudo to Specific Commands on Ubuntu

Limit the rule to exact commands when a user only needs a small slice of administrative access.

webadmin ALL=(ALL:ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx

Use absolute paths so a fake binary earlier in the PATH cannot hijack the rule, and avoid wildcards unless you have tested every edge case.

For read-only automation, add NOPASSWD: ahead of the approved command list and keep the scope narrow.

monitor ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/journalctl -u nginx

Remove sudo Access on Ubuntu

Revoke administrator access by removing the user from the sudo group and deleting any custom rule file you created for that account.

sudo gpasswd -d newadmin sudo
sudo rm -f /etc/sudoers.d/newadmin
Removing user newadmin from group sudo

Verify that the group membership is gone and that sudo denies the account.

groups newadmin
sudo -l -U newadmin
newadmin : newadmin users

User newadmin is not allowed to run sudo on ubuntu-24-04.

Ubuntu 22.04 often shows only the user’s primary group after removal, while 24.04 and 26.04 commonly keep users as an extra group. In every case, sudo should be missing and sudo -l -U should deny access.

Understand sudo vs su on Ubuntu

sudo runs one command with elevated privileges and records which user requested that elevation. su switches the entire shell to another account, usually root.

That difference matters because sudo asks for the calling user’s password and keeps the audit trail tied to that account. Multiple administrators can share the same system without sharing the root password.

su - still has a place for recovery work, but Ubuntu locks the root account by default, so it is not the normal day-to-day path for system administration.

Prepare a Break-Glass Recovery Path on Ubuntu

Across supported Ubuntu releases, the root account starts locked. You can confirm that status before you ever need recovery access.

sudo passwd -S root | cut -d' ' -f1,2
root L

The full status output includes date and aging fields that can differ by release and locale. The second field, L, is the important part because it means the account is locked. If you need a temporary recovery password or want the full reset workflow, use the guide to change or reset the root password on Ubuntu instead of improvising during an outage.

Test your cloud console, hypervisor console, or other out-of-band access before you need it. Recovery mode is much less stressful when you already know how to reach it.

Best Practices for sudo Access on Ubuntu

Grant sudo only to named user accounts that actually need it, and remove access as soon as the task or role ends. That keeps your audit trail clear and limits privilege creep.

When you create custom rules, prefer exact command paths over broad patterns and keep NOPASSWD: reserved for low-risk automation. A short allowlist is easier to reason about than a convenient wildcard that quietly grows into full root access.

For remote administration, pair sudo with a hardened access path. Use the guide to install SSH on Ubuntu if the system does not already expose secure remote logins. Then configure UFW firewall on Ubuntu so privileged access stays reachable without staying wide open.

Troubleshoot sudo Access on Ubuntu

These are the failure states most administrators hit when they add or edit sudo access on Ubuntu.

Fix “User Is Not in the sudoers File” on Ubuntu

This error usually means the account never joined the sudo group, or the user is still running an old session that has not picked up the new membership.

testuser is not in the sudoers file. This incident will be reported.

Start by checking the user’s current group list from an account that already has sudo access.

groups testuser
testuser : testuser

If sudo is missing, add the user to the correct group and then start a fresh login session.

sudo usermod -aG sudo testuser

Verify the fix from the user’s new session.

su - testuser
sudo whoami
root

Refresh Group Membership After Adding sudo on Ubuntu

Adding a user to the sudo group does not retroactively update shells that were already open.

groups
testuser

Open a new login shell, or start a new SSH session, and then check again.

su - testuser
groups
testuser sudo

Some systems also show users after the new login. What matters is that sudo appears in the refreshed session. newgrp sudo changes the current shell’s primary group, but it is not a replacement for a real new login when you are testing sudo access.

Fix sudoers Syntax Errors on Ubuntu

Validate the file first when a custom rule stops working. That is faster and safer than guessing inside the editor.

sudo visudo -cf /etc/sudoers.d/webadmin
/etc/sudoers.d/webadmin:1:19: expecting ')' but found 'A'
webadmin ALL=(ALL ALL) /usr/bin/systemctl
          ^
/etc/sudoers.d/webadmin:1:19: syntax error: expecting ')' but found 'A'
webadmin ALL=(ALL ALL) /usr/bin/systemctl
          ^
visudo: invalid sudoers file

Reopen the file with visudo, fix the syntax, and rerun the same visudo -cf check until it parses cleanly.

sudo visudo -f /etc/sudoers.d/webadmin

Recover from Broken sudo Access on Ubuntu

If you remove your own sudo access or save a broken policy file, you need console access because SSH alone may not be enough to recover the machine.

Boot into the recovery entry from GRUB, choose the root shell, and remount the filesystem read-write before you start fixing accounts or files.

mount -o remount,rw /

Add your administrator account back to the sudo group if the membership was removed.

usermod -aG sudo yourusername

If the problem came from a broken file under /etc/sudoers.d/, open that file directly and repair or remove it.

visudo -f /etc/sudoers.d/problematic-file

Reboot into the normal system after the fix, then confirm sudo works before you close the console.

reboot
sudo whoami
root

Conclusion

A new user now has sudo access on Ubuntu through the standard sudo group workflow, and dedicated rule files are ready when you need narrower command access. For remote administration, finish by hardening SSH, limiting inbound access, and keeping your break-glass recovery path documented before you actually need it.

Share this guide

Help another Linux user troubleshoot faster

Share this guide with someone troubleshooting Linux systems or saving it for later.

BlueskyRedditXTumblrFacebookLinkedIn
Follow LinuxCapable

Want more LinuxCapable guides in Google?

Add LinuxCapable as a preferred source so Google can show more of our fresh Linux tutorials in Top Stories and From your sources when relevant.

Add LinuxCapable as a preferred source on Google
Search LinuxCapable

Need another guide?

Search LinuxCapable for package installs, commands, troubleshooting, and follow-up guides related to what you just read.

Found this guide useful?

Support LinuxCapable to keep tutorials free and up to date.

Buy me a coffeeBuy me a coffee
Before commenting, please review our Comments Policy.
Formatting tips for your comment

You can use basic HTML to format your comment. Useful tags currently allowed in published comments:

You type Result
<code>command</code> command
<strong>bold</strong> bold
<em>italic</em> italic
<blockquote>quote</blockquote> quote block

Got a Question or Feedback?

We read and reply to every comment - let us know how we can help or improve this guide.

Verify before posting: