You SSH into a new VPS and within minutes you want to know what user accounts are actually sitting on this machine. Especially if it is not a clean install — maybe it came with a control panel, or you inherited it from someone else.
Ubuntu keeps all of this in a few files and logs. This guide covers how to read them, from a basic cat to full login history, on Ubuntu 22.04 and 24.04 LTS.
Why User Management Matters on a VPS
On a VPS or dedicated server, user accounts pile up without you noticing. The operating system creates them automatically for services, control panels, and databases. Over time, the list grows and it becomes easy to lose track. Regular user audits help you:
- spot stale or unauthorized accounts that could be exploited as an entry point;
- confirm that the right people have the right permissions — and nobody else does;
- identify which service is running under which account;
- clean up after package installations, since many system packages add their own service accounts silently.
Method 1: /etc/passwd — The Complete Account List
The most straightforward approach is reading /etc/passwd directly. This plain-text file is a universal standard across all Linux distributions and contains information about every account on the system: name, identifiers, home directory, and login shell.
Connect to your server via SSH and run:
cat /etc/passwd
Each line describes one account and contains seven colon-separated fields:
username:password:UID:GID:comment:home_directory:shell
The password field always shows x on modern Ubuntu installations — the actual password hash lives in /etc/shadow, which is only readable by root. The UID (User ID) value tells you a lot: 0 is always root, UIDs from 1 to 999 are reserved for system accounts, and UIDs from 1000 upward belong to real human users.
Method 2: Names Only — Filtering the Output
The full /etc/passwd output contains a lot of noise. When you only need the list of usernames, use one of these cleaner approaches.
Using sed
sed 's/:.*//' /etc/passwd
This strips everything after the first colon, leaving just the account names.
Using cut — arguably more readable
cut -d: -f1 /etc/passwd
Same result, but the syntax is more self-explanatory: grab field number 1, using colon as the delimiter. Both commands produce identical output — choose whichever you find easier to remember.
💡 Pro tip: to list only real human users (UID 1000 and above) and skip service accounts, run:
awk -F: '$3 >= 1000 {print $1}' /etc/passwd
Method 3: getent passwd — The Modern Approach
The getent passwd command is actually the preferred tool over reading /etc/passwd directly. Unlike cat, it queries all configured user databases, not just the local file. On servers with LDAP, NIS, or other directory services configured, cat /etc/passwd will miss those remote accounts entirely — getent will not.
getent passwd
To print only usernames:
getent passwd | cut -d: -f1
To list only human users with their UIDs and home directories:
getent passwd | awk -F: '$3 >= 1000 {print $1, $3, $6}'
💡 On a typical VPS there is usually no practical difference between
getent passwdandcat /etc/passwd, butgetentis the correct habit to build.
Who Is Logged In Right Now?
Knowing all registered accounts is useful, but often you specifically need to see who is actively connected to the server at this moment. Ubuntu offers several tools for that.
The who command
who
Displays active sessions with the username, terminal, login time, and the IP address of the connection. Very handy on a server shared among multiple administrators.
The w command — the extended version
w
In addition to listing connected users, w shows their idle time, the command they are currently running, and the overall server load average. This is excellent for quick diagnostics — if the server feels sluggish, you can immediately see who launched what.
The users command
users
The most minimal option — just prints all active usernames on a single line. Nothing else.
Login History: Who Has Been On Your Server?
For security auditing it matters not just who is online now, but who has logged in previously. Ubuntu writes login records to /var/log/wtmp, which you can read with the following tools.
Full login history — last
last -a
The -a flag appends the hostname or IP address to the end of each line, which makes reading the output easier when you want to correlate logins with source addresses. The list is sorted in reverse chronological order, newest entries first.
To limit output to the last 20 entries:
last -a -n 20
To check the history for a specific user:
last -a username
Last login per user — lastlog
lastlog
This is the quickest way to spot dormant accounts — ones that nobody has used in a long time. System service accounts will show "Never logged in" since they are not designed for interactive use. Human accounts with old last-login dates deserve a second look.
💡 If an account has not been used in months, consider disabling it:
sudo usermod -L usernameLocking is safer than deleting — you can always unlock later if needed.
Inspecting a Specific User Account
When you need detailed information about a particular account — its numeric identifiers and group memberships — use the id command:
id username
The output looks like this:
uid=1000(alex) gid=1000(alex) groups=1000(alex),4(adm),27(sudo),1001(docker)
This shows the UID, the primary group, and all supplementary groups. If you see sudo in the groups list, that user can run commands with root privileges. If you see docker, they have full control over containers — which is effectively the same as root access.
To print only the groups for a user:
groups username
To check your own current user and groups:
id
whoami
Graphical Interface: Ubuntu Settings and KUser
If a desktop environment is installed on the server (uncommon on VPS but not unheard of), Ubuntu provides graphical user management tools as well.
On GNOME, open Settings and scroll down to find the Accounts section. It lists all system users with their account type (standard or administrator), auto-login status, and last login time. You can add and remove users without touching the terminal.
The KDE Plasma environment includes KUser, a more feature-rich utility. It shows UIDs, home directories, login shells, and lets you manage group memberships directly. A dedicated password management tab makes it convenient for desktop-side administration.
Keep in mind: graphical tools cannot show you login history or active sessions the way terminal commands do. On a VPS, the terminal is always the right choice.
Quick Reference: All Commands at a Glance
| Command | What it does |
|---|---|
getent passwd |
Full list of all accounts (recommended) |
cut -d: -f1 /etc/passwd |
Usernames only, all accounts |
awk -F: '$3 >= 1000 {print $1}' /etc/passwd |
Real (non-system) users only |
w |
Active users plus server load overview |
who |
Active sessions with connection IPs |
last -a |
Full login history |
lastlog |
Last login date per account |
id username |
UID, GID, and groups for a specific user |
groups username |
Group list for a specific user |
Security Recommendations for VPS Owners
Knowing how to list users is step one. Step two is making it a regular habit and acting on what you find.
- Review the user list after installing new packages or control panels — they often add service accounts silently.
- Lock unused accounts with
sudo usermod -L usernameinstead of deleting them; it is easier to reverse if needed. - Disable password-based SSH logins entirely — use key authentication only (
PasswordAuthentication noin/etc/ssh/sshd_config). - Restrict SSH access to specific users with the
AllowUsersdirective in the sshd config. - Review
/var/log/auth.logperiodically for repeated failed login attempts — a classic sign of a brute-force attack in progress.
Conclusion
The commands are simple and work on any Ubuntu VPS without installing anything extra. If you are still looking for a server — the PQ.Hosting catalog has VPS options across a wide range of locations and configurations.
One thing worth keeping in mind: lastlog and last are the first places to check when something goes wrong with access. Bookmark the cheat sheet above.