CCNA Manage users and groups Questions

48 questions · Manage users and groups · All types, answers revealed

1
Multi-Selectmedium

Which TWO commands can change the primary group of an existing user?

Select 2 answers
A.usermod -aG
B.gpasswd -a
C.vigr
D.groupmems -a
E.useradd -G
AnswersA, B

The -aG option appends the user to specified supplementary groups.

Why this answer

The `usermod -g` command (not `-aG`, which adds supplementary groups) changes the primary group of an existing user. The `gpasswd -a` command adds a user to a group, but it does not change the primary group; it only affects supplementary group membership. Therefore, neither option A nor B is correct for changing the primary group.

The correct commands are `usermod -g` (to set the primary group) and `usermod -G` (to set supplementary groups, but not the primary).

Exam trap

The trap here is confusing the `-g` (primary group) and `-G` (supplementary groups) flags with `usermod`, and assuming `gpasswd -a` or `groupmems -a` can change the primary group when they only manage supplementary membership.

2
MCQmedium

An administrator needs to create a user account that will be used by an application service. The account should not have a valid shell or home directory. Which command correctly creates such an account?

A.useradd -r -M -s /bin/false appuser
B.useradd -r -s /sbin/nologin -M appuser
C.useradd -r -s /sbin/nologin appuser
D.useradd -s /bin/false -M appuser
AnswerB

Correctly disables login and skips home directory creation.

Why this answer

Option D is correct because it combines -r (system account), -s /sbin/nologin (invalid shell), and -M (no home directory). Option A lacks -M, Option B lacks -r, Option C uses /bin/false which is not a standard nologin shell.

3
MCQmedium

Refer to the exhibit. A user named 'carol' has been added to the system with the command useradd -G wheel carol. Which line in /etc/group will confirm that carol is now a member of the wheel group?

A.wheel:x:10:carol,root,alice,bob
B.wheel:x:10:root,alice,bob,carol
C.wheel:x:10:root,alice,bob,carol,
D.wheel:x:10:root,alice,bob carol
AnswerB

Option A is correct; useradd -G appends the user to the comma-separated member list without a trailing comma.

4
MCQhard

A user reports that they can log in but cannot change their password. Which file might be misconfigured?

A./etc/shadow with an expiration date in the past
B./etc/group with no user entry
C./etc/login.defs with PASS_MAX_DAYS set to 0
D./etc/passwd with incorrect shell
AnswerA

Option A is correct: if the shadow entry has an expired password (e.g., maximum password age reached or account locked), the user may be unable to change the password.

Why this answer

The /etc/shadow file stores password aging information, including the date of the last password change and the expiration date. If the account's expiration date is set in the past, the system will allow login (if the account is not locked) but will prevent the user from changing their password because the account is considered expired. This matches the symptom where the user can authenticate but cannot update their password.

Exam trap

The trap here is that candidates often assume password change issues are caused by /etc/passwd or /etc/login.defs, but the actual control for password aging and expiration is in /etc/shadow, specifically the expiration date field.

How to eliminate wrong answers

Option B is wrong because /etc/group defines group memberships and has no direct effect on password change capability; a missing user entry would prevent group access but not password operations. Option C is wrong because PASS_MAX_DAYS set to 0 in /etc/login.defs means the password never expires (no maximum age), which would not prevent a password change; it would actually allow unlimited password age. Option D is wrong because an incorrect shell in /etc/passwd affects the user's login session (e.g., preventing shell access) but does not block the password change operation itself, which is handled by the shadow file and PAM.

5
Multi-Selecteasy

Which TWO commands can list all groups a user belongs to? (Choose exactly 2)

Select 2 answers
A.id -nG
B.cat /etc/group | grep user
C.usermod -g user
D.getent group user
E.groups
AnswersA, E

Option A is correct; id -nG prints the group names of the current user.

Why this answer

Option A is correct because `id -nG` displays the group names (`-n`) and all group IDs (`-G`) for the current user or a specified user. This command reads the user's group memberships from the system databases (e.g., `/etc/group` and `/etc/passwd`) and outputs the supplementary and primary group names, making it a reliable way to list all groups a user belongs to.

Exam trap

The trap here is that candidates often think `cat /etc/group | grep user` or `getent group user` will list all groups for a user, but these commands only search for a group named 'user' or lines containing the string, not the user's actual group memberships, which is a common misconception tested on the EX200 exam.

6
MCQhard

An administrator is migrating user accounts to a new system. They want to preserve the user's primary group name and GID. Which commands should be used in sequence?

A.useradd -u <UID> -g <group> <user>
B.useradd -g <group> <user>
C.groupadd --gid <GID> <group> && useradd -g <group> <user>
D.groupadd -g <GID> <group> then useradd -g <group> <user>
AnswerC

This creates the group with the specified GID first, then creates the user with that group.

Why this answer

Option D is correct: first create the group with the specific GID using groupadd -g, then create the user with that group using useradd -g. Option A will fail if the group doesn't exist. Option B uses -g for groupadd and -g for useradd, but the order is wrong.

Option C sets only UID, not group.

7
MCQmedium

A system administrator needs to change the primary group of an existing user to a group that already exists. Which command should be used?

A.groupmod -g existinggroup username
B.usermod -g existinggroup username
C.usermod -p existinggroup username
D.usermod -G existinggroup username
AnswerB

Option A is correct: -g changes the user's primary group to the specified group.

Why this answer

Option B is correct because the `usermod -g` command changes the primary group of an existing user to a specified group that already exists on the system. The `-g` option sets the initial login group (GID) for the user, which must be a valid group name or GID from `/etc/group`.

Exam trap

The trap here is confusing the `-g` (primary group) and `-G` (supplementary groups) options of `usermod`, leading candidates to pick option D when they need to change the primary group.

How to eliminate wrong answers

Option A is wrong because `groupmod -g` changes the GID of an existing group, not the primary group of a user. Option C is wrong because `usermod -p` is used to set or change the user's password (encrypted), not their group membership. Option D is wrong because `usermod -G` sets the supplementary (secondary) group list for the user, not the primary group.

8
Multi-Selecthard

Which THREE conditions must be met for a user to effectively use the 'sudo' command to execute commands with root privileges?

Select 3 answers
A.The target command must be executable by root
B.User must be in the wheel group
C.User must have a password set
D.User must be in the sudoers file
E.The sudoers file must be edited with visudo
AnswersB, D, E

RHEL's default sudoers grants privileges to %wheel.

Why this answer

Options A, C, and D are correct. The user must be listed in the sudoers file (A), the sudoers file must be edited with visudo to avoid syntax errors (C), and on RHEL, being in the wheel group is a common requirement (D). Option B (password) is not required if NOPASSWD is set.

Option E is not a condition for the user.

9
MCQmedium

A system administrator needs to ensure that a user named 'jdoe' can execute commands as root without being prompted for a password. Which configuration change should be made?

A.Add 'jdoe ALL=(ALL) NOPASSWD: ALL' to /etc/sudoers via visudo
B.Add jdoe to the wheel group and configure /etc/sudoers with '%wheel ALL=(ALL) ALL'
C.Set the UID of jdoe to 0
D.Add jdoe to the root group
AnswerA

This grants passwordless sudo access.

Why this answer

Option C is correct because adding 'jdoe ALL=(ALL) NOPASSWD: ALL' to /etc/sudoers via visudo allows passwordless sudo for all commands. Option A adds jdoe to the wheel group with password required. Option B does not grant sudo privileges.

Option D changes UID to 0, which is not recommended and can cause issues.

10
MCQmedium

A user named jdoe is receiving 'Permission denied' errors when trying to access a file owned by root with permissions 644. The user is a member of the root group. What is the most likely cause?

A.The directory containing the file lacks execute permission for the group or others.
B.The file's group owner is not root.
C.The file's read permission is not granted to the root group.
D.The user needs to be added to the root group again.
AnswerA

Option A is correct: even if file permissions allow read, the user must have execute permission on the directory to traverse it. The directory likely has no execute for group/others.

Why this answer

The file has permissions 644, meaning the owner (root) has read/write, and the group (root) and others have read-only access. Since jdoe is a member of the root group, the file's group read permission should allow access. However, to traverse a directory and access any file within it, the user needs execute (x) permission on that directory.

If the directory lacks execute for the group or others, jdoe will get 'Permission denied' even if the file permissions are correct.

Exam trap

The trap here is that candidates focus solely on file permissions (644) and overlook that directory execute permission is required for file access, leading them to incorrectly suspect group membership or file group ownership issues.

How to eliminate wrong answers

Option B is wrong because the file's group owner is root (as stated in the scenario), and the user jdoe is a member of the root group, so group ownership is correct. Option C is wrong because the file's permissions 644 grant read (4) to the group, so the root group does have read permission. Option D is wrong because the user is already a member of the root group; re-adding them would not resolve a directory permission issue.

11
MCQhard

A server has a requirement that all users in the 'finance' group must have a password aging policy that forces password change every 90 days. Which approach best achieves this for existing users?

A.Set PASS_MAX_DAYS 90 in /etc/login.defs
B.Edit /etc/shadow and change the fifth field for all users
C.Configure pam_pwquality.so to enforce password age
D.Write a script to run 'chage -M 90' for each user in the finance group
AnswerD

This directly sets the maximum password age for each existing user in the group.

Why this answer

Option D is correct because `chage -M 90` sets the maximum password age for a specific user, and by scripting it to apply to all members of the 'finance' group, you directly enforce the 90-day policy on existing users. This approach works regardless of the default settings in `/etc/login.defs`, which only affect new users, and avoids the manual and error-prone editing of `/etc/shadow`.

Exam trap

The trap here is that candidates often confuse `/etc/login.defs` as applying to all users (including existing ones), when in fact it only sets defaults for new user creation via `useradd`.

How to eliminate wrong answers

Option A is wrong because `/etc/login.defs` only sets default values for newly created users; it does not retroactively apply to existing users. Option B is wrong because manually editing the fifth field in `/etc/shadow` is fragile, error-prone, and not a supported or recommended administrative practice; the `chage` command is the proper tool for this task. Option C is wrong because `pam_pwquality.so` is a module for password quality/complexity checks (e.g., length, character classes), not for enforcing password aging policies like maximum days between changes.

12
MCQeasy

A user reports they cannot log in to a Linux system. Their account was recently created. The administrator checks /etc/passwd and sees the entry: jsmith:x:1001:1001::/home/jsmith:/sbin/nologin. What is the likely issue?

A.The user is locked due to expired password
B.The home directory does not exist
C.The user is not in any supplementary groups
D.The user's shell is set to /sbin/nologin which prevents login
AnswerD

/sbin/nologin shell disables login.

Why this answer

Option B is correct because the shell is set to /sbin/nologin, which prevents any login. Option A is plausible but not the direct cause. Option C would require checking other fields.

Option D is not relevant to login ability.

13
MCQhard

Refer to the exhibit. What effect does the value INACTIVE=-1 have on newly created user accounts?

A.The account expires immediately.
B.Passwords never expire.
C.Account is disabled if password expires but user does not log in within -1 days (immediately).
D.The password inactivity period is disabled.
AnswerD

Option C is correct; INACTIVE=-1 disables the inactivity period, so the account will not be disabled after password expiration.

Why this answer

The `INACTIVE=-1` setting in the `useradd -D` or `/etc/default/useradd` configuration disables the password inactivity period. This means that after a password expires, the account will not be locked due to inactivity, effectively turning off the inactivity timer. The value -1 is a special sentinel that indicates no inactivity period is enforced.

Exam trap

Red Hat often tests the distinction between password expiration (`PASS_MAX_DAYS`) and the inactivity period (`INACTIVE`), trapping candidates who confuse the two or misinterpret -1 as 'immediate' rather than 'disabled'.

How to eliminate wrong answers

Option A is wrong because `INACTIVE=-1` does not cause immediate account expiration; account expiration is controlled by the `EXPIRE` field or `-e` option, not the inactivity setting. Option B is wrong because password expiration is controlled by `PASS_MAX_DAYS` (e.g., in `/etc/login.defs`), not by the inactivity period; `INACTIVE` only affects what happens after a password expires. Option C is wrong because a negative value (-1) disables the inactivity check entirely; it does not mean 'immediately' — the account is not disabled at all due to inactivity when set to -1.

14
Multi-Selectmedium

Which TWO of the following are valid methods to set a user's password expiration date?

Select 2 answers
A.chage -M 90 username
B.useradd -e 2025-12-31 username
C.chage -E 2025-12-31 username
D.usermod -e 2025-12-31 username
E.passwd -e username
AnswersC, D

Sets the account expiration date.

Why this answer

Options A and C are correct. chage -E sets the account expiration date, and usermod -e also sets the account expiration date. passwd -e forces password change at next login, does not set expiration. chage -M sets maximum password age, not expiration date. useradd -e only works at user creation.

15
MCQmedium

A user jdoe, who is a member of the group staff, reports they cannot access the directory /shared. The administrator runs getfacl /shared and receives the output shown. Which of the following explains the issue?

A.The group staff does not have execute permission
B.An ACL entry denies all permissions for jdoe
C.The mask entry restricts group permissions
D.The directory is read-only for the owner
AnswerB

The user:jdoe:--- entry denies everything.

Why this answer

Option B is correct: the ACL has an explicit deny entry for jdoe (user:jdoe:---) that overrides the group permissions. Option A is incorrect because group staff has rwx. Option C is incorrect because the owner has rwx.

Option D is incorrect because the mask is rwx and does not limit group.

16
MCQhard

Your organization has a shared directory /data/projects with permissions 2770 owned by root:projectmanagers. The directory is used by a team of developers who are all members of the 'developers' group. However, you need to ensure that any file created inside /data/projects automatically belongs to the 'developers' group, not the user's primary group. Additionally, you need to ensure that developers can delete only their own files, not those of others. Your IT security policy also requires that all user passwords must expire every 90 days and that new users should have a warning period of 7 days before expiration. Given the following options, which one describes the correct set of actions to achieve all these requirements?

A.Set setgid bit on /data/projects (chmod g+s), set sticky bit using chmod +t, use chage -M 90 -W 7 for each user, and ensure useradd defaults in /etc/login.defs have PASS_MAX_DAYS 90 and PASS_WARN_AGE 7.
B.Modify the umask of all users to 002, use chage -M 90 for all users, and set the setgid bit.
C.Use ACLs to set default group permissions, enable password aging by editing /etc/shadow directly, and set the sticky bit on the directory.
D.Set the setgid bit, create a cron job to change group ownership, and enforce password policy through pam_tally2.
AnswerA

All requirements are addressed: setgid for group inheritance, sticky bit for deletion control, and chage/login.defs for password aging.

Why this answer

Option A is correct. Setting the setgid bit (chmod g+s) on /data/projects ensures new files inherit the directory's group (developers). Setting the sticky bit (chmod +t) prevents users from deleting files they don't own.

For password aging, using chage -M 90 -W 7 for each user sets the maximum password age and warning period. Additionally, setting defaults in /etc/login.defs (PASS_MAX_DAYS 90 and PASS_WARN_AGE 7) ensures new users automatically get these settings. Option B omits setgid, uses direct shadow editing which is error-prone, and does not cover password aging defaults.

Option C uses a cron job unnecessarily and pam_tally2 for account locking, not aging. Option D uses umask changes (affects permissions, not group inheritance) and only sets max days, not warning; also does not address sticky bit.

17
MCQhard

An administrator accidentally deleted the group 'sales' which is the primary group of several users. What is the immediate effect on those users?

A.Their files will show a missing GID in directory listings
B.The system will recreate the group automatically
C.Their primary group will be changed to their UID
D.They will be unable to log in
AnswerA

The group is gone, so the numeric GID appears instead of a group name.

Why this answer

Option A is correct: after deleting a group, files owned by that group show the numeric GID, and ls -l will display the GID instead of group name. Users can still log in and their primary group remains set to the old GID in /etc/passwd. Option B is false.

Option C is false because the primary group GID is not automatically changed. Option D is false.

18
MCQmedium

Given the exhibit, which statement is true about the file /project/report.txt?

A.Any user can read report.txt
B.Alice can write to report.txt
C.The file's group is wheel
D.Alice cannot write to report.txt because she is not the owner
AnswerB

Alice is a member of the staff group, which has read and write permissions on the file.

Why this answer

The exhibit shows that the file /project/report.txt has permissions -rw-rw-r--, owner alice, and group project. Alice is the owner, so she has the owner permissions (rw-), which include write access. Therefore, option B is correct because Alice can write to the file.

Exam trap

Red Hat often tests the misconception that only the owner can write to a file, but the correct interpretation depends on the permission bits; here, the owner has write permission, so Alice can write.

How to eliminate wrong answers

Option A is wrong because the file's 'other' permissions are r--, meaning users other than the owner and group members can only read, not write. Option C is wrong because the file's group is 'project', not 'wheel'. Option D is wrong because Alice is the owner of the file, and the owner permissions grant her write access, so she can write to the file.

19
Multi-Selecteasy

Which TWO commands can be used to add a user to an existing supplementary group without removing them from other groups?

Select 2 answers
A.groupmod -a user group
B.usermod -a -G group user
C.usermod -g group user
D.usermod -G group user
E.gpasswd -a user group
AnswersB, E

The -a option appends to existing supplementary groups.

Why this answer

Options A and B are correct. usermod -a -G group user appends the group to existing supplementary groups. gpasswd -a user group adds the user to the group. Option C replaces all supplementary groups. Option D is not a valid command.

Option E changes the primary group.

20
MCQhard

Refer to the exhibit. A web server runs as user 'apache'. The directory /var/www/html is owned by root:root with permissions 755. The administrator wants to allow the user 'webuser' to upload files to /var/www/html via SFTP. Which step is necessary to achieve this?

A.Change webuser's shell to /bin/bash to allow SFTP login
B.Change group ownership of /var/www/html to a group that includes webuser and add group write permission
C.Change the SELinux context of /var/www/html to httpd_sys_rw_content_t
D.Set an ACL on /var/www/html to grant webuser write access
AnswerB

This gives webuser write access via group membership.

Why this answer

Option B is correct because the directory /var/www/html is owned by root:root with permissions 755, meaning only root can write. To allow webuser to upload files via SFTP, the directory needs group write permission. Changing the group ownership to a group that includes webuser and adding group write permission (e.g., chgrp webgroup /var/www/html && chmod g+w /var/www/html) grants the necessary write access without altering ownership or security contexts.

Exam trap

The trap here is that candidates may overthink and choose ACLs (Option D) as a 'modern' solution, but the question tests the fundamental Linux permission model where group write permission is the simplest and most direct method, especially when the directory is already group-owned by root and needs a new group.

How to eliminate wrong answers

Option A is wrong because changing webuser's shell to /bin/bash is not required for SFTP; SFTP uses the SSH subsystem and works with any valid shell, but the default shell (often /sbin/nologin) can still allow SFTP if configured in sshd_config (e.g., Subsystem sftp internal-sftp). Option C is wrong because the SELinux context httpd_sys_rw_content_t is used for read-write access by the Apache HTTP server, not for SFTP uploads by a non-Apache user; the correct context for SFTP uploads would be public_content_rw_t or similar, but the question does not mention SELinux enforcement. Option D is wrong because setting an ACL on /var/www/html to grant webuser write access would work technically, but the question asks for a step 'necessary' to achieve the goal; the simpler and more standard approach is to use group ownership and permissions, and ACLs are not required unless the directory must remain owned by root:root with 755 permissions for other users.

21
MCQhard

A Red Hat Enterprise Linux 9 system enforces a security policy that user accounts must be disabled after 90 days of inactivity. The system administrator has configured /etc/shadow accordingly with the proper fields. User 'bob' has been on leave for 95 days. When bob returns and tries to log in, he is unable to do so. The administrator checks the shadow file and sees that bob's password expiration date has passed and the account is locked due to inactivity (the inactivity period has exceeded). The administrator wants to immediately reactivate bob's account without changing the password, and also wants to set the account to expire in 30 days from now (relative to the current date). Which set of commands should the administrator run to achieve this goal?

A.chage -E $(date -d +30days +%Y-%m-%d) bob; chage -I -1 bob
B.usermod -e 2024-12-31 bob; passwd -S bob
C.chage -d 0 bob; usermod -L bob
D.usermod -e $(date -d +30days +%Y-%m-%d) bob; passwd -u bob
AnswerA

Correct: chage -E sets new expiration date; chage -I -1 disables the inactivity period lock, reactivating the account.

Why this answer

Option B is correct. The chage -E command sets the account expiration date, and the -I option sets the inactivity period; setting -I to -1 disables the inactivity lock. This reactivates the account and sets a new expiration date 30 days from now.

Option A is incorrect because usermod -e cannot accept a relative date without shell expansion, and passwd -u only unlocks the password, not the account inactivity lock. Option C is incorrect because it uses a hardcoded date and passwd -S only shows status; it does not reactivate. Option D is incorrect; chage -d 0 forces immediate password change and usermod -L locks the account, which is the opposite of what is needed.

22
MCQeasy

You are a junior administrator at a company that uses Red Hat Enterprise Linux 8. The HR department has a shared directory /hr/data that should be accessible to all members of the 'hr' group. The directory is currently owned by root:root with permissions 755. You need to configure the system so that new files created in /hr/data are automatically owned by the group 'hr' and the group has read-write permissions. Additionally, you need to ensure that user 'jane' (who is a member of 'hr') can create files in the directory. However, after adding 'jane' to the 'hr' group, she still cannot create files, receiving 'Permission denied'. Which of the following is the best course of action to resolve this issue?

A.Change the directory permissions to 2775 and set the SGID bit using chmod 2775 /hr/data
B.Change the directory ownership to jane:hr
C.Use sudo to grant 'jane' full access to the directory
D.Set the sticky bit on the directory using chmod +t /hr/data
AnswerA

Correct: 2775 sets SGID and group write, ensuring new files inherit group ownership and group can write.

Why this answer

Option A is correct. The directory needs to have the SGID bit set (chmod g+s) so that new files inherit the group ownership, and group write permission must be granted (chmod g+w). Setting permissions to 2775 sets both the SGID bit and group write permissions.

Option B is incorrect because granting sudo access is unnecessary and a security risk. Option C is incorrect because changing ownership to jane:hr would not enforce group ownership for new files and would break other users' access. Option D is incorrect; the sticky bit (chmod +t) is used to prevent users from deleting others' files, not to manage group permissions or inheritance.

23
MCQhard

You are managing a Red Hat Enterprise Linux 8 server that hosts backup scripts. A user named 'backup' (UID 1005) is a member of the 'backup' group. The directory /var/backups is owned by root:backup with permissions 775. The 'backup' user needs to create files in this directory. However, when the user attempts to create a file, they receive 'Permission denied'. You verify that 'backup' is indeed listed in the backup group in /etc/group. The user's current shell was started after their last login. Which of the following is the most likely cause and solution?

A.The directory lacks the setgid bit; set it with 'chmod g+s /var/backups'.
B.The user needs to log out and log back in to refresh their group membership.
C.The user's umask is too restrictive, preventing file creation. Change the umask to 002.
D.The user should use 'newgrp backup' to switch to the backup group temporarily.
AnswerB

The user was added to the group after their current session started; the new group is not active until a new login occurs.

Why this answer

The user 'backup' is already a member of the 'backup' group in /etc/group, but the current shell session was started before the group membership was added or refreshed. On Linux, group membership is determined at login time by the PAM modules; simply adding a user to a group does not affect already running processes. The user must log out and log back in (or start a new login shell) to acquire the new group membership via the initgroups() system call, which populates the process's supplementary group list.

Exam trap

The trap here is that candidates often think the setgid bit or umask is the issue, but the real problem is that group membership changes do not apply to existing login sessions—a fundamental Linux behavior that Red Hat EX200 frequently tests.

How to eliminate wrong answers

Option A is wrong because the setgid bit (chmod g+s) would cause new files to inherit the group of the directory, but the user already has group write permission via the 775 permissions; the issue is that the user's process does not have the 'backup' group in its supplementary groups, not that the directory lacks setgid. Option C is wrong because umask only affects the default permissions of newly created files, not the ability to create files at all; even with a restrictive umask (e.g., 077), the user could still create files if they had write permission, but they would be created with no group/other permissions. Option D is wrong because 'newgrp backup' would work to switch the user's effective group to 'backup' temporarily, but it is not the most likely cause or the best solution; the question asks for the most likely cause and solution, and the standard fix is to log out and log back in to refresh group membership for all future sessions.

24
MCQhard

A system administrator needs to ensure that a user named 'bob' can access a shared directory '/data' owned by group 'developers'. The directory has permissions 2775 and is owned by root:developers. Bob is a member of the 'developers' group. However, when Bob tries to create a file in '/data', it fails with 'Permission denied'. What is the most likely cause?

A.The directory has incorrect SELinux context
B.Bob's umask is set to 0077
C.The setgid bit is not set
D.Bob's primary group is not developers
AnswerA

SELinux contexts can prevent access even when standard permissions allow it. The default context for /data might be different, causing denial.

Why this answer

The directory '/data' has permissions 2775, which grants read, write, and execute to the group 'developers'. Bob is a member of 'developers', so standard Unix permissions should allow him to create files. However, the failure with 'Permission denied' despite correct group membership and permissions strongly indicates that SELinux is enforcing a policy that denies Bob write access.

The most likely cause is that the directory lacks the correct SELinux context (e.g., `default_t` instead of a type like `public_content_rw_t` or a context that allows write operations).

Exam trap

Red Hat often tests the misconception that group membership alone guarantees access, ignoring that SELinux can block operations even when Unix permissions are correct; the trap here is that candidates focus on umask or primary group instead of recognizing SELinux as the likely cause when permissions and group membership appear correct.

How to eliminate wrong answers

Option B is wrong because umask affects the default permissions of newly created files, not the ability to create them; a umask of 0077 would not cause a 'Permission denied' error when creating a file if the directory permissions allow write access. Option C is wrong because the setgid bit (2775) is already set (the '2' in the permissions), so it is not missing; the setgid bit ensures new files inherit the group, but its absence would not cause a 'Permission denied' error. Option D is wrong because Bob's primary group does not need to be 'developers'; as a member of the 'developers' group, he has group-level access to the directory regardless of his primary group.

25
MCQhard

Alice tries to run 'sudo less /var/log/messages' and gets 'Sorry, user alice is not allowed to execute /usr/bin/less /var/log/messages as root on this host.' Why?

A.The command path must exactly match, including arguments
B.The secure_path does not include /usr/bin
C.The sudoers allows only specific commands with specific arguments
D.The /var/log/messages file does not exist
AnswerC

The entry '/usr/bin/less /var/log/secure' restricts less to that file only.

Why this answer

Option B is correct: the sudoers entry allows only specific commands with specific arguments. The entry '/usr/bin/less /var/log/secure' allows less only with that exact argument. Option A is about path matching but the path is fine.

Option C is not the issue. Option D is incorrect because secure_path is not relevant.

26
MCQmedium

An administrator wants to ensure that any new user accounts created on the system have a default primary group matching the username. What change is needed?

A.Set GROUP to same name in /etc/default/useradd
B.Set USERGROUPS_ENAB to no; then create user with -g
C.Set USERGROUPS_ENAB to yes in /etc/login.defs
D.Set CREATE_HOME to yes in /etc/login.defs
AnswerC

Option A is correct: when USERGROUPS_ENAB=yes, useradd creates a group with the same name as the user and sets it as the primary group.

Why this answer

Option C is correct because setting USERGROUPS_ENAB to yes in /etc/login.defs instructs the useradd command to automatically create a private group with the same name as the new user and assign it as the user's primary group. This is the default behavior in Red Hat Enterprise Linux and ensures that each new user has a matching primary group without manual intervention.

Exam trap

The trap here is that candidates often confuse the GROUP setting in /etc/default/useradd (which sets a fixed default group) with the USERGROUPS_ENAB mechanism that dynamically creates a matching group, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because the GROUP setting in /etc/default/useradd specifies the default primary group for new users (e.g., GROUP=100 for users group), not a group matching the username. Option B is wrong because setting USERGROUPS_ENAB to no disables the automatic creation of a private group, and using -g manually would require the group to already exist, not create it automatically. Option D is wrong because CREATE_HOME controls whether a home directory is created for new users, not the primary group assignment.

27
Multi-Selecteasy

Which TWO commands can be used to create a new user account in Red Hat Enterprise Linux 8?

Select 2 answers
A.adduser
B.groupadd
C.usermod
D.passwd
E.useradd
AnswersA, E

adduser is a symbolic link to useradd on RHEL and also creates users.

Why this answer

Both `adduser` and `useradd` are commands that create a new user account in Red Hat Enterprise Linux 8. `adduser` is a symbolic link to `useradd` in RHEL 8, so they perform the same function. The `useradd` command creates a new user with default settings from `/etc/default/useradd` and `/etc/login.defs`, while `adduser` behaves identically.

Exam trap

The trap here is that candidates may think `adduser` is a separate, interactive command (as in Debian-based systems), but in RHEL 8 it is identical to `useradd`, and `passwd` or `groupadd` are often mistakenly chosen for user creation.

28
MCQeasy

A helpdesk ticket states that user 'bob' cannot write to his own home directory. The directory /home/bob has permissions drwxr-xr-x and is owned by root:root. What command will fix this?

A.setfacl -m u:bob:rwx /home/bob
B.usermod -d /home/bob bob
C.chmod 755 /home/bob
D.chown bob:bob /home/bob
AnswerD

Changes owner and group to bob, giving him write access.

Why this answer

Option A is correct: changing ownership to bob:bob gives him full control. Option B changes permissions but does not address ownership. Option C changes the home directory but not ownership.

Option D uses ACLs, which is not the most straightforward fix.

29
MCQmedium

A company policy requires that when a user is deleted, all files owned by that user in /home should be reassigned to a 'guest' account. Which command accomplishes this?

A.usermod -l guest olduser
B.find /home -user olduser -exec chown guest {} +
C.userdel -r olduser
D.rsync -a /home/olduser/ /home/guest/
AnswerB

This finds all files owned by olduser under /home and changes ownership to guest.

Why this answer

Option B uses `find` to locate all files owned by `olduser` under `/home` and then executes `chown guest` on them, which reassigns ownership to the `guest` account. This directly satisfies the policy requirement without affecting the user account itself or copying files.

Exam trap

Red Hat often tests the distinction between modifying user attributes (usermod), deleting users (userdel), copying files (rsync), and directly reassigning file ownership (find + chown), expecting candidates to recognize that only the latter changes ownership without altering or removing the files.

How to eliminate wrong answers

Option A is wrong because `usermod -l` changes the login name of an existing user, not ownership of files; it would rename `olduser` to `guest`, which does not reassign ownership to a separate `guest` account and may conflict if `guest` already exists. Option C is wrong because `userdel -r` removes the user and their home directory, which deletes files rather than reassigning ownership. Option D is wrong because `rsync -a` copies files from one directory to another, leaving the original files still owned by `olduser` and not reassigning ownership of the originals.

30
Multi-Selectmedium

Which TWO commands can be used to add a user to a secondary group without removing existing supplementary group memberships? (Choose exactly 2)

Select 2 answers
A.usermod -aG group user
B.usermod -AG group user
C.adduser user group
D.gpasswd -a user group
E.groupadd -a user group
AnswersA, D

Option A is correct; -aG appends the user to the supplementary groups list without affecting others.

Why this answer

Option A is correct because `usermod -aG` appends the user to the specified supplementary group(s) without affecting any existing supplementary group memberships. The `-a` flag (append) must be used with `-G` to avoid overwriting the current list of supplementary groups. This is the standard method in Red Hat Enterprise Linux for adding a user to an additional group while preserving all other group memberships.

Exam trap

The trap here is that candidates often confuse `usermod -G` (which replaces all supplementary groups) with `usermod -aG` (which appends), and may also mistakenly think `groupadd` or `adduser` can modify group memberships, when in fact only `usermod -aG` and `gpasswd -a` are the correct tools for this task.

31
Multi-Selectmedium

A system administrator needs to ensure that the user 'jdoe' can read files in the shared directory /project/data which is owned by group 'project'. The user 'jdoe' is currently not a member of the 'project' group. Which TWO steps should the administrator take to add 'jdoe' to the 'project' group? (Choose two.)

Select 2 answers
A.gpasswd -a jdoe project
B.groupmod -A jdoe project
C.vigr to add jdoe to project group
D.useradd -G project jdoe
E.usermod -aG project jdoe
AnswersA, E

Correct: adds user to the specified group.

Why this answer

The correct options are A and B. usermod -aG project jdoe appends the user to the supplementary group without removing existing group memberships. gpasswd -a jdoe project also adds the user to the group. Option C (useradd -G) is incorrect because useradd is for creating new users, not modifying existing ones; using it would require the -M option and still is not appropriate. Option D (groupmod -A) is invalid syntax; groupmod does not have an -A option.

Option E (vigr) is for manually editing group files, but it is not a direct command to add a user to a group; it would require manual file editing which is error-prone and not recommended.

32
MCQeasy

A new employee named asmith needs a user account with a home directory and a specific UID of 1500. Which command accomplishes this?

A.useradd -m -u 1500 asmith
B.adduser -uid 1500 asmith
C.useradd -h /home/asmith -u 1500 asmith
D.useradd -d /home/asmith -U 1500 asmith
AnswerA

Option A is correct: -m creates the home directory, -u sets the UID.

Why this answer

Option A is correct because `useradd -m -u 1500 asmith` creates the user asmith with a home directory (via `-m`) and assigns a specific UID of 1500 (via `-u`). The `-m` flag ensures the home directory is created if it does not exist, which is required by the question.

Exam trap

The trap here is confusing `-u` (UID) with `-U` (create user group) and mistaking `-h` for home directory instead of the correct `-d` flag.

How to eliminate wrong answers

Option B is wrong because `adduser` is a Perl script (not a standard command on RHEL/CentOS) and `-uid` is not a valid flag; the correct flag for UID with `adduser` would be `--uid`, but the question expects the standard `useradd` command. Option C is wrong because `-h` is not a valid flag for `useradd`; the flag to specify a home directory is `-d`, and `-h` is used for help. Option D is wrong because `-U` creates a user group with the same name as the user (not a UID), and the UID should be specified with `-u` (lowercase), not `-U`.

33
MCQeasy

A company needs to create a user account for a temporary contractor who will work for exactly 90 days. The account must be automatically disabled after 90 days. Which command should the administrator use?

A.useradd -f 90 contractor
B.useradd -e $(date -d '+90 days' +%Y-%m-%d) contractor
C.useradd -e 90 contractor
D.useradd -f 90 -e 0 contractor
AnswerB

Option A correctly uses the -e option to set the account expiration date to 90 days from now using the date command.

Why this answer

Option B is correct because the `-e` (expiration date) option sets the date on which the user account will be disabled. Using `$(date -d '+90 days' +%Y-%m-%d)` dynamically calculates the exact date 90 days from today in YYYY-MM-DD format, which meets the requirement for automatic disable after exactly 90 days.

Exam trap

The trap here is confusing the `-e` (account expiration date) option with a number of days, when it actually requires a specific date in YYYY-MM-DD format, and confusing `-f` (inactive days after password expiry) with account expiration.

How to eliminate wrong answers

Option A is wrong because the `-f` option sets the number of days after a password expires until the account is permanently disabled (inactive), not the account expiration date itself; it does not disable the account after 90 days from creation. Option C is wrong because the `-e` option expects a date in YYYY-MM-DD format, not a number of days; passing `90` will be interpreted as an invalid date and the account will not be set to expire. Option D is wrong because `-f 90` sets the inactivity period to 90 days after password expiry, and `-e 0` sets the account expiration date to January 1, 1970 (epoch), which disables the account immediately, not after 90 days.

34
MCQhard

After being added to a new supplementary group with usermod -aG, a user logs out and back in but still cannot access files owned by that group. Which command should the user run to verify current effective group membership?

A.newgrp -c 'groups'
B.id
C.groups $(whoami)
D.usermod -g
AnswerB

Option A is correct: the id command displays the current real and effective group IDs, which reflect the session's actual groups.

Why this answer

The `id` command without arguments displays the real and effective user and group IDs, including all supplementary group memberships. After a user is added to a new group with `usermod -aG`, the change takes effect only in new login sessions; running `id` confirms whether the current shell has actually inherited the new group. Option B is correct because it directly shows the effective group membership for the current process.

Exam trap

The trap here is that candidates assume `groups` or `groups $(whoami)` always shows the effective groups of the current shell, but those commands can display cached or database-level information rather than the kernel-level group list that `id` reliably reports.

How to eliminate wrong answers

Option A is wrong because `newgrp -c 'groups'` is not a valid syntax; `newgrp` is used to start a new shell with a different primary group, not to list groups, and the `-c` option is not supported in that way. Option C is wrong because `groups $(whoami)` runs the `groups` command for the username returned by `whoami`, which may reflect the user's group membership from the user database but does not necessarily show the effective groups of the current shell session if the session was started before the group change. Option D is wrong because `usermod -g` is used to change a user's primary group, not to verify current group membership; it requires root privileges and modifies the user database, not the running session.

35
Multi-Selectmedium

Which TWO commands can be used to add the user 'alice' to the supplementary group 'developers'?

Select 2 answers
A.gpasswd -a alice developers
B.useradd -g developers alice
C.usermod -aG developers alice
D.groupmod -a alice developers
E.usermod -g developers alice
AnswersA, C

-a adds user to group.

Why this answer

Option A is correct because `gpasswd -a alice developers` adds the user 'alice' to the supplementary group 'developers' by appending her to the group's member list in /etc/group. Option C is correct because `usermod -aG developers alice` appends 'alice' to the supplementary group 'developers' without removing her from other supplementary groups, which is the intended behavior for adding a user to an additional group.

Exam trap

The trap here is that candidates confuse the `-g` (primary group) and `-G` (supplementary groups) options of `usermod`, and forget that without the `-a` flag, `usermod -G` replaces all supplementary group memberships instead of appending.

36
MCQeasy

During an audit, it is discovered that a critical file /etc/shadow has permissions 644 and is owned by root:shadow. The administrator needs to secure it. What is the correct action?

A.chown root:root /etc/shadow && chmod 600
B.chmod 600 /etc/shadow
C.chmod 640 /etc/shadow
D.chmod 000 /etc/shadow
AnswerB

Restricts access to root only, which is the standard requirement.

Why this answer

Option A is correct: permissions 600 (owner read/write only) is the standard. Option B would also work but changes group to root unnecessarily. Option C (000) is too restrictive and may break PAM.

Option D (640) allows shadow group read access, which is less secure.

37
MCQhard

You are managing a Red Hat Enterprise Linux 8 server that hosts a shared development environment. The server has a directory /projects owned by root:developers with permissions 2770. There are three users: dev1, dev2, and dev3, all members of the 'developers' group. Developers need to create and edit files in /projects, and any new file should be writable by all members of the developers group. However, you notice that when dev1 creates a file, the permissions are 644 instead of 664, and the group is set to dev1's primary group (dev1) instead of 'developers'. After investigating, you find that the setgid bit is set on /projects, but the directory's ACLs are not configured. What is the most efficient way to ensure that new files in /projects inherit the group 'developers' and have group-writable permissions by default?

A.Set a default ACL with setfacl -d -m g:developers:rwx /projects
B.Reapply the setgid bit using chmod g+s /projects
C.Change dev1's umask to 0002 in /etc/bashrc
D.Set the sticky bit on /projects with chmod o+t /projects
AnswerA

Default ACLs ensure that new files inherit the specified permissions, overriding umask for group.

Why this answer

Option A is correct because setting a default ACL on the /projects directory with `setfacl -d -m g:developers:rwx /projects` ensures that any new file or subdirectory created inside /projects automatically inherits the 'developers' group with rwx permissions. This overrides the creating user's umask and primary group, guaranteeing group-writable files (664) and the correct group ownership, which the setgid bit alone cannot achieve for group permissions when the user's umask is restrictive.

Exam trap

The trap here is that candidates assume the setgid bit alone is sufficient to enforce group-writable permissions, but they overlook that the umask of the creating user still restricts the file's group permissions, making default ACLs necessary to guarantee group-write access.

How to eliminate wrong answers

Option B is wrong because the setgid bit (chmod g+s) is already set on /projects and only ensures new files inherit the directory's group ('developers'), but it does not override the user's umask to make files group-writable; files created with umask 022 will still have 644 permissions. Option C is wrong because changing dev1's umask to 0002 in /etc/bashrc would affect all processes for dev1 system-wide, not just files in /projects, and it does not address the group ownership issue (files would still be owned by dev1's primary group, not 'developers'). Option D is wrong because the sticky bit (chmod o+t) only prevents users from deleting files they do not own in a shared directory; it has no effect on file permissions or group inheritance.

38
Matchingmedium

Match each firewall zone to its default trust level.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Low trust; only allow selected incoming connections

Moderate trust; for private networks

High trust; accept all connections

For publicly accessible systems isolated from internal network

Why these pairings

Firewalld zones define trust levels for network interfaces.

39
MCQmedium

A user was recently added to the 'testgrp' group using `usermod -aG testgrp user1`. However, when they try to access a file owned by testgrp with permissions 660, they get permission denied. What is the most likely reason?

A.The user's primary group is not testgrp.
B.The user did not log out and log back in.
C.The file's group owner is not testgrp.
D.The file's ACL overrides group permissions.
AnswerB

The new group membership is not active until the user re-authenticates.

Why this answer

When a user is added to a supplementary group with `usermod -aG`, the group membership change does not take effect in the user's current login session. The user must log out and log back in (or start a new login shell) for the new group to be recognized by the kernel's process credential system. Without this, the user's process lacks the group ID in its supplementary group list, so access to a file with group permissions (660) is denied.

Exam trap

The trap here is that candidates assume `usermod -aG` immediately grants access, overlooking that group membership changes require a new login session to take effect in the process's credential cache.

How to eliminate wrong answers

Option A is wrong because the primary group is irrelevant for accessing a file owned by a supplementary group; the file's group permissions are checked against all groups the user belongs to, including supplementary groups. Option C is wrong because the question states the file is owned by testgrp, so the group owner is correct; if it were not, the user would not get group permissions but could still get 'other' permissions (which are 0 in 660). Option D is wrong because there is no mention of ACLs in the scenario, and standard POSIX permissions (660) are in effect; ACLs would only override if explicitly set, and the question does not indicate that.

40
Drag & Dropmedium

Arrange the steps to configure a network bond (mode 1) using two interfaces (eth0, eth1) in RHEL.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Network bonding requires creating a bond interface and configuring slaves, then restarting network.

41
MCQeasy

An administrator wants to modify the default expiration settings for new user passwords. Which file should be modified?

A./etc/shadow
B./etc/pam.d/passwd
C./etc/security/pwquality.conf
D./etc/login.defs
AnswerD

Contains default settings for password aging and other account parameters.

Why this answer

Option B is correct: /etc/login.defs contains the default password aging parameters like PASS_MAX_DAYS and PASS_WARN_AGE. Option A (/etc/shadow) stores per-user values, not defaults. Option C is for password quality.

Option D is for PAM configuration.

42
MCQhard

Refer to the exhibit. A user bob exists with UID 1002 and GID 1002. The /etc/group shows a group bob with GID 1002 but no members listed. Bob tries to access a file owned by group 'bob' with permissions 640 and owner root. What will happen?

A.Bob will not be able to read the file because the group bob has no members.
B.Bob will be able to read the file because he is a member of the group bob.
C.Bob will be able to read the file if his primary group is bob, which it is.
D.Bob will be able to read the file only if he is explicitly listed in /etc/group.
AnswerC

Option C is correct; Bob's primary group is bob (GID 1002) as defined in /etc/passwd, so he is considered a member of the group bob for file access purposes.

43
Multi-Selecthard

Which THREE statements about /etc/shadow are true? (Choose exactly 3)

Select 3 answers
A.Contains account expiration dates.
B.Contains the date of last password change.
C.Contains encrypted password hashes.
D.Is readable by all users.
E.Contains user ID numbers.
AnswersA, B, C

Option C is correct; /etc/shadow includes the account expiration date field.

Why this answer

Option A is correct because the /etc/shadow file stores account expiration dates in the ninth field (field 9), which is the number of days since the epoch until the account is disabled. This field is used by the system to enforce account aging policies, such as automatically locking accounts after a set period of inactivity.

Exam trap

Red Hat often tests the distinction between /etc/passwd and /etc/shadow, trapping candidates who think UIDs or group membership are in shadow, or that shadow is world-readable like passwd.

44
MCQeasy

A system administrator needs to ensure that the user 'jdoe' cannot log in via SSH but can still use other services like FTP. Which approach should the administrator take?

A.Lock the user account with 'usermod -L jdoe'
B.Delete the user's password with 'passwd -d jdoe'
C.Remove the user's home directory
D.Change the user's shell to /sbin/nologin
AnswerD

/sbin/nologin prevents interactive login but allows non-login services like FTP.

Why this answer

Option D is correct because changing the user's shell to /sbin/nologin prevents interactive login via SSH (which requires a valid shell listed in /etc/shells) while still allowing non-interactive services like FTP, which typically do not check the user's shell. This approach specifically blocks SSH access without locking the account or affecting other authentication methods.

Exam trap

The trap here is that candidates often confuse account locking (usermod -L) with shell restriction, assuming that locking the account only affects SSH, when in fact it blocks all password-based authentication, including FTP and other services.

How to eliminate wrong answers

Option A is wrong because 'usermod -L' locks the account by placing an exclamation mark in the password hash field, which prevents all password-based authentication, including FTP, thus blocking the user from using other services. Option B is wrong because 'passwd -d' deletes the password, leaving the account with an empty password, which may allow login without a password (depending on PAM configuration) and does not specifically block SSH while allowing FTP. Option C is wrong because removing the home directory does not prevent SSH login; the user could still authenticate and log in, though they would have no home directory, potentially causing errors but not blocking access.

45
MCQmedium

A user 'carol' is in group 'staff'. The directory /shared has permissions drwxrwx--- and group staff. Carol can create files but cannot delete other users' files. What is missing?

A.Change carol's umask
B.Set the setgid bit with 'chmod g+s /shared'
C.Change directory permissions to 770
D.Set the sticky bit with 'chmod +t /shared'
AnswerD

Sticky bit restricts deletion to file owners and root.

Why this answer

Option A is correct: setting the sticky bit (+t) on the directory prevents users from deleting files they do not own. Option B (setgid) affects group inheritance, not deletion. Option C is not about directory.

Option D is already not world-writable.

46
MCQeasy

A server has been compromised, and the administrator suspects an unauthorized user account may have been created. Which file should be examined to list all local user accounts?

A./etc/shadow
B./etc/passwd
C./etc/shells
D./etc/login.defs
AnswerB

Option A is correct: /etc/passwd contains one line per user account, listing all local users.

Why this answer

The /etc/passwd file is the primary local user account database on Linux systems, listing all user accounts with fields such as username, UID, GID, GECOS, home directory, and login shell. Examining this file reveals every local user account, including any unauthorized ones that may have been created, because each account must have an entry here to be recognized by the system.

Exam trap

Red Hat often tests the misconception that /etc/shadow contains the list of user accounts, but it only stores password hashes and aging data; the actual account list is always in /etc/passwd.

How to eliminate wrong answers

Option A is wrong because /etc/shadow stores encrypted password hashes and password aging information, not the list of user accounts; it is a companion file to /etc/passwd but does not contain usernames by itself. Option C is wrong because /etc/shells lists valid login shells (e.g., /bin/bash, /bin/sh) and is used by chsh and FTP daemons to validate shell choices, not to enumerate user accounts. Option D is wrong because /etc/login.defs defines configuration defaults for user account creation (e.g., UID ranges, password aging parameters) but does not contain the actual list of user accounts.

47
MCQhard

An administrator used the command useradd -D -f 10 to change the default inactivity period. What effect does this have on future user accounts?

A.The default group for new users will be changed to GID 10.
B.New user accounts will have a maximum password age of 10 days.
C.New user accounts will be disabled after 10 days of inactivity if the password has expired.
D.New user accounts will have a password expiration of 10 days.
AnswerC

Option B is correct; -f sets the number of days after password expiration until the account is disabled. A value of 10 means 10 days of inactivity after password expiry.

Why this answer

The `useradd -D -f 10` command modifies the default value for the `INACTIVE` field in `/etc/default/useradd`. This field sets the number of days after a password expires that the account will be disabled if the password is not changed. Option C correctly describes this behavior: new user accounts will be disabled after 10 days of inactivity following password expiration.

Exam trap

The trap here is confusing the `-f` (inactivity period after password expiration) with password aging (`-M` or `PASS_MAX_DAYS`), leading candidates to incorrectly select options B or D.

How to eliminate wrong answers

Option A is wrong because `-f` sets the inactivity period, not the default group; the default group is set with `-g` or `-G`. Option B is wrong because the maximum password age is controlled by the `PASS_MAX_DAYS` parameter in `/etc/login.defs`, not by the `-f` flag. Option D is wrong because the `-f` flag sets the inactivity period after password expiration, not the password expiration itself; password expiration is set with `-e` or via `chage -M`.

48
MCQeasy

An administrator wants to add the user 'jane' to the supplementary groups 'wheel' and 'docker' without removing her from other groups. Which command should be used?

A.groupmems -a jane -g wheel,docker
B.usermod -aG wheel,docker jane
C.usermod -a -G wheel,docker jane
D.usermod -G wheel,docker jane
AnswerB

The -aG option appends the specified groups to the user's existing supplementary groups.

Why this answer

Option B is correct because the `usermod -aG` command appends the user 'jane' to the supplementary groups 'wheel' and 'docker' without removing her from any existing supplementary groups. The `-a` (append) flag must be used with `-G` to avoid overwriting the current group membership list, which is the default behavior of `-G` alone.

Exam trap

The trap here is that candidates often forget that `usermod -G` without `-a` overwrites all supplementary groups, leading them to choose option D, which would remove the user from any groups not listed, such as 'users' or other custom groups.

How to eliminate wrong answers

Option A is wrong because `groupmems` is used to manage members of a single group (e.g., add/remove users from one group at a time) and does not support specifying multiple groups in a comma-separated list; it would fail or behave unexpectedly. Option C is wrong because `-a -G` is syntactically valid but functionally identical to `-aG`; however, the option order `-a -G` is non-standard and may cause parsing issues on some systems, making it less reliable than the combined `-aG` form. Option D is wrong because `usermod -G wheel,docker jane` without the `-a` flag will replace all supplementary groups for 'jane' with only 'wheel' and 'docker', removing her from any other groups she belongs to, which violates the requirement to not remove her from other groups.

Ready to test yourself?

Try a timed practice session using only Manage users and groups questions.