That is what confuses me, I show that the default users group is
"ipausers", however when I added an account which I just tested it added to
admins group.  Anything else that could be making it add it to the "admin"

[root@ipa01 ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
*  Default users group: ipausers*
  Default e-mail domain:
  Search time limit: 2
  Search size limit: -1
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=M451.TECH
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order:
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@ipa01 ~]# ipa user-add testuser-devin
First name: Devin
Last name: Acosta
Added user "testuser-devin"
  User login: testuser-devin
  First name: Devin
  Last name: Acosta
  Full name: Devin Acosta
  Display name: Devin Acosta
  Initials: DA
  Home directory: /home/testuser-devin
  GECOS: Devin Acosta
  Login shell: /bin/bash
  Principal name:
  Principal alias:
  Email address:
  UID: 34375527
  GID: 34375527
  Password: False
  *Member of groups: ipausers, admins*
  Roles: IT Security Specialist, sec_netops2, helpdesk, IT Specialist, User
Administrator, Security Architect, ipa_join
  Indirect Member of role: ipa_join, helpdesk, IT Security Specialist,
sec_netops2, IT Specialist, Security Architect, User Administrator
  Kerberos keys available: False

On Fri, Jun 2, 2017 at 11:02 AM, Rob Crittenden <> wrote:

> Devin Acosta via FreeIPA-users wrote:
> >
> > I am hoping to see if someone can tell me what I either need to change
> > or update to get it so that FreeIPA doesn't automatically keep adding
> > all new users that is created automatically to the admin group. I
> > inherited this installation of FreeIPA and so far haven't been able to
> > figure out what either got changed or how to disable this behavior? I am
> > running the latest FreeIPA 4.4 on CentOS 7.3.
> >
> > Any help would be greatly appreciated.
> Probably the default users group. Try:
> $ kinit admin
> $ ipa config-show |grep 'Default users group'
> Can be changed using:
> $ ipa config-mod --defaultgroup ipausers
> You can probably do this in the UI as well but I'm a CLI guy.
> rob
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to