About Luca Berton
Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.
Ansible Disable User Account: Lock & Deactivate Users (Guide) — Video Tutorial
How to disable user accounts in Ansible with the user module. Lock passwords, set nologin shell, expire accounts, and implement offboarding with examples.
What You'll Learn
- How to disable a user account with Ansible?
- Ansible disable user account
- Parameters
- code
- execution
- verification
- Conclusion
- Disable User Account
- Quick disable (expire + lock)
- Complete Offboarding Playbook
Full Tutorial Content
How to disable a user account with Ansible?
I'm going to show you a live Playbook with some simple Ansible code.
I'm Luca Berton and welcome to today's episode of Ansible Pilot.
Ansible disable user account
Today we're talking about the Ansible module `user`.
The full name is `ansible.builtin.user`, which means that it is part of the "builtin" collection of modules shipped with Ansible.
It is a stable module that has been available for years, and it manages user accounts.
It supports a wide variety of Linux distributions, as well as SunOS, macOS, and FreeBSD.
For Windows, use the `ansible.windows.win_user` module instead.
Parameters
- `name` (string): username
- `state` (string): present/absent
- `password_lock` (boolean): no/yes
- `shell` (string): "/sbin/nologin"
This module has many parameters for a wide range of tasks.
The only required parameter is "name", which is the username.
The "state" parameter allows us to create or delete a user.
The "password_lock" parameter locks the user's password.
This parameter uses the `passwd` tool on Linux systems to disable a password by changing it to a value that matches no possible encrypted value (it adds a `!` at the beginning of the password).
This parameter does not disable the user; it only locks the password. A locked password does not necessarily mean the user cannot log in using other methods.
The "shell" parameter specifies the user's shell. A special case is the `nologin` shell. When a user with that shell logs in, they get a polite message saying 'This account is currently not available.' This message can be customized with the file `/etc/nologin.txt`.
## Playbook
Let's jump into a real-life Ansible Playbook to disable a user.
code
- user_disable.yml
```yaml
---
- name: user module Playbook
  hosts: all
  become: true
  vars:
    myuser: "example"
  tasks:
    # Keep the account, but lock its password and replace its login shell
    - name: disable user
      ansible.builtin.user:
        name: "{{ myuser }}"
        state: present
        password_lock: true
        shell: "/sbin/nologin"
```
execution
output
```bash
$ ansible-playbook -i Playbook/inventory disable\ user\ account/user.yml
PLAY [user module Playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [disable user] *******************************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
verification
```bash
$ ssh devops@demo.example.com
$ sudo su -
[root@demo ~]# getent passwd
example:x:1002:1002::/home/example:/sbin/nologin
[root@demo ~]# passwd -S example
example LK 2021-09-30 0 99999 7 -1 (Password locked.)
[root@demo ~]# grep example /etc/shadow
example:!!:18900:0:99999:7:::
```
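The manual checks above can be turned into a repeatable audit that also reports account expiry, since a locked password on its own does not disable the account. This is an added example, not code from the original tutorial; the function name `audit_account` and its output labels are assumptions, and the `olduser` entry is constructed sample data.

```shell
#!/bin/sh
# Added example: classify one account from its passwd and shadow entries.
# Usage: audit_account PASSWD_LINE SHADOW_LINE [TODAY_IN_DAYS_SINCE_EPOCH]
audit_account() {
    passwd_line=$1
    shadow_line=$2
    today=${3:-$(( $(date +%s) / 86400 ))}

    # passwd field 7 = login shell; shadow field 2 = hash, field 8 = expiry day
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)

    # A hash starting with "!" or "*" can never match a typed password.
    case $hash in
        '!'*|'*'*) pw=locked ;;
        '')        pw=empty ;;
        *)         pw=usable ;;
    esac

    # nologin/false refuse an interactive session.
    case $shell in
        */nologin|*/false) sh=blocked ;;
        *)                 sh=interactive ;;
    esac

    # Expiry is a day count since 1970-01-01; empty means "never".
    # shadow(5) calls the value 0 ambiguous, so it is not counted as expired.
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        exp=expired
    else
        exp=active
    fi

    printf 'password=%s shell=%s account=%s\n' "$pw" "$sh" "$exp"
}

# Entry produced by the playbook above (values from the verification output).
audit_account 'example:x:1002:1002::/home/example:/sbin/nologin' \
              'example:!!:18900:0:99999:7:::'

# Constructed entry: password still usable, but the account itself is expired.
audit_account 'olduser:x:1003:1003::/home/olduser:/bin/bash' \
              'olduser:$6$salt$hash:18900:0:99999:7::1:'
```

A result of `password=locked` with `account=active`, as for the `example` user, means only password authentication is blocked and the account has not been expired.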
About This Tutorial
- Author: Luca Berton
- Difficulty: Beginner
- Read time: 7 min
- Category: troubleshooting