groupadd
Create a new group
By CMD Script Team · 4 min read · Last updated
groupadd [OPTIONS] GROUP_NAMEOptions
| Flag | Description |
|---|---|
-g GID | Assign a specific numeric group ID instead of the next available one |
-r | Create a system group (uses the reserved system GID range) |
-f | Exit successfully (no error) if the group already exists |
-p PASSWORD | Set an encrypted password for the group (rarely used; group passwords are largely obsolete) |
Distribution compatibility
- Ubuntu
- Debian
- Fedora
- Arch
- macOS (not available; use dscl -create /Groups instead)
What it does
groupadd creates a new group by adding an entry to /etc/group (and /etc/gshadow if
group passwords are in use). It only creates the group itself — it does not add any
users to it; that's a separate step with usermod -aG or by editing /etc/group
directly.
Beginner examples
sudo groupadd developers— create a new group nameddeveloperscat /etc/group | grep developers— confirm the group was created and see its GIDsudo usermod -aG developers alice— add an existing user to the new groupgetent group developers— look up a group regardless of whether it comes from/etc/groupor a network directory service
sudo groupadd developers
Advanced examples
- Create a group with an explicit GID to keep IDs consistent across servers (important
for NFS-shared storage or containers):
sudo groupadd -g 3000 developers. - Create a system group for a service/daemon, using the reserved low GID range:
sudo groupadd -r nginx. - Make group creation idempotent in scripts by ignoring "already exists" errors:
sudo groupadd -f developers. - Create a group and immediately populate it with several users:
sudo groupadd deploy && sudo usermod -aG deploy alice && sudo usermod -aG deploy bob.
sudo groupadd -g 3000 developers && sudo usermod -aG developers alice
Common mistakes
- Running
groupaddand expecting any users to be members automatically — it creates an empty group; you must add members separately withusermod -aG. - Picking a GID that collides with an existing group or with GIDs used on other servers in a shared-storage (NFS) environment, causing permission confusion later.
- Forgetting
-fin idempotent automation scripts, causing the script to fail with "group already exists" on reruns. - Confusing group GIDs with usernames/UIDs — they're separate numbering spaces, and a group and a user can coincidentally share a number without being related.
Tips
- Decide on and document a GID numbering convention (e.g. reserving a range for application groups) before creating groups across multiple servers, especially for NFS shares where GID consistency matters.
- Use
-rfor groups meant to be associated with system services/daemons rather than interactive human users, matching your distro's conventions. - Follow up every
groupaddwith theusermod -aGcalls needed to actually populate it — an empty group has no effect on its own.
Best practices
- In configuration management (Ansible, Puppet, etc.), pin explicit GIDs for groups that need to match across multiple hosts, rather than relying on "next available."
- Prefer
-fin provisioning scripts so repeated runs are idempotent instead of failing on a group that already exists. - Keep group purposes narrow and named clearly (e.g.
deploy,docker,developers) rather than reusing one broad group for many unrelated permission needs.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Creating a
developersgroup so multiple engineers can share read/write access to a project directory viachgrpandchmod g+rw. - Creating a dedicated system group for a newly installed service so its files and socket permissions can be scoped to that group instead of world-writable.
- Standardizing GIDs across a fleet of servers so an NFS-mounted directory's group permissions resolve consistently on every host.
Common interview questions
- What's the difference between
groupaddandusermod -aG?groupaddcreates a new, empty group;usermod -aGadds an existing user to one or more existing groups. They're complementary — you typically rungroupaddonce, thenusermod -aGper user. - Why would you specify
-g GIDexplicitly instead of letting the system pick one? To keep the same GID consistent across multiple servers, which matters for NFS shares or container UID/GID mappings where numeric IDs — not names — determine access. - What is a system group (
-r) used for? Groups intended for services/daemons rather than human users, allocated from a lower, reserved GID range separate from regular user groups.
Frequently Asked Questions
How is groupadd different from usermod -aG?
groupadd creates a brand new group entry in /etc/group; it doesn't add any users to it. usermod -aG adds an existing user to one or more already-existing groups. You typically run groupadd first, then usermod -aG to populate it.
What's the difference between a regular group and a system group (-r)?
System groups (-r) are allocated from a lower, reserved GID range (below the normal user group range configured in /etc/login.defs) and are conventionally used for services and daemons rather than human users.
Do I need root privileges to run groupadd?
Yes. Like useradd, groupadd writes to /etc/group and /etc/gshadow, which require root privileges (or sudo) to modify.
How do I see all groups on the system?
Read /etc/group directly, or use getent group to list all groups including those resolved via other sources like LDAP or NIS.
Cheat sheet
Download a quick-reference cheat sheet for groupadd.