>_cmd.script

groupadd

Create a new group

Groups

By CMD Script Team · 4 min read · Last updated

SYNTAX
groupadd [OPTIONS] GROUP_NAME

Options

Command options and flags
FlagDescription
-g GIDAssign a specific numeric group ID instead of the next available one
-rCreate a system group (uses the reserved system GID range)
-fExit successfully (no error) if the group already exists
-p PASSWORDSet an encrypted password for the group (rarely used; group passwords are largely obsolete)

Distribution compatibility

  • Ubuntu
  • Debian
  • Fedora
  • Arch
  • macOS (not available; use dscl -create /Groups instead)

What it does

groupadd creates a new group by adding an entry to /etc/group (and /etc/gshadow if group passwords are in use). It only creates the group itself — it does not add any users to it; that's a separate step with usermod -aG or by editing /etc/group directly.

Beginner examples

  • sudo groupadd developers — create a new group named developers
  • cat /etc/group | grep developers — confirm the group was created and see its GID
  • sudo usermod -aG developers alice — add an existing user to the new group
  • getent group developers — look up a group regardless of whether it comes from /etc/group or a network directory service
sudo groupadd developers

Advanced examples

  • Create a group with an explicit GID to keep IDs consistent across servers (important for NFS-shared storage or containers): sudo groupadd -g 3000 developers.
  • Create a system group for a service/daemon, using the reserved low GID range: sudo groupadd -r nginx.
  • Make group creation idempotent in scripts by ignoring "already exists" errors: sudo groupadd -f developers.
  • Create a group and immediately populate it with several users: sudo groupadd deploy && sudo usermod -aG deploy alice && sudo usermod -aG deploy bob.
sudo groupadd -g 3000 developers && sudo usermod -aG developers alice

Common mistakes

  • Running groupadd and expecting any users to be members automatically — it creates an empty group; you must add members separately with usermod -aG.
  • Picking a GID that collides with an existing group or with GIDs used on other servers in a shared-storage (NFS) environment, causing permission confusion later.
  • Forgetting -f in idempotent automation scripts, causing the script to fail with "group already exists" on reruns.
  • Confusing group GIDs with usernames/UIDs — they're separate numbering spaces, and a group and a user can coincidentally share a number without being related.

Tips

  • Decide on and document a GID numbering convention (e.g. reserving a range for application groups) before creating groups across multiple servers, especially for NFS shares where GID consistency matters.
  • Use -r for groups meant to be associated with system services/daemons rather than interactive human users, matching your distro's conventions.
  • Follow up every groupadd with the usermod -aG calls needed to actually populate it — an empty group has no effect on its own.

Best practices

  • In configuration management (Ansible, Puppet, etc.), pin explicit GIDs for groups that need to match across multiple hosts, rather than relying on "next available."
  • Prefer -f in provisioning scripts so repeated runs are idempotent instead of failing on a group that already exists.
  • Keep group purposes narrow and named clearly (e.g. deploy, docker, developers) rather than reusing one broad group for many unrelated permission needs.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Creating a developers group so multiple engineers can share read/write access to a project directory via chgrp and chmod g+rw.
  • Creating a dedicated system group for a newly installed service so its files and socket permissions can be scoped to that group instead of world-writable.
  • Standardizing GIDs across a fleet of servers so an NFS-mounted directory's group permissions resolve consistently on every host.

Common interview questions

  • What's the difference between groupadd and usermod -aG? groupadd creates a new, empty group; usermod -aG adds an existing user to one or more existing groups. They're complementary — you typically run groupadd once, then usermod -aG per user.
  • Why would you specify -g GID explicitly instead of letting the system pick one? To keep the same GID consistent across multiple servers, which matters for NFS shares or container UID/GID mappings where numeric IDs — not names — determine access.
  • What is a system group (-r) used for? Groups intended for services/daemons rather than human users, allocated from a lower, reserved GID range separate from regular user groups.

Frequently Asked Questions

How is groupadd different from usermod -aG?

groupadd creates a brand new group entry in /etc/group; it doesn't add any users to it. usermod -aG adds an existing user to one or more already-existing groups. You typically run groupadd first, then usermod -aG to populate it.

What's the difference between a regular group and a system group (-r)?

System groups (-r) are allocated from a lower, reserved GID range (below the normal user group range configured in /etc/login.defs) and are conventionally used for services and daemons rather than human users.

Do I need root privileges to run groupadd?

Yes. Like useradd, groupadd writes to /etc/group and /etc/gshadow, which require root privileges (or sudo) to modify.

How do I see all groups on the system?

Read /etc/group directly, or use getent group to list all groups including those resolved via other sources like LDAP or NIS.

Cheat sheet

Download a quick-reference cheat sheet for groupadd.