diff --git a/lib/srv/usermgmt.go b/lib/srv/usermgmt.go
index 924ea368de0fc..100194c52c755 100644
--- a/lib/srv/usermgmt.go
+++ b/lib/srv/usermgmt.go
@@ -451,11 +451,13 @@ func (u *HostUserManagement) createGroupIfNotExist(group string) error {
 	if err != nil && !isUnknownGroupError(err, group) {
 		return trace.Wrap(err)
 	}
+
 	err = u.backend.CreateGroup(group, "")
 	if trace.IsAlreadyExists(err) {
 		return nil
 	}
-	return trace.Wrap(err)
+
+	return trace.Wrap(err, "creating group %q", group)
 }
 
 // isUnknownGroupError returns whether the error from LookupGroup is an unknown group error.
diff --git a/lib/utils/host/hostusers.go b/lib/utils/host/hostusers.go
index 92b2bd15e90b9..e3d1d13397674 100644
--- a/lib/utils/host/hostusers.go
+++ b/lib/utils/host/hostusers.go
@@ -32,6 +32,7 @@ import (
 
 // man GROUPADD(8), exit codes section
 const GroupExistExit = 9
+const GroupInvalidArg = 3
 
 // man USERADD(8), exit codes section
 const UserExistExit = 9
@@ -56,6 +57,15 @@ func GroupAdd(groupname string, gid string) (exitCode int, err error) {
 	if cmd.ProcessState.ExitCode() == GroupExistExit {
 		return cmd.ProcessState.ExitCode(), trace.AlreadyExists("group already exists")
 	}
+
+	if cmd.ProcessState.ExitCode() == GroupInvalidArg {
+		errMsg := "bad parameter"
+		if strings.Contains(string(output), "not a valid group name") {
+			errMsg = "invalid group name"
+		}
+		return cmd.ProcessState.ExitCode(), trace.BadParameter(errMsg)
+	}
+
 	return cmd.ProcessState.ExitCode(), trace.Wrap(err)
 }