what the original poster calls a "group" is what books on line calls a "role". you typically create a role and add the expected rights tot eh role, then add users to the role.
here's a nice script i like to use as an example:
create database Whatever
GO
USE Whatever
CREATE ROLE [ReallyReadOnly]
--give reader rights to this group
ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [ReallyReadOnly]
--explicitly DENY access to writing
ALTER AUTHORIZATION ON SCHEMA::[DB_DenyDataWriter] TO [ReallyReadOnly]
GRANT EXECUTE TO [ReallyReadOnly]
--create the Role for my Dev guys, who create tables and procs
CREATE ROLE [WhateverDEVAdmins]
ALTER AUTHORIZATION ON SCHEMA::[db_ddladmin] TO [WhateverDEVAdmins]
ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [WhateverDEVAdmins]
ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [WhateverDEVAdmins]
GRANT EXECUTE,ALTER TO [WhateverDEVAdmins]
--create role for my normal users
CREATE ROLE [WhateverDEVUsers]
ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [WhateverDEVUsers]
ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [WhateverDEVUsers]
GRANT EXECUTE TO [WhateverDEVUsers]
--now add specific users to nearly-Admins
IF NOT EXISTS (SELECT * FROM MASTER.dbo.syslogins WHERE name = N'bob')
BEGIN
EXEC MASTER.dbo.sp_addlogin @loginame = N'bob', @passwd = 'NotARealPassword', @defdb = N'WHATEVER', @deflanguage = N'us_english'
--add this user to permit read and write
END
IF NOT EXISTS (SELECT * FROM MASTER.dbo.syslogins WHERE name = N'jeff')
BEGIN
EXEC MASTER.dbo.sp_addlogin @loginame = N'jeff', @passwd = 'NotARealPassword', @defdb = N'WHATEVER', @deflanguage = N'us_english'
END
USE [WHATEVER]
--make a user in the db for the matching login
CREATE USER [bob] FOR LOGIN [bob]
CREATE USER [jeff] FOR LOGIN [jeff]
--add these logs to the role
EXEC sp_addrolemember N'WhateverDEVAdmins', N'bob'
EXEC sp_addrolemember N'WhateverDEVAdmins', N'jeff'
CREATE LOGIN [NT AUTHORITY\Authenticated Users] FROM WINDOWS WITH DEFAULT_DATABASE=[WHATEVER]
CREATE USER [NT AUTHORITY\Authenticated Users] FOR LOGIN [NT AUTHORITY\Authenticated Users]
EXEC sp_addrolemember N'WhateverDEVUsers', N'NT AUTHORITY\Authenticated Users'
Lowell