diff --git a/actions/delete-ldap-user b/actions/delete-ldap-user
index 2038e998f..3787e226f 100755
--- a/actions/delete-ldap-user
+++ b/actions/delete-ldap-user
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # This file is part of Plinth.
 #
@@ -29,18 +29,19 @@ else
     exit 1
 fi
 
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=admin,ou=groups,dc=thisbox
+# update groups
+results=$(ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(uniqueMember=uid=$username,ou=users,dc=thisbox)" dn | grep -v '^$')
+
+while read -r line; do
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+$line
 changetype: modify
 delete: uniqueMember
 uniqueMember: uid=$username,ou=users,dc=thisbox
 EOF
 
-if [ $? -eq 0 ]; then
-    echo "Removed user from admin group"
-elif [ $? -eq 16 ]; then
-    echo "User was not in admin group"
-elif [ $? -eq 65 ]; then
-    echo "Cannot remove last LDAP admin user"
-    exit 2
-fi
+    if [ $? -eq 65 ]; then
+	# Cannot have empty group, so just delete the group.
+	ldapdelete -Y EXTERNAL -H ldapi:/// "$line"
+    fi
+done <<< "$results"
diff --git a/actions/get-ldap-user-groups b/actions/get-ldap-user-groups
new file mode 100755
index 000000000..f9aa51556
--- /dev/null
+++ b/actions/get-ldap-user-groups
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# This file is part of Plinth.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Must be run as root.
+
+username="$1"
+
+ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(uniqueMember=uid=$username,ou=users,dc=thisbox)" cn | awk '/cn:/ { print $2 }'
diff --git a/actions/rename-ldap-user b/actions/rename-ldap-user
index 6346987bc..acb235dad 100755
--- a/actions/rename-ldap-user
+++ b/actions/rename-ldap-user
@@ -35,23 +35,21 @@ else
     exit 1
 fi
 
-# check if user is admin
-results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=admin,ou=groups,dc=thisbox' -LLL "(uniqueMember=uid=$old_username,ou=users,dc=thisbox)" uniqueMember)
+# update groups
+results=$(ldapsearch 2>/dev/null -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(uniqueMember=uid=$old_username,ou=users,dc=thisbox)" dn | grep -v '^$')
 
-if [ -z "$results" ]; then
-    exit 0
-fi
-
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=admin,ou=groups,dc=thisbox
+while read -r line; do
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+$line
 changetype: modify
 add: uniqueMember
 uniqueMember: uid=$new_username,ou=users,dc=thisbox
 EOF
 
-cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=admin,ou=groups,dc=thisbox
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+$line
 changetype: modify
 delete: uniqueMember
 uniqueMember: uid=$old_username,ou=users,dc=thisbox
 EOF
+done <<< "$results"
diff --git a/plinth/modules/first_boot/forms.py b/plinth/modules/first_boot/forms.py
index 3f2ba8097..b4fea529f 100644
--- a/plinth/modules/first_boot/forms.py
+++ b/plinth/modules/first_boot/forms.py
@@ -80,6 +80,9 @@ than 63 characters in length.'),
                 messages.error(self.request,
                                _('Failed to add new user to admin group.'))
 
+            g = Group.objects.create(name='admin')
+            g.user_set.add(user)
+
             self.login_user()
 
         return user
diff --git a/plinth/modules/users/forms.py b/plinth/modules/users/forms.py
index ec13cd4d6..67688d2fe 100644
--- a/plinth/modules/users/forms.py
+++ b/plinth/modules/users/forms.py
@@ -17,25 +17,37 @@
 
 from django import forms
 from django.contrib import messages
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, Group
 from django.contrib.auth.forms import UserCreationForm, SetPasswordForm
+from django.core.exceptions import ObjectDoesNotExist
 from gettext import gettext as _
 
 from plinth import actions
 from plinth.errors import ActionError
 
+GROUP_CHOICES = (
+    ('admin', 'admin'),
+    ('wiki', 'wiki'),
+)
+
 
 class CreateUserForm(UserCreationForm):
     """Custom user create form.
 
-    Include option to also create LDAP user.
+    Include options to add user to groups.
     """
 
-    add_ldap_user = forms.BooleanField(
-        label=_('Also create an LDAP user'),
+    groups = forms.MultipleChoiceField(
+        choices=GROUP_CHOICES,
+        label=_('Groups'),
         required=False,
-        help_text=_('This will allow the new user to log in to various '
-                    'services that support single sign-on through LDAP.'))
+        help_text=_('Select which services should be available to the new '
+                    'user. The user will be able to log in to services that '
+                    'support single sign-on through LDAP, if they are in the '
+                    'appropriate group.<br /><br />'
+                    'Users in the admin group will be able to log in to all '
+                    'services. They can also log in to the system through SSH '
+                    'and have administrative privileges (sudo).'))
 
     def __init__(self, request, *args, **kwargs):
         """Initialize the form with extra request argument."""
@@ -47,22 +59,30 @@ class CreateUserForm(UserCreationForm):
         user = super(CreateUserForm, self).save(commit)
 
         if commit:
-            if self.cleaned_data['add_ldap_user']:
-                try:
-                    actions.superuser_run(
-                        'create-ldap-user',
-                        [user.get_username(), self.cleaned_data['password1']])
-                except ActionError:
-                    messages.error(self.request,
-                                   _('Creating LDAP user failed.'))
+            try:
+                actions.superuser_run(
+                    'create-ldap-user',
+                    [user.get_username(), self.cleaned_data['password1']])
+            except ActionError:
+                messages.error(self.request,
+                               _('Creating LDAP user failed.'))
 
+            for group in self.cleaned_data['groups']:
                 try:
                     actions.superuser_run(
                         'add-ldap-user-to-group',
-                        [user.get_username(), 'admin'])
+                        [user.get_username(), group])
                 except ActionError:
-                    messages.error(self.request,
-                                   _('Failed to add new user to admin group.'))
+                    messages.error(
+                        self.request,
+                        _('Failed to add new user to %s group.') % group)
+
+                try:
+                    g = Group.objects.get(name=group)
+                except ObjectDoesNotExist:
+                    g = Group.objects.create(name=group)
+                g.user_set.add(user)
+
         return user
 
 
@@ -96,6 +116,27 @@ class UserUpdateForm(forms.ModelForm):
                     messages.error(self.request,
                                    _('Renaming LDAP user failed.'))
 
+            output = actions.superuser_run('get-ldap-user-groups',
+                                           [user.get_username()])
+            old_groups = output.strip().split('\n')
+            new_groups = user.groups.values_list('name', flat=True)
+            for old_group in old_groups:
+                if old_group not in new_groups:
+                    try:
+                        actions.superuser_run('remove-ldap-user-from-group',
+                                              [user.get_username(), old_group])
+                    except ActionError:
+                        messages.error(self.request,
+                                       _('Failed to add user to group.'))
+            for new_group in new_groups:
+                if new_group not in old_groups:
+                    try:
+                        actions.superuser_run('add-ldap-user-to-group',
+                                              [user.get_username(), new_group])
+                    except ActionError:
+                        messages.error(self.request,
+                                       _('Failed to remove user from group.'))
+
         return user
 
 
diff --git a/plinth/modules/users/templates/users_change_password.html b/plinth/modules/users/templates/users_change_password.html
index 4eae225e0..15a148c04 100644
--- a/plinth/modules/users/templates/users_change_password.html
+++ b/plinth/modules/users/templates/users_change_password.html
@@ -31,12 +31,6 @@
 
         {{ form|bootstrap }}
 
-        {% if is_ldap_user %}
-        <p>This user is also an LDAP user and password for LDAP user will also
-          be updated.
-        </p>
-        {% endif %}
-
         <input type="submit" class="btn btn-primary" value="Save Password"/>
 
       </form>
diff --git a/plinth/modules/users/templates/users_delete.html b/plinth/modules/users/templates/users_delete.html
index d8bf3a311..fa2b2ffc2 100644
--- a/plinth/modules/users/templates/users_delete.html
+++ b/plinth/modules/users/templates/users_delete.html
@@ -24,10 +24,6 @@
 
   <h3>Delete User <em>{{ object.username }}</em></h3>
 
-  {% if is_ldap_user %}
-  <p>This user is also an LDAP user.  LDAP user will also be deleted.</p>
-  {% endif %}
-
   <p>Delete user permanently?</p>
 
   <form class="form" method="post">
diff --git a/plinth/modules/users/templates/users_update.html b/plinth/modules/users/templates/users_update.html
index 0c29e8eba..4a817e1af 100644
--- a/plinth/modules/users/templates/users_update.html
+++ b/plinth/modules/users/templates/users_update.html
@@ -46,10 +46,6 @@
 
         {{ form|bootstrap }}
 
-        {% if is_ldap_user %}
-        <p>This user is also an LDAP user.</p>
-        {% endif %}
-
         <input type="submit" class="btn btn-primary" value="Save Changes"/>
 
       </form>