diff --git a/actions/add-ldap-user-to-group b/actions/add-ldap-user-to-group
new file mode 100755
index 000000000..8c5fc2fee
--- /dev/null
+++ b/actions/add-ldap-user-to-group
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# This file is part of Plinth.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Must be run as root.
+
+username="$1"
+groupname="$2"
+
+# check if group already exists
+results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=$groupname)" cn)
+
+if [ -z "$results" ]; then
+    # create group, with user as initial member
+    cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
+dn: cn=$groupname,ou=groups,dc=thisbox
+objectClass: groupOfUniqueNames
+cn: $groupname
+uniqueMember: uid=$username,ou=users,dc=thisbox
+EOF
+else
+    # add user to existing group
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=$groupname,ou=groups,dc=thisbox
+changetype: modify
+add: uniqueMember
+uniqueMember: uid=$username,ou=users,dc=thisbox
+EOF
+fi
diff --git a/actions/create-ldap-user b/actions/create-ldap-user
index 4fbdb4c81..46d6bcf55 100755
--- a/actions/create-ldap-user
+++ b/actions/create-ldap-user
@@ -58,24 +58,3 @@ if [ $? -ne 0 ]; then
     echo "Failed to create posix account for user"
     exit 2
 fi
-
-# check if admin group exists
-results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=admin)" cn)
-
-if [ -z "$results" ]; then
-    # create admin group, with new user as a member
-    cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
-dn: cn=admin,ou=groups,dc=thisbox
-objectClass: groupOfUniqueNames
-cn: admin
-uniqueMember: uid=$username,ou=users,dc=thisbox
-EOF
-else
-    # add new user to existing admin group
-    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
-dn: cn=admin,ou=groups,dc=thisbox
-changetype: modify
-add: uniqueMember
-uniqueMember: uid=$username,ou=users,dc=thisbox
-EOF
-fi
diff --git a/actions/remove-ldap-user-from-group b/actions/remove-ldap-user-from-group
new file mode 100755
index 000000000..6992bcf63
--- /dev/null
+++ b/actions/remove-ldap-user-from-group
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# This file is part of Plinth.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Must be run as root.
+
+username="$1"
+groupname="$2"
+
+cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=$groupname,ou=groups,dc=thisbox
+changetype: modify
+delete: uniqueMember
+uniqueMember: uid=$username,ou=users,dc=thisbox
+EOF
+
+if [ $? -eq 0 ]; then
+    echo "Removed user from group"
+elif [ $? -eq 16 ]; then
+    echo "User was not in group"
+    exit 1
+elif [ $? -eq 65 ]; then
+    # Cannot have empty group, so just delete the group.
+    ldapdelete -Y EXTERNAL -H ldapi:/// "cn=$groupname,ou=groups,dc=thisbox"
+
+    if [ $? -eq 0 ]; then
+	echo "User was last member in group, so group was deleted."
+    else
+	echo "User was last member in group, but could not delete group."
+	exit 1
+    fi
+fi
diff --git a/plinth/modules/first_boot/forms.py b/plinth/modules/first_boot/forms.py
index 994bd4f83..3f2ba8097 100644
--- a/plinth/modules/first_boot/forms.py
+++ b/plinth/modules/first_boot/forms.py
@@ -72,6 +72,14 @@ than 63 characters in length.'),
                 messages.error(self.request,
                                _('Creating LDAP user failed.'))
 
+            try:
+                actions.superuser_run(
+                    'add-ldap-user-to-group',
+                    [user.get_username(), 'admin'])
+            except ActionError:
+                messages.error(self.request,
+                               _('Failed to add new user to admin group.'))
+
             self.login_user()
 
         return user
diff --git a/plinth/modules/users/forms.py b/plinth/modules/users/forms.py
index e72bee865..ec13cd4d6 100644
--- a/plinth/modules/users/forms.py
+++ b/plinth/modules/users/forms.py
@@ -56,6 +56,13 @@ class CreateUserForm(UserCreationForm):
                     messages.error(self.request,
                                    _('Creating LDAP user failed.'))
 
+                try:
+                    actions.superuser_run(
+                        'add-ldap-user-to-group',
+                        [user.get_username(), 'admin'])
+                except ActionError:
+                    messages.error(self.request,
+                                   _('Failed to add new user to admin group.'))
         return user