diff --git a/README.md b/README.md
index 724f559a0404e336a2c1e6311d7f4cfd10a43a8b..07ced05e8dc2445bc78643a73d1f5fd1dabb6b19 100644
--- a/README.md
+++ b/README.md
@@ -75,9 +75,15 @@ user_database:
 
 #### Creating user accounts
 
-Note that this doesn't create the user anywhere. To do so, define a variable
-`users` e.g. in `host_vars`. For example adding this somewhere in
-`host_vars/example.com/`:
+Note that this doesn't create the user anywhere.
+
+You can use a host var or a group var to actually create users.
+
+##### Creating accounts on hosts
+
+To create a user on a specific host, define the variable `users` in `host_vars`
+
+For example adding this to `host_vars/example.com/users`:
 ```
 users:
   - johndoe
@@ -85,16 +91,45 @@ users:
 will deploy the johndoe user as defined in the `user_database` above on
 `example.com`.
 
+##### Creating accounts on groups
+
+This can be a bit annoying if you just want to grant a group of people
+access to a bunch of hosts in a group. To grant a user access to a group of
+hosts, define the variable `users_group` in `group_vars`.
+
+For example adding this to `group_vars/dc01`:
+```
+users_group:
+  - johndoe
+```
+will deploy the johndoe user as defined in the `user_database` above on
+all hosts in the group `dc01`.
+
 #### Deploying pubkeys for the root user
 
 Pubkeys defined in the `user_database` can also be deployed for the root user.
-This is achieved by adding a user's name to the `users_root` list. For example:
+
+##### Deploying pubkeys for the root user on hosts
+
+This is achieved by adding a user's name to the `users_root` list. For example
+adding this to `host_vars/example.com/users`:
 ```
 users_root:
   - johndoe
 ```
 will deploy all pubkeys defined in the `user_database` for johndoe in the root
-account.
+account on host `example.com.
+
+##### Deploying pubkeys for the root user on groups
+
+This is achieved by adding a user's name to the `users_root_group` list. For example
+adding this to `group_vars/dc01`:
+```
+users_root_group:
+  - johndoe
+```
+will deploy all pubkeys defined in the `user_database` for johndoe in the root
+account on all hosts in group `dc01`.
 
 ### DHCP Server
 
diff --git a/group_vars/all b/group_vars/all
index 86f71c64af8b74237246b10f63325c84c48e9bb9..2a51f1cf5c8b96ea9806e0358a223810b923c584 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -106,3 +106,4 @@ user_database:
     fullname: Stefan Mehrens
     pubkeys:
       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV9XOmFQU2uZiaka5IMhaHf7I3Yo/NcBclxTYVLG5rofs3V7PAZ01m3wdMauqo7oO4o+aV4vF9yZOx+rc0rOP2yY11Ao2r4ospA2SZI0yaaDX1mZGErhId+RLmHVc4zcNWas8gucASP0A8rObc/ZEX8rCFITegv0OEiH0lS6NX0s+EchjxZRP8rqohWc4uLsaNhZkuheotVeFS2ecCnnvm3HngLPtUY1ZRD3jSmBmghoz6Utp4HTkk88b4PYv/Kc6Bt72IxxL2wZvqaF/bVrngYk6w7ewq3zXJMwDZscYOUSP7C3ZkGBoEvyGGtDYbDhyuptoGQNTcmmHAnbxzTdnv smehrens@oxygen.fritz.box
+  
diff --git a/group_vars/dhcpserver b/group_vars/dhcpserver
index c2df7fe2843f6dc80681ada4ff974e685d93933c..e6a8277ad258da453385fa62d82333b0f4d0caf0 100644
--- a/group_vars/dhcpserver
+++ b/group_vars/dhcpserver
@@ -1,11 +1,11 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
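Review bot: `users_group` and `users_root_group` are ordinary variables, so a host that belongs to two groups which both define them receives only the list from the higher-precedence group; under Ansible's default variable handling the lists are replaced, not merged. If any host is in `dhcpserver` and also in one of the `ffsNN` groups (group membership is not visible in this commit), the accounts and root keys listed only in the losing file are treated as absent by `user_remove.yml` and `root_pubkey.yml`. The same applies to the other `group_vars/ffs*` hunks. A comment at the top of each file such as `# only one users_group applies per host: the highest-priority group wins` would make this explicit, or the role could combine per-group variables itself.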
diff --git a/group_vars/ffs04 b/group_vars/ffs04
deleted file mode 100644
index c2df7fe2843f6dc80681ada4ff974e685d93933c..0000000000000000000000000000000000000000
--- a/group_vars/ffs04
+++ /dev/null
@@ -1,12 +0,0 @@
----
-users:
-  - are
-  - leonard
-  - roland
-  - nrb
-
-users_root:
-  - are
-  - leonard
-  - roland
-  - nrb
diff --git a/group_vars/ffs05 b/group_vars/ffs05
index 8133b87d463712cf27c73c873a33ce6aa9e64ae4..b9a6f8afea3dc21c0e26eb31f3f1fbdee96a9aef 100644
--- a/group_vars/ffs05
+++ b/group_vars/ffs05
@@ -1,12 +1,12 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - wilhelm
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs06 b/group_vars/ffs06
deleted file mode 100644
index c2df7fe2843f6dc80681ada4ff974e685d93933c..0000000000000000000000000000000000000000
--- a/group_vars/ffs06
+++ /dev/null
@@ -1,12 +0,0 @@
----
-users:
-  - are
-  - leonard
-  - roland
-  - nrb
-
-users_root:
-  - are
-  - leonard
-  - roland
-  - nrb
diff --git a/group_vars/ffs07 b/group_vars/ffs07
index c2df7fe2843f6dc80681ada4ff974e685d93933c..e6a8277ad258da453385fa62d82333b0f4d0caf0 100644
--- a/group_vars/ffs07
+++ b/group_vars/ffs07
@@ -1,11 +1,11 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs08 b/group_vars/ffs08
index c2df7fe2843f6dc80681ada4ff974e685d93933c..e6a8277ad258da453385fa62d82333b0f4d0caf0 100644
--- a/group_vars/ffs08
+++ b/group_vars/ffs08
@@ -1,11 +1,11 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs09 b/group_vars/ffs09
index 8133b87d463712cf27c73c873a33ce6aa9e64ae4..b9a6f8afea3dc21c0e26eb31f3f1fbdee96a9aef 100644
--- a/group_vars/ffs09
+++ b/group_vars/ffs09
@@ -1,12 +1,12 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - wilhelm
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs10 b/group_vars/ffs10
index ced0a17be0e4b54e7d659c7e0247dac953eb120c..5ea265e183f7f2b33579a10222a6bf9830fa2788 100644
--- a/group_vars/ffs10
+++ b/group_vars/ffs10
@@ -1,12 +1,12 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - gratuxri
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs11 b/group_vars/ffs11
index 96ce3d25b183ef2d28ac50e09147e4773ee13a3a..cb2df9c86c8b2e1febed35509a82552b9e5c5b5a 100644
--- a/group_vars/ffs11
+++ b/group_vars/ffs11
@@ -1,5 +1,5 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
@@ -9,12 +9,8 @@ users:
   - thommie
   - docloy
   - wilhelm
-  - jochen
-  - gratuxri
-  - flip
-  - smehrens
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/host_vars/ffs11.freifunk-stuttgart.de/users b/host_vars/ffs11.freifunk-stuttgart.de/users
new file mode 100644
index 0000000000000000000000000000000000000000..ce5f638ef6b73be6ddec7c7582782b38977eb895
--- /dev/null
+++ b/host_vars/ffs11.freifunk-stuttgart.de/users
@@ -0,0 +1,6 @@
+---
+users:
+  - jochen
+  - gratuxri
+  - flip
+  - smehrens
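Review bot: The four accounts moved here are kept only if the inventory host name is exactly `ffs11.freifunk-stuttgart.de`; the inventory entries visible in this commit use the `.net` domain (`sso01.freifunk-stuttgart.net`, `vpn-1nce.freifunk-stuttgart.net`), and the entry for ffs11 itself is outside the shown hunk. Ansible silently ignores a `host_vars` directory that matches no host. Because `user_remove.yml` now defaults a missing `users` to an empty list and these names were removed from `group_vars/ffs11`, a mismatch would delete jochen, gratuxri, flip and smehrens from the host without any error. Please confirm the name against `inventory/ffs11`.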
diff --git a/inventory/ffs11 b/inventory/ffs11
index b2a6e296701b084f5bbba94b00d89c22e479963a..a3e1f35cbda931e4e03fb86e4001fed7647eecd0 100644
--- a/inventory/ffs11
+++ b/inventory/ffs11
@@ -77,3 +77,5 @@ ffs11:
       ansible_ssh_host: 3201.ffs11
     sso01.freifunk-stuttgart.net:
       ansible_ssh_host: 3203.ffs11
+    vpn-1nce.freifunk-stuttgart.net:
+      ansible_ssh_host: 3174.ffs11
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index bf6b7e36af4dc2561b1081bdf60332eae30c8f65..fb23f8060bda2803c19937967a487c8f4731c81f 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Creating users
   include: user.yml 
-  loop: "{{ users }}" 
+  loop: "{{ users|default([]) + users_group|default([]) }}" 
   loop_control:
     loop_var: user
 
@@ -14,6 +14,6 @@
 - name: Deploying public key for users with root access
   include: root_pubkey.yml
   vars:
-  loop: '{{ users }}'
+  loop: '{{ user_database.keys() | list }}'
   loop_control:
     loop_var: user
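Review bot: Looping over every key of `user_database` makes root-key deployment independent of `users`/`users_group`, but the second task in `user_remove.yml` still removes root keys for anyone not in `users` or `users_group`. A name listed only in `users_root` or `users_root_group` would therefore have its key set `present` by `root_pubkey.yml` and `absent` by `user_remove.yml` in the same run, with the final state depending on task order (whether and where `user_remove.yml` is included is outside this hunk). Either document that root access also requires an entry in `users` or `users_group`, or extend that removal condition with `and user.key not in users_root|default([]) and user.key not in users_root_group|default([])`.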
diff --git a/roles/users/tasks/root_pubkey.yml b/roles/users/tasks/root_pubkey.yml
index efc0164f706f57f208f2b760d503ea7d7d43bf5e..4c9b9ed476e2fc32a0bfee7c2cea96a2bb1bef10 100644
--- a/roles/users/tasks/root_pubkey.yml
+++ b/roles/users/tasks/root_pubkey.yml
@@ -2,7 +2,7 @@
 - name: "Deploying {{ user }} public keys for root"
   authorized_key:
     user: "root"
-    state: '{{ (user in users_root) | ternary("present", "absent") }}'
+    state: '{{ (user in users_root|default([]) or user in users_root_group|default([]) ) | ternary("present", "absent") }}'
     key: '{{ item }}'
     comment: '{{ user }}'
     follow: yes
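Review bot: The new `state:` expression depends on Jinja2 applying `|default([])` before `in` and `or`, which is correct but hard to verify at a glance on the line that decides who holds a root key. Concatenating the lists reads more directly: `state: '{{ (user in (users_root | default([])) + (users_root_group | default([]))) | ternary("present", "absent") }}'`. A short comment above the task, stating that any `user` passed in that is listed in neither variable has its keys removed from root's `authorized_keys`, would also help the next maintainer.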
diff --git a/roles/users/tasks/user_remove.yml b/roles/users/tasks/user_remove.yml
index f3a140ef7b44aa7d0122554f839251c3b94f1a4a..d5ef4bb56564fed8e7cfe6dcdc2e052d31b6dec4 100644
--- a/roles/users/tasks/user_remove.yml
+++ b/roles/users/tasks/user_remove.yml
@@ -4,7 +4,7 @@
     name: "{{ user.key }}"
     uid: "{{ user_database[user.key].uid }}"
     state: absent
-  when: 'user.key not in users'
+  when: 'user.key not in users|default([]) and user.key not in users_group|default([])'
 
 - name: "Remove root ssh keys for {{ user.key }}"
   authorized_key:
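Review bot: With `|default([])` on both lists, a host where neither `users` nor `users_group` is defined now satisfies this condition for every `user` passed in, so the role deletes all managed accounts and, in the second hunk of this file, their root keys. Before this change an undefined `users` stopped the play with an undefined-variable error instead. This commit also deletes `group_vars/ffs04` and `group_vars/ffs06`, so any host still in those groups without its own `host_vars` would be affected. Consider failing early when both variables are undefined, for example an `assert` task with `that: users is defined or users_group is defined`, and require an explicit empty list for hosts that should have no accounts.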
@@ -12,7 +12,7 @@
     state: absent
     key: '{{ pubkey }}'
     follow: yes
-  when: 'user.key not in users'
+  when: 'user.key not in users|default([]) and user.key not in users_group|default([])'
   loop: '{{ user.value.pubkeys }}'
   loop_control:
     loop_var: pubkey