diff --git a/initial_install/roles/users/tasks/main.yml b/initial_install/roles/users/tasks/main.yml
index 5df013d..1392e3f 100644
--- a/initial_install/roles/users/tasks/main.yml
+++ b/initial_install/roles/users/tasks/main.yml
@@ -1,3 +1,4 @@
+```yaml
 ---
 - name: Define users
 ansible.builtin.set_fact:
@@ -20,23 +21,33 @@
 ssh_keys:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"
 
-- name: Pick sudo group per distro
- ansible.builtin.set_fact:
- sudo_group: >-
- {{ 'wheel'
- if ansible_facts.os_family in
- ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
- else 'sudo' }}
-
+# --------------------------------------------------
+# Create users (NO sudo group here!)
+# --------------------------------------------------
 - name: Ensure users exist
 ansible.builtin.user:
 name: "{{ item.name }}"
 shell: "{{ item.shell }}"
- groups: "{{ sudo_group }}"
- append: true
 create_home: true
 loop: "{{ users }}"
 
+# --------------------------------------------------
+# Configure passwordless sudo safely
+# --------------------------------------------------
+- name: Configure passwordless sudo
+ ansible.builtin.copy:
+ dest: "/etc/sudoers.d/{{ item.name }}"
+ mode: '0440'
+ owner: root
+ group: root
+ content: "{{ item.name }} ALL=(ALL:ALL) NOPASSWD: ALL\n"
+ validate: 'visudo -cf %s'
+ loop: "{{ users }}"
+ when: item.sudo_nopasswd | default(false)
+
+# --------------------------------------------------
+# Install SSH keys
+# --------------------------------------------------
 - name: Install authorized SSH keys
 ansible.builtin.authorized_key:
 user: "{{ item.name }}"
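Review bot: The new first line `+```yaml` is a Markdown fence pasted into the tasks file, and the `+```` that closes the second hunk is the same mistake; a backtick cannot start a YAML token, so the role will fail to parse before any of the sudo changes below are applied, and both lines need to go so the file again begins at `---`. Separately, the new "Configure passwordless sudo" task names the drop-in `/etc/sudoers.d/{{ item.name }}` verbatim, but sudo's includedir ignores any file whose name contains a `.` or ends in `~`, so a user such as `first.last` would pass `visudo -cf` yet silently receive no rule. Either assert on the name shape before the loop or normalise it, e.g. `dest: "/etc/sudoers.d/{{ item.name | replace('.', '_') }}"`. The `validate`, `owner`/`group` and `default(false)` guard added here are the right shape and are worth keeping.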
@@ -44,11 +55,9 @@
 exclusive: true
 loop: "{{ users }}"
 
-- name: Configure passwordless sudo
- ansible.builtin.copy:
- dest: "/etc/sudoers.d/{{ item.name }}"
- mode: '0440'
- content: "{{ item.name }} ALL=(ALL:ALL) NOPASSWD:ALL\n"
- validate: 'visudo -cf %s'
- loop: "{{ users }}"
- when: item.sudo_nopasswd
\ No newline at end of file
+# --------------------------------------------------
+# Reset connection so sudo rules take effect immediately
+# --------------------------------------------------
+- name: Reset SSH connection (refresh sudo context)
+ meta: reset_connection
+```
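Review bot: The new reset task is written as bare `meta:` while every other task in this file uses the fully qualified `ansible.builtin.` form, so for consistency it should read `ansible.builtin.meta: reset_connection`. It also carries no condition, so the connection is torn down on every run even when no sudoers drop-in changed; that is harmless for correctness, but if it proves noisy the usual approach is to register the copy task's result and gate on it, though whether this meta action honours `when` should be checked against the Ansible version in use before relying on it.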