diff --git a/roles/ipa/client/files/fedora-nss-ignore.conf b/roles/ipa/client/files/fedora-nss-ignore.conf
new file mode 100644
index 0000000000..0e65ad0398
--- /dev/null
+++ b/roles/ipa/client/files/fedora-nss-ignore.conf
@@ -0,0 +1,6 @@
+## This file contains users who are in ipa to stop people from
+## creating restricted accounts but we want to make sure the id in
+## /etc/passwd and /etc/group are used.
+[nss]
+filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd
+filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd
diff --git a/roles/ipa/client/tasks/common.yml b/roles/ipa/client/tasks/common.yml
index 76326af053..fe0b08b9e8 100644
--- a/roles/ipa/client/tasks/common.yml
+++ b/roles/ipa/client/tasks/common.yml
@@ -39,3 +39,10 @@
 host: "{{ item[2] | list }}"
 loop: "{{ ipa_server_host_groups_hosts }}"
 when: ipa_server_host_groups_hosts is defined
+
+- name: Ensure that nss knows to skip certain users
+ copy: src=fedora-nss-ignore.conf dest=/etc/sssd/conf.d/ mode=600 owner=root group=root
+ tags:
+ - ipa/client
+ - config
+ notify: clean sss caches
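Review bot: The `filter_users` line contains a doubled comma, `openvpn,,chrony`, which yields an empty list element; I cannot confirm from here how sssd's parser treats an empty entry, but it reads as a typo and the intended value is `openvpn,chrony`. Since this list is what keeps IPA-side accounts from shadowing the local system accounts named in the header comment, it is worth a quick check that every intended name (and no stray empties) survives the edit. The header comment states the intent well; a one-line note such as `## Keep in sync with the local accounts in /etc/passwd and /etc/group on the managed hosts.` would tell a future editor why the lists exist and when they need updating.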
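Review bot: The new `copy:` task passes its arguments as a single `key=value` string rather than native block YAML, which is harder to read and diff and makes the file mode easy to mis-type once someone converts it later. In block form `mode` must be a quoted string (`"0600"`) so YAML does not read it as the integer 600; the current string form happens to work, but the block form below makes the intent explicit. The `notify: clean sss caches` handler is not visible in this hunk, so whether it also restarts sssd to pick up the new `/etc/sssd/conf.d/` snippet is something to confirm against the role's handlers. The task that precedes the added block (the `host:`/`loop:`/`when:` context lines) starts outside the hunk.
```yaml
- name: Ensure that nss knows to skip certain users
  copy:
    src: fedora-nss-ignore.conf
    dest: /etc/sssd/conf.d/
    mode: "0600"
    owner: root
    group: root
  # … unchanged: tags and notify …
```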