diff --git a/helpers/create-users-groups.sh b/helpers/create-users-groups.sh
new file mode 100644
index 00000000000..da168650897
--- /dev/null
+++ b/helpers/create-users-groups.sh
@@ -0,0 +1,60 @@
+cat "$2" | while true; do
+    read name || break
+    read gid
+
+    if ! curEnt=$(getent group "$name"); then
+        echo "creating group $name..."
+        groupadd --system \
+            "$name" \
+            ${gid:+--gid $gid}
+    else
+        echo "updating group $name..."
+        oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
+        prevGid=$3
+        if test "$prevGid" != "$gid"; then
+            groupmod "$name" --gid $gid
+        fi
+    fi
+done
+
+
+cat "$1" | while true; do
+    read name || break
+    read description
+    read uid
+    read group
+    read extraGroups
+    read home
+    read shell
+
+    if ! curEnt=$(getent passwd "$name"); then
+        echo "creating user $name..."
+        useradd --system \
+            "$name" \
+            --comment "$description" \
+            ${uid:+--uid $uid} \
+            --gid "$group" \
+            --groups "$extraGroups" \
+            --home "$home" \
+            --shell "$shell"
+    else
+        echo "updating user $name..."
+        oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
+        prevUid=$3
+        prevHome=$6
+        # Don't change the UID if it's the same, otherwise usermod
+        # will complain.
+        if test "$prevUid" = "$uid"; then unset uid; fi
+        # Don't change the home directory if it's the same to prevent
+        # unnecessary warnings about logged in users.
+        if test "$prevHome" = "$home"; then unset home; fi
+        usermod \
+            "$name" \
+            --comment "$description" \
+            ${uid:+--uid $uid} \
+            --gid "$group" \
+            --groups "$extraGroups" \
+            ${home:+--home "$home"} \
+            --shell "$shell"
+    fi
+done
diff --git a/system/activate-configuration.sh b/system/activate-configuration.sh
index 105acba4cb4..3dbae8faec0 100644
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
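Review bot: `groupmod "$name" --gid $gid` in the group loop is reached with no argument when a record's `gid` line is empty, because `test "$prevGid" != "$gid"` is true for any existing group; guard it with `if test -n "$gid" && test "$prevGid" != "$gid"; then`. The script also never checks the exit status of `groupadd`, `useradd`, `groupmod` or `usermod` and has no `set -e`, so a failed account change (for example a UID already taken by another account) is printed and then ignored and activation carries on with the account missing or wrong; a `set -e` at the top, or `|| exit 1` on each of those calls, would make the failure visible to the caller through the pipeline's exit status. The `read` calls also lack `-r`, so a backslash in a description field is interpreted rather than stored.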
@@ -64,6 +64,10 @@ touch /var/log/lastlog chmod 644 /var/log/lastlog +# Empty, read-only home directory of many system accounts. +mkdir -m 0555 -p /var/empty + + # If there is no password file yet, create a root account with an # empty password. if ! test -e /etc/passwd; then @@ -71,37 +75,21 @@ if ! test -e /etc/passwd; then touch /etc/passwd; chmod 0644 /etc/passwd touch /etc/group; chmod 0644 /etc/group touch /etc/shadow; chmod 0600 /etc/shadow - # Can't use useradd, since it complain that it doesn't know us + # Can't use useradd, since it complains that it doesn't know us # (bootstrap problem!). echo "root:x:0:0:System administrator:$rootHome:@defaultShell@" >> /etc/passwd echo "root::::::::" >> /etc/shadow - groupadd -g 0 root echo | passwd --stdin root fi -# Some more required accounts/groups. -if ! getent group nogroup > /dev/null; then - groupadd -g 65534 nogroup -fi +# Create system users and groups. +@shell@ @createUsersGroups@ @usersList@ @groupsList@ -# Set up Nix accounts. +# Set up Nix. if test -z "@readOnlyRoot@"; then - if ! getent group nixbld > /dev/null; then - groupadd -g 30000 nixbld - fi - - for i in $(seq 1 10); do - account=nixbld$i - if ! getent passwd $account > /dev/null; then - useradd -u $((i + 30000)) -g nogroup -G nixbld \ - -d /var/empty -s /noshell \ - -c "Nix build user $i" $account - fi - done - mkdir -p /nix/etc/nix cat > /nix/etc/nix/nix.conf < /dev/null; then - ${pwdutils}/sbin/useradd -g ${group} -d /var/empty -s /noshell \\ - -c 'Apache httpd user' ${user} - fi - ${webServer}/bin/control prepare end script diff --git a/upstart-jobs/make-job.nix b/upstart-jobs/make-job.nix index d263a6d44f7..f6841ad26a1 100644 --- a/upstart-jobs/make-job.nix +++ b/upstart-jobs/make-job.nix 
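Review bot: `mkdir -m 0555 -p /var/empty` applies the mode only when it creates the directory; if `/var/empty` already exists from an earlier generation (sshd's start script used to create it, see the last hunk of this commit) with other ownership or permissions, `-p` leaves them as they are. sshd's privilege-separation directory has to be root-owned and not group- or world-writable, so the activation script should enforce that rather than assume it: `chmod 0555 /var/empty` after the mkdir, in the same spirit as the `touch …; chmod …` pairs this file already uses for /etc/passwd and friends.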
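Review bot: The exit status of the new `@shell@ @createUsersGroups@ @usersList@ @groupsList@` line is not examined, so a failure inside the helper passes silently and the script continues with the Nix setup; `@shell@ @createUsersGroups@ @usersList@ @groupsList@ || exit 1` would stop activation at the first broken account (unless this script already runs under `set -e`, which the hunk does not show). This hunk also drops the inline `groupadd -g 0 root` and `nogroup` creation, so on a fresh /etc/group both now have to come from `@groupsList@`; that list is built outside this diff, and the removed `useradd` calls in the job files relied on `nogroup` existing, so the bootstrap case is worth confirming. The tail of this hunk is garbled in this view (the nix.conf heredoc and the following httpd.nix hunk header are missing), so it was not reviewed.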
@@ -1,15 +1,25 @@ {runCommand}: job: ( - runCommand job.name {inherit (job) job;} - "ensureDir $out/etc/event.d; echo \"$job\" > $out/etc/event.d/$name" + if job ? jobDrv then + job.jobDrv + else + ( + runCommand job.name {inherit (job) job;} + "ensureDir $out/etc/event.d; echo \"$job\" > $out/etc/event.d/$name" + ) ) // -# Allow jobs to declare extra packages that should be added to the -# system path, as well as extra files that should be added to /etc. { + # Allow jobs to declare extra packages that should be added to the + # system path. extraPath = if job ? extraPath then job.extraPath else []; + + # Allow jobs to declare extra files that should be added to /etc. extraEtc = if job ? extraEtc then job.extraEtc else []; + + # Allow jobs to declare user accounts that should be created. + users = if job ? users then job.users else []; } diff --git a/upstart-jobs/nscd.nix b/upstart-jobs/nscd.nix index 2fcc86229b1..b2a01cc5c4d 100644 --- a/upstart-jobs/nscd.nix +++ b/upstart-jobs/nscd.nix @@ -3,6 +3,13 @@ { name = "nscd"; + users = [ + { name = "nscd"; + uid = (import ../system/ids.nix).uids.nscd; + description = "Name service cache daemon user"; + } + ]; + job = " description \"Name Service Cache Daemon\" @@ -13,11 +20,6 @@ env LD_LIBRARY_PATH=${nssModulesPath} start script - if ! ${glibc}/bin/getent passwd nscd > /dev/null; then - ${pwdutils}/sbin/useradd -g nogroup -d /var/empty -s /noshell \\ - -c 'Name service cache daemon user' nscd - fi - mkdir -m 0755 -p /var/run/nscd mkdir -m 0755 -p /var/db/nscd diff --git a/upstart-jobs/ntpd.nix b/upstart-jobs/ntpd.nix index a59c3343a74..1cd1c9eb7b5 100644 --- a/upstart-jobs/ntpd.nix +++ b/upstart-jobs/ntpd.nix @@ -19,6 +19,14 @@ in { name = "ntpd"; + users = [ + { name = ntpUser; + uid = (import ../system/ids.nix).uids.ntp; + description = "NTP daemon user"; + home = stateDir; + } + ]; + job = " description \"NTP daemon\" 
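Review bot: The new `users = …` attribute has no comment saying what a user entry looks like, while the helper that consumes the list reads seven fixed fields per user (name, description, uid, group, extraGroups, home, shell) and the job files in this commit each set only a subset (`name`, `uid`, `description`, sometimes `home` or `group`). A comment above `users` listing the recognised attributes, which are optional, and what an omitted one falls back to would let job authors see the contract without reading the helper; the fallbacks themselves are applied by whatever builds `@usersList@`, which this diff does not show, so the comment should point there rather than guess. The moved comments on `extraPath` and `extraEtc` likewise say what the list is for but not what an element is.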
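Review bot: The nscd `users` entry gives `name`, `uid` and `description` but drops the `-g nogroup -d /var/empty -s /noshell` that the `useradd` removed in the next hunk of this file passed, so the account's primary group, home and shell now depend on defaults supplied by the `@usersList@` generator, which is not in this diff. For a daemon account the non-login shell is the part that matters most; stating it in the job file, `home = "/var/empty"; shell = "/noshell";`, keeps the account's properties where they were before and matches sshd.nix, which already sets `home`. The ntpd.nix and sshd.nix entries in this commit likewise omit `shell`.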
@@ -28,11 +36,6 @@ stop on shutdown start script - if ! ${glibc}/bin/getent passwd ${ntpUser} > /dev/null; then - ${pwdutils}/sbin/useradd -g nogroup -d ${stateDir} -s /noshell \\ - -c 'NTP daemon user' ${ntpUser} - fi - mkdir -m 0755 -p ${stateDir} chown ${ntpUser} ${stateDir} diff --git a/upstart-jobs/samba.nix b/upstart-jobs/samba.nix index a19d9dee3fd..69a9b51c4a2 100644 --- a/upstart-jobs/samba.nix +++ b/upstart-jobs/samba.nix @@ -2,13 +2,21 @@ let - user="smbguest"; - group="smbguest"; + user = "smbguest"; + group = "smbguest"; + in { name = "samba"; + users = [ + { name = user; + description = "Samba service user"; + group = group; + } + ]; + job = " description \"Samba Service\" @@ -18,17 +26,13 @@ stop on network-interfaces/stop start script - if ! ${glibc}/bin/getent group ${group} > /dev/null; then - ${pwdutils}/sbin/groupadd ${group} - fi + if ! ${glibc}/bin/getent group ${group} > /dev/null; then + ${pwdutils}/sbin/groupadd ${group} + fi - if ! ${glibc}/bin/getent passwd ${user} > /dev/null; then - ${pwdutils}/sbin/useradd -g ${group} -d /var/empty -s /noshell -c 'Samba service user' ${user} - fi - - ${samba}/sbin/nmbd -D & - ${samba}/sbin/smbd -D & - ${samba}/sbin/winbindd -B & + ${samba}/sbin/nmbd -D & + ${samba}/sbin/smbd -D & + ${samba}/sbin/winbindd -B & end script diff --git a/upstart-jobs/sshd.nix b/upstart-jobs/sshd.nix index cc2c4ddea1b..d5b4da33c21 100644 --- a/upstart-jobs/sshd.nix +++ b/upstart-jobs/sshd.nix @@ -22,10 +22,20 @@ let "; + sshdUid = (import ../system/ids.nix).uids.sshd; + in { name = "sshd"; + + users = [ + { name = "sshd"; + uid = (import ../system/ids.nix).uids.sshd; + description = "SSH privilege separation user"; + home = "/var/empty"; + } + ]; job = " description \"SSH server\" 
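Review bot: The smbguest user is now created at activation time with `group = group`, i.e. `useradd --gid smbguest`, while the `smbguest` group is still created lazily in the job's `start script` (second hunk of this file); on a system where the group does not exist yet the helper's `useradd` fails with an unknown group, and that failure is not checked. Unless `@groupsList@` is derived from the users' `group` attributes (not visible in this diff), the group needs to be declared for the activation script as well, or the `groupadd` should stay next to the `useradd` it was protecting. The entry also has no `uid` where the other services take one from ids.nix, so `useradd --system` will pick one dynamically; a fixed id is worth having if files owned by this account persist across installs.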
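Review bot: `sshdUid` is bound in the `let` block but never used; the `users` entry a few lines below re-imports ids.nix with `uid = (import ../system/ids.nix).uids.sshd;`. Either drop the binding or write `uid = sshdUid;` so the id is looked up once. The entry also omits `shell`; the `useradd` removed in the next hunk used `-s /noshell`, which is what keeps the privilege-separation account unusable for login, so it is better stated here than left to a default this diff does not show.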
@@ -36,18 +46,11 @@ stop on network-interfaces/stop env LD_LIBRARY_PATH=${nssModulesPath} start script - mkdir -m 0555 -p /var/empty - mkdir -m 0755 -p /etc/ssh if ! test -f /etc/ssh/ssh_host_dsa_key; then ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N '' fi - - if ! ${glibc}/bin/getent passwd sshd > /dev/null; then - ${pwdutils}/sbin/useradd -g nogroup -d /var/empty -s /noshell \\ - -c 'SSH privilege separation user' sshd - fi end script respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}