diff --git a/nixos/doc/manual/installation.xml b/nixos/doc/manual/installation.xml
index dcbb20b19ee..fa4b89e6ba8 100644
--- a/nixos/doc/manual/installation.xml
+++ b/nixos/doc/manual/installation.xml
@@ -209,7 +209,20 @@ $ nixos-install
a network issue while downloading binaries from the NixOS binary
cache), you can just re-run nixos-install.
Otherwise, fix your configuration.nix and
- then re-run nixos-install.
+ then re-run nixos-install.
+
+ As the last step, nixos-install will ask
+ you to set the password for the root user, e.g.
+
+
+setting root password...
+Enter new UNIX password: ***
+Retype new UNIX password: ***
+
+
+
+
+
If everything went well:
diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml
index d5157859857..0ebee7d23f9 100644
--- a/nixos/doc/manual/man-nixos-install.xml
+++ b/nixos/doc/manual/man-nixos-install.xml
@@ -42,6 +42,9 @@ the following steps:
and generates a GRUB configuration file that boots into the NixOS
configuration just installed.
+ It prompts you for a password for the root
+ account.
+
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 2c37dccd6ce..e7afb518157 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -374,8 +374,8 @@ in {
security.initialRootPassword = mkOption {
type = types.str;
- default = "";
- example = "!";
+ default = "!";
+ example = "";
description = ''
The (hashed) password for the root account set on initial
installation. The empty string denotes that root can login
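Review bot: With the default flipped to `"!"`, the `example = "";` line now presents the passwordless-root value as the sample setting for this option, which is the one value an operator should rarely copy. A neutral placeholder for a hashed password, e.g. `example = "<crypt(3) password hash>";`, would document the intended use without promoting an empty root password. The description, which continues past this hunk, could also state that the default now locks password login for root. Combined with `users.mutableUsers = false` and no other administrative account, that leaves no password-based way to become root.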
@@ -383,9 +383,9 @@ in {
as SSH, or indirectly via su or
sudo). The string !
prevents root from logging in using a password.
- Note, setting this option sets
+ Note that setting this option sets
users.extraUsers.root.hashedPassword.
- Note, if users.mutableUsers is false
+ Also, if users.mutableUsers is false
you cannot change the root password manually, so in that case
the name of this option is a bit misleading, since it will define
the root password beyond the user initialisation phase.
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 1b481d4c65f..e708521c93f 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -73,16 +73,18 @@ fi
# Mount some stuff in the target root directory. We bind-mount /etc
# into the chroot because we need networking and the nixbld user
# accounts in /etc/passwd. But we do need the target's /etc/nixos.
-mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc
+mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run
mkdir -m 01777 -p $mountPoint/tmp
mkdir -m 0755 -p $mountPoint/tmp/root
-mkdir -m 0755 -p $mountPoint/var
+mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
mount --rbind /dev $mountPoint/dev
mount --rbind /proc $mountPoint/proc
mount --rbind /sys $mountPoint/sys
mount --rbind / $mountPoint/tmp/root
mount --bind /etc $mountPoint/etc
mount --bind $mountPoint/tmp/root/$mountPoint/etc/nixos $mountPoint/etc/nixos
+mount -t tmpfs -o "mode=0755" none $mountPoint/run
+mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
# Create the necessary Nix directories on the target device, if they
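Review bot: Replacing `mkdir -m 0755 -p $mountPoint/var` with `mkdir -m 0755 -p $mountPoint/var/setuid-wrappers` means `-m` now applies only to the leaf directory. `var` is created as an intermediate directory whose mode follows the installer's umask, so a restrictive umask would leave the target's `/var` unreadable to non-root users. Keeping the original line and adding `mkdir -m 0755 -p $mountPoint/var/setuid-wrappers` after it preserves the explicit mode. The two new `mount -t tmpfs` lines have no matching unmount within the visible hunks, so it is worth confirming that `$mountPoint/run` and `$mountPoint/var/setuid-wrappers` are released before the script ends. The `$mountPoint` expansions are unquoted, as in the surrounding lines, so a mount point containing whitespace would be split.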
@@ -215,3 +217,17 @@ touch $mountPoint/etc/NIXOS
echo "finalising the installation..."
NIXOS_INSTALL_GRUB=1 chroot $mountPoint \
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
+
+
+# Run the activation script.
+chroot $mountPoint /nix/var/nix/profiles/system/activate
+
+
+# Ask the user to set a root password.
+if [ -t 0 ] ; then
+ echo "setting root password..."
+ chroot $mountPoint passwd
+fi
+
+
+echo "installation finished!"
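Review bot: When stdin is not a terminal, the `if [ -t 0 ]` block is skipped silently and the script still prints "installation finished!". Root then keeps the new locked default `"!"` unless the configuration sets a password, and an unattended install gives no hint of this. Adding an `else` branch such as `echo "warning: no terminal on stdin, root password not set" >&2` would make that state visible. The result of `chroot $mountPoint passwd` is also unchecked in the visible lines. Whether a failed or aborted `passwd` stops the script depends on shell options set outside this hunk, so either handle the failure explicitly (retry or warn) or add a comment stating the intended behaviour.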
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index 18b18dd4b23..8ce89c09b24 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -160,9 +160,4 @@ with lib;
environment.systemPackages = [ pkgs.cryptsetup ];
boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
-
- # Prevent logging in as root without a password. This doesn't really matter,
- # since the only PAM services that allow logging in with a null
- # password are local ones that are inaccessible on EC2 machines.
- security.initialRootPassword = mkDefault "!";
}
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index a0238277f5d..d0d04d9a1e5 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -117,7 +117,6 @@ in
modules =
let extraConfig =
{ boot.isContainer = true;
- security.initialRootPassword = mkDefault "!";
networking.hostName = mkDefault name;
networking.useDHCP = false;
};
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 34b8b0e9c1c..d55b7420243 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -114,11 +114,6 @@ in
# Always include cryptsetup so that NixOps can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
- # Prevent logging in as root without a password. This doesn't really matter,
- # since the only PAM services that allow logging in with a null
- # password are local ones that are inaccessible on Google Compute machines.
- security.initialRootPassword = mkDefault "!";
-
# Configure default metadata hostnames
networking.extraHosts = ''
169.254.169.254 metadata.google.internal metadata
diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl
index 8a1e6f927b3..c60662d8d39 100644
--- a/nixos/modules/virtualisation/nixos-container.pl
+++ b/nixos/modules/virtualisation/nixos-container.pl
@@ -64,7 +64,6 @@ sub writeNixOSConfig {
with lib;
{ boot.isContainer = true;
- security.initialRootPassword = mkDefault "!";
networking.hostName = mkDefault "$containerName";
networking.useDHCP = false;
$extraConfig
diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix
index 3247881784e..594b3e93ffe 100644
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -107,9 +107,4 @@ with lib;
boot.loader.grub.device = "/dev/sda";
services.virtualbox.enable = true;
-
- # Prevent logging in as root without a password. For NixOps, we
- # don't need this because the user can login via SSH, and for the
- # demo images, there is a demo user account that can sudo to root.
- security.initialRootPassword = mkDefault "!";
}