diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 8d516946868..11f41aa0827 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -54,7 +54,8 @@ in privoxy = 32; osgi = 34; sabnzbd = 33; - tor = 35; + tor = 35; + cups = 36; # When adding a uid, make sure it doesn't match an existing gid. nixbld = 30000; # start of range of uids diff --git a/modules/services/printing/cupsd.nix b/modules/services/printing/cupsd.nix index 0ac52fe1038..8599512a5f5 100644 --- a/modules/services/printing/cupsd.nix +++ b/modules/services/printing/cupsd.nix @@ -102,11 +102,18 @@ in config = mkIf config.services.printing.enable { - environment.systemPackages = [cups]; + users.extraUsers = singleton + { name = "cups"; + uid = config.ids.uids.cups; + group = "lp"; + description = "CUPS printing services"; + }; - services.dbus.packages = [cups]; + environment.systemPackages = [ cups ]; - # cups uses libusb to talk to printers, and does not use the + services.dbus.packages = [ cups ]; + + # Cups uses libusb to talk to printers, and does not use the # linux kernel driver. If the driver is not in a black list, it # gets loaded, and then cups cannot access the printers. boot.blacklistedKernelModules = [ "usblp" ]; @@ -167,6 +174,13 @@ in TempDir ${cfg.tempDir} + # User and group used to run external programs, including + # those that actually send the job to the printer. Note that + # Udev sets the group of printer devices to `lp', so we want + # these programs to run as `lp' as well. + User cups + Group lp + Browsing On BrowseOrder allow,deny BrowseAllow @LOCAL
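Review bot: The `users.extraUsers` entry added in the `@@ -102,11 +102,18 @@` hunk of cupsd.nix carries no comment saying what the `cups` account is for, and the reason for `group = "lp"` is only given later, inside the generated cupsd.conf text. I would add above the declaration: `# Unprivileged account for CUPS filters and backends; primary group lp so they can open the printer devices udev assigns to lp.` The entry sets neither a home directory nor a shell, so the account takes whatever the users module defaults to. Those defaults are not visible here, so it is worth confirming that they yield a non-login service account. The `config = mkIf …` block starts inside the hunk and continues past its end.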
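Review bot: With `User cups` / `Group lp` added in the `@@ -167,6 +174,13 @@` hunk, external programs run under a new account, but nothing visible here makes `${cfg.tempDir}` or the spool directories writable by it. The code that creates those directories is outside the hunk; it should create them owned by `cups:lp` and re-own them on systems that already have them, e.g. `chown cups:lp ${cfg.tempDir}` next to the existing `mkdir`, rather than loosening their mode. The comment could also state that these directives cover only filters, backends and CGI programs, so the scheduler's own privileges are unchanged. Newer CUPS releases take `User` and `Group` from cups-files.conf instead of cupsd.conf, so confirm which file the packaged version honours.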