diff --git a/linux/compliance.yaml b/linux/compliance.yaml
index fdea40c..93064ee 100644
--- a/linux/compliance.yaml
+++ b/linux/compliance.yaml
@@ -28,6 +28,12 @@
 dest: /etc/apt/apt.conf.d/proxy
 when: aptfolder.stat.exists
+ - name: Remove redundant APT configuration
+ file:
+ path: /etc/apt/apt.conf
+ state: absent
+ when: aptfolder.stat.exists
+
 # Update apt package lists after adding our proxy
 - name: Update apt repo package lists from cacher
 apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
@@ -38,9 +44,12 @@
 user:
 name: ansible
 state: present
- # add to sudo
- groups: sudo
+ - name: Add deployment user to wheel group.
+ user:
+ name: ansible
+ groups: wheel
 append: yes
+ when: wheel in groups
 # Ansible user SSH pub key
 # This is a really stupid way to do it, but alas.
@@ -91,9 +100,29 @@
 state: present
 password: "{{ nhadmin_password | password_hash('sha512') }}"
 shell: /bin/bash
- # add to sudo, systemd-journal
- groups: sudo,systemd-journal
+
+ - name: Add nhadmin to wheel group.
+ user:
+ name: nhadmin
+ groups: wheel
 append: yes
+ when: wheel in groups
+
+ - name: Add nhadmin to sudo group.
+ user:
+ name: nhadmin
+ groups: sudo
+ append: yes
+ when: sudo in groups
+
+ - name: Add nhadmin to systemd-journal group.
+ user:
+ name: nhadmin
+ groups: systemd-journal
+ append: yes
+ when: systemd-journal in groups
+
+
 # Sysadmin user SSH pub key
 # This is a really stupid way to do it, but alas.
 # This uses an environment variable named nhadmin_key in Semaphore which has the ssh-rsa pubkey.
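Review bot: The new task in the `@@ -28,6 +28,12 @@` hunk deletes `/etc/apt/apt.conf` outright, so any setting that file holds besides the proxy entry is lost, with no backup. If only the old proxy line is redundant, a `lineinfile` task with `state: absent` and a `regexp` matching the proxy directive would remove just that line and leave the rest of the file in place. If removing the whole file is intended, a comment above the task saying why it is safe on every targeted host (for example that the file only ever carried the proxy setting now written to `apt.conf.d/proxy`, if that is the case) would save the next reader from having to check.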
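Review bot: The condition `when: wheel in groups` in the `@@ -38,9 +44,12 @@` hunk does not test whether the host has a wheel group: `when` is a Jinja2 expression, so bare `wheel` is read as a variable, and `groups` is Ansible's built-in map of inventory groups rather than the host's group database. The same pattern is used three times in the `@@ -91,9 +100,29 @@` hunk, where `systemd-journal in groups` is additionally parsed as a subtraction, so these tasks will most likely fail or be skipped and leave sudo/wheel membership different from what the playbook states. Reading the group database with `getent` and testing the quoted name against `getent_group` does what the condition appears to intend. Separately, the ansible user loses `groups: sudo` here and, unlike nhadmin, gets no sudo task; it is worth confirming that is deliberate. The first `user:` task in this hunk begins above it.

```yaml
- name: Read the host's group database
  getent:
    database: group

- name: Add deployment user to wheel group.
  # … unchanged: user module arguments …
  when: "'wheel' in getent_group"
```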
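Review bot: The three nhadmin tasks added in the `@@ -91,9 +100,29 @@` hunk differ only in the group name, so the list of privileged groups this account receives is spread across three separate tasks. A single task with `loop: [wheel, sudo, systemd-journal]` and `groups: "{{ item }}"`, with the existence condition written against `item`, would keep that list in one place and make it easier to audit. The hunk also adds two blank lines before the `# Sysadmin user SSH pub key` comment, where the tasks above it are separated by one. The nhadmin `user:` task that these follow begins above the hunk.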