diff --git a/roles/ipa/files/configure-ipa.sh b/roles/ipa/files/configure-ipa.sh
new file mode 100644
index 0000000000..44880213ea
--- /dev/null
+++ b/roles/ipa/files/configure-ipa.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+ADMIN_PASSWORD="$1"
+DM_PASSWORD="$2"
+
+function cleanup {
+    kdestroy -A
+}
+trap cleanup EXIT
+
+echo $ADMIN_PASSWORD | kinit admin
+
+# Disallow all users to change their own settings
+ipa selfservice-find | grep "Self-service name:" | sed -e "s/  Self-service name: //" | \
+while read line
+do
+    echo "Removing $line"
+    ipa selfservice-del "$line"
+done
+
+# Create fas_sync user
+ipa user-add fas_sync --first=FAS --last=Sync
+
+# Allow sync user to update passwords
+ldapmodify -x -D "cn=Directory Manager" -w "$DM_PASSWORD" -h localhost -p 389 <<EOF
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+changetype: modify
+add: passSyncManagersDNs
+passSyncManagersDNs: uid=fas_sync,cn=users,cn=accounts,dc=fedoraproject,dc=org
+EOF
+exit 0
diff --git a/roles/ipa/tasks/main.yml b/roles/ipa/tasks/main.yml
index 659b8b9db8..4e616f5313 100644
--- a/roles/ipa/tasks/main.yml
+++ b/roles/ipa/tasks/main.yml
@@ -119,14 +119,17 @@
   - config
   when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
 
-#
-# switch this to use the systemd module as soon as ansible 2.2 is out.
-#
+- name: Deploy configuration script
+  copy: src=configure-ipa.sh dest=/root/configure-ipa.sh mode=0700 owner=root group=root
+  register: config_deployed
+  tags:
+  - ipa
+  - config
+  when: inventory_hostname.startswith("ipa01")
 
-#- name: mask kadmin
-#  file: src=/dev/null
-#        dest=/etc/systemd/system/kadmin.service
-#        owner=root group=root state=link
-#  tags:
-#  - ipa
-#  - config
+- name: Run configuration script
+  command: /bin/bash /root/configure-ipa.sh {{ipa_dm_password}} {{ipa_admin_password}}
+  tags:
+  - ipa
+  - config
+  when: inventory.hostname.startswith("ipa01") and config_deployed.changed