diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 6e7eb9da17..8a786a5bac 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -332,6 +332,16 @@
 changed_when: "'already exists' not in output.stdout"
 failed_when: "'already exists' not in output.stdout and output.rc != 0"

+# HBAC
+
+- name: Don't allow all users to log into all hosts
+ command: ipa hbacrule-disable allow_all
+ tags:
+ - ipa/server
+ - config
+ when: ipa_initial
+ register: output
+
 # Noggin user setup

 - name: Register the proper noggin admin password
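Review bot: The task that disables `allow_all` registers `output` but, unlike the task just above it, has no `changed_when`/`failed_when`, and it runs only `when: ipa_initial`, so the hardening is applied once and never re-checked. If the rule is re-enabled later, or the first run stops before reaching this task, later runs will leave every user able to log into every host without reporting it. Consider making the step idempotent rather than one-shot, for example by guarding it on the rule's current state from `ipa hbacrule-show allow_all` instead of on `ipa_initial`, and either use `output` in a `changed_when` or drop the `register`. Nothing in this hunk adds replacement HBAC rules; if they are created elsewhere in the role, a comment such as `# allow_all is disabled here; host access then depends on the explicit HBAC rules defined in <task/file>` would help, since disabling it without them blocks logins on enrolled hosts.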