diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index 744ed73..394bb63 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -24,9 +24,10 @@
 idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
 groups = {
- admins = { };
- users = { };
- ssh-users = { };
+ # overwriteMembers = false allows imperative member management via CLI
+ admins = { overwriteMembers = false; };
+ users = { overwriteMembers = false; };
+ ssh-users = { overwriteMembers = false; };
 };
 # Regular users (persons) are managed imperatively via kanidm CLI
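Review bot: Setting `overwriteMembers = false` on `admins` (and on `ssh-users`) means provisioning no longer reconciles the membership of these groups, so a member added out of band, whether by mistake or from a compromised account, is not removed on the next deploy and never appears in the repository. If `admins` gates privileged access, which its name suggests but the hunk does not show, consider keeping that group declarative, e.g. `admins = { members = [ ... ]; };`, and relaxing only `users`. Otherwise extend the new comment to record the trade-off, e.g. `# members are append-only from Nix: removals and periodic membership review must be done via the kanidm CLI`. The enclosing attribute set starts and ends outside the hunk.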