diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index e8ef69830..bd9cf87a8 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -2,6 +2,11 @@ from turbogears.identity.soprovider import *
 from turbogears.identity.visitor import *
 import logging
 import os
+import ipa.ipaclient
+from ipaserver import funcs
+import ipa.config
+import ipa.group
+import ipa.user
 log = logging.getLogger("turbogears.identity")
@@ -15,7 +20,25 @@ class IPA_User(object):
 (principal, realm) = user_name.split('@')
 self.display_name = principal
 self.permissions = None
- self.groups = None
+ transport = funcs.IPAServer()
+ client = ipa.ipaclient.IPAClient(transport)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
+ try:
+ user = client.get_user_by_principal(user_name, ['dn'])
+ self.groups = []
+ groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
+ if isinstance(groups, str):
+ groups = [groups]
+ for ginfo in groups:
+ # cn may be multi-valued, add them all just in case
+ cn = ginfo.getValue('cn')
+ if isinstance(cn, str):
+ cn = [cn]
+ for c in cn:
+ self.groups.append(c)
+ except:
+ raise
+ return
 class ProxyIdentity(object):
@@ -57,7 +80,7 @@ class ProxyIdentity(object):
 def _get_groups(self):
 try:
- return self._groups
+ return self._user.groups
 except AttributeError:
 # Groups haven't been computed yet
 return None
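Review bot: `ipa.config`, `ipa.group` and `ipa.user` are not referenced by the new code in this file's other hunks (`IPA_User` only uses `ipa.ipaclient` and `funcs`); if nothing else in the module needs them, drop the three imports. If they are required so the XML-RPC client can reconstruct `User`/`Group` result objects, a one-line comment saying so (`# needed for result object types returned by IPAClient`) would stop the next reader from removing them.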
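Review bot: The `try:`/`except: raise` around the directory lookup is a no-op — a bare re-raise changes nothing — and it obscures the more useful fix, which is to set `self.groups = []` before the lookup so the attribute always exists and defaults to "no groups" (fail closed) even when `get_user_by_principal` throws. The inner `for c in cn: self.groups.append(c)` is `self.groups.extend(...)`. `os.environ["KRB5CCNAME"]` raises a bare `KeyError` when the variable is unset; the caller swallows that, so a message naming the variable would make the misconfiguration diagnosable. `get_groups_by_member(user.dn, …)` looks like a direct-membership query, so membership in `admins` through a nested group presumably is not honoured — worth confirming against the server function, since this list is now what `in_group("admins")` is decided on. `__init__`'s signature is outside the hunk.

```python
        transport = funcs.IPAServer()
        client = ipa.ipaclient.IPAClient(transport)
        client.set_krbccache(os.environ["KRB5CCNAME"])
        # Fail closed: no group memberships until the directory lookup succeeds.
        self.groups = []
        user = client.get_user_by_principal(user_name, ['dn'])
        groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
        if isinstance(groups, str):
            groups = [groups]
        for ginfo in groups:
            # cn may be multi-valued, add them all just in case
            cn = ginfo.getValue('cn')
            self.groups.extend([cn] if isinstance(cn, str) else cn)
```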
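Review bot: The comment `# Groups haven't been computed yet` no longer describes what the `except AttributeError` catches: after this change it fires when the identity has no `_user`, or `_user` is None as for the anonymous identity that validate_identity now returns, not when a lazy computation is pending; `# No user attached (anonymous identity): no groups` would be accurate. If the anonymous identity's `_user` is None, `in_group("admins")` then evaluates `"admins" in None` — assuming TurboGears' predicate tests membership with `in` — which is a TypeError rather than a clean denial; returning `[]` from the except branch keeps the fail-closed outcome while letting the predicate deny normally, provided nothing else relies on the None sentinel. The rest of `ProxyIdentity` lies outside the hunk.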
@@ -87,10 +110,14 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
 pass
 def validate_identity(self, user_name, password, visit_key):
- user = IPA_User(user_name)
- log.debug( "validate_identity %s" % user_name)
-
- return ProxyIdentity(visit_key, user)
+ try:
+ user = IPA_User(user_name)
+ log.debug( "validate_identity %s" % user_name)
+ return ProxyIdentity(visit_key, user)
+ except:
+ # Something went wrong in fetching the user. Set to
+ # anonymous which will deny access.
+ return ProxyIdentity( None )
 def validate_password(self, user, user_name, password):
 '''Validation has already occurred in the proxy'''
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
index bcc3e1ccd..b412b6d15 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
@@ -37,7 +37,7 @@ class GroupController(IPAController):
 raise turbogears.redirect("/group/list")
 @expose("ipagui.templates.groupnew")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def new(self, tg_errors=None):
 """Displays the new group form"""
 if tg_errors:
@@ -49,7 +49,7 @@ class GroupController(IPAController):
 return dict(form=group_new_form, group={})
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def create(self, **kw):
 """Creates a new group"""
 self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index a33307ae6..a527c0983 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
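Review bot: The new bare `except:` swallows every failure of `IPA_User` — a missing `KRB5CCNAME`, an unreachable directory, a bug in the group parsing — without logging, so an outage that silently demotes every login to anonymous leaves no trace in the logs, and a bare `except:` also catches `SystemExit`/`KeyboardInterrupt`. Use `except Exception:` and record the failure before falling back: `log.exception("validate_identity: could not load %s, treating as anonymous", user_name)`. The fallback `ProxyIdentity( None )` passes one positional argument while the success path passes `(visit_key, user)`; that is only right if `ProxyIdentity.__init__` defaults `user`, which is outside the hunk — confirm, since a TypeError raised inside the handler would surface as a server error instead of the intended anonymous identity. Falling back to anonymous is the right fail-closed choice.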
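Review bot: The admins-only requirement is not reflected in the docstrings of `new`/`create` — `"""Displays the new group form (admins only)"""` — and the same applies to the `create` hunk below and to both hunks in subcontrollers/user.py. The literal `"admins"` now appears in four decorators across two files; a single constant such as `ADMIN_GROUP = "admins"` on the shared `IPAController` base, or beside `IPA_User` where the group list is built, keeps the privileged group name from drifting between files. Whether the edit/update handlers of these controllers receive the same restriction is not visible in this diff. The surrounding class bodies lie outside the hunks.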
@@ -96,7 +96,7 @@ class UserController(IPAController):
 raise turbogears.redirect("/user/list")
 @expose("ipagui.templates.usernew")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def new(self, tg_errors=None):
 """Displays the new user form"""
 if tg_errors:
@@ -106,7 +106,7 @@ class UserController(IPAController):
 return dict(form=user_new_form, user={})
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def create(self, **kw):
 """Creates a new user"""
 self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/templates/master.kid b/ipa-server/ipa-gui/ipagui/templates/master.kid
index 4fa27e6c5..f395f31bf 100644
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid
@@ -70,19 +70,19 @@