diff --git a/auth/auth-module.nix b/auth/auth-module.nix
index ddb3c2b..e85a768 100644
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -81,9 +81,6 @@ let
 fi
 fi
- # disable anonymous account because it allows to freely iterate over all users on kanidm instance.
- $KANIDM service-account validity expire-at anonymous epoch
-
 # create a new token for kanidm
 if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
 then
diff --git a/auth/kanidm.nix b/auth/kanidm.nix
index ddf7f81..6d6839f 100644
--- a/auth/kanidm.nix
+++ b/auth/kanidm.nix
@@ -234,7 +234,12 @@ let
 export KANIDM_URL="${cfg.provision.instanceUrl}"
 export KANIDM_SKIP_HOSTNAME_VERIFICATION="true"
 KANIDM_PASSWORD="$KANIDM_IDM_ADMIN_PASSWORD" ${cfg.package}/bin/kanidm login
+
+ # disable anonymous account because it allows to freely iterate over all users on kanidm instance.
+ ${cfg.package}/bin/kanidm service-account validity expire-at anonymous epoch
+
 ${createAndPopulateGroups}
+
 unset HOME
 unset KANIDM_NAME
 unset KANIDM_URL
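Review bot: The added `kanidm service-account validity expire-at anonymous epoch` line in auth/kanidm.nix has no failure handling, so unless the surrounding script runs under `set -e` (not visible in this hunk) a failed call leaves the anonymous account enabled and provisioning continues silently; the token generation in auth/auth-module.nix, by contrast, is guarded with `if !`. Since the first hunk removes the same step from auth-module.nix, this appears to become the only place the anonymous account is locked, which makes a silent failure here more consequential. I would make the failure fatal and visible, e.g. `${cfg.package}/bin/kanidm service-account validity expire-at anonymous epoch || { echo "failed to expire the anonymous account" >&2; exit 1; }`. The comment could also be tightened to `# lock the built-in anonymous account: it allows unauthenticated enumeration of all users on the instance.` The enclosing provisioning script starts and ends outside the hunk.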