diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml
index 2ee8856c..6cf206cb 100644
--- a/roles/mgrote_users/tasks/main.yml
+++ b/roles/mgrote_users/tasks/main.yml
@@ -53,6 +53,9 @@
 block: |
 {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL
 validate: 'visudo -cf %s'
+ owner: root
+ group: root
+ mode: "0644"
 loop: '{{ users }}'
 when: item.allow_sudo|default(false) and item.allow_sudo is defined
 no_log: true
@@ -60,7 +63,7 @@
 - name: Ensure users are removed from sudoers # ungetestet
 ansible.builtin.file:
 path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
- state: "{{ item.state | default('present') }}"
+ state: absent
 loop: '{{ users }}'
 when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and ("absent" in item.state)
 no_log: true
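Review bot: The added `mode: "0644"` leaves each sudoers drop-in world-readable, so any local account can read which users hold sudo and which of them have NOPASSWD; the task sets `no_log: true`, which suggests this data is meant to stay out of view. sudoers files are conventionally installed root:root and read-only, so I would write `mode: "0440"` next to the added `owner`/`group` lines. The task starts above this hunk, so the module and target path are inferred from the `block:`/`validate:` keys and from the removal task that follows.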
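Review bot: With `state: absent` now hard-coded, the `when:` on this task alone decides whether a sudo grant is revoked, and it still requires `allow_sudo` to be true, so a user whose `allow_sudo` is later set to false or removed keeps `/etc/sudoers.d/users-sudo-<username>` and the rights in it. `"absent" in item.state` will also error on entries that have no `state` key (the removed line defaulted it to 'present') and is a substring test rather than an equality check. I would invert the guard so the file is removed whenever sudo is not granted, e.g. `when: not (item.allow_sudo | default(false)) or (item.state | default('present')) == 'absent'`. The create task in the previous hunk matches on `allow_sudo` alone, so for an absent user with `allow_sudo: true` it would still write the file before this task deletes it on every run; a matching state check there would keep the play idempotent.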