diff --git a/ad-auth/tasks/pam.yml b/ad-auth/tasks/pam.yml
index c51e6efdb4ef1a3571187ce7fdaad4beb29331b8..69cd4a959597fb3c4b6210e8a12e7797a8d34fe5 100644
--- a/ad-auth/tasks/pam.yml
+++ b/ad-auth/tasks/pam.yml
@@ -1,11 +1,17 @@
 ---
 # file: roles/ad-auth/tasks/pam.yml
 
-- name: ensure our pam-configs are deployed
-  copy: src=pam/{{ item }} dest=/usr/share/pam-configs/{{ item }} owner=root group=root mode=0644
-  with_items:
-    - mkhomedir
-    - umask
+- name: ensure pam applies a general umask
+  copy: src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644
+  notify:
+    - regenerate pam config
+  tags:
+    - pam 
+    - config
+
+- name: ensure pam creates a home dir if necessary
+  copy: src=pam/mkhomedir dest=/usr/share/pam-configs/mkhomedir owner=root group=root mode=0644
+  when: "'clients' not in group_names"
   notify:
     - regenerate pam config
   tags:
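Review bot: The new `when: "'clients' not in group_names"` on the mkhomedir task only skips the copy; it does not remove `/usr/share/pam-configs/mkhomedir` from hosts in `clients` that received it from the old `with_items` task. If the intent is that clients must not auto-create home directories (an assumption, since the reason for the exclusion is not stated), those hosts keep the profile, so a short comment on the condition explaining why would help. A cleanup task for the `clients` group, as sketched below, would close the gap. Whether the `regenerate pam config` handler then drops the profile depends on how it is invoked, which is not visible in this hunk. The mkhomedir task's `tags:` list continues outside the hunk, so the tags below are copied from the umask task.

```yaml
# … unchanged: umask and mkhomedir copy tasks …

- name: ensure pam does not create home dirs on clients
  file:
    path: /usr/share/pam-configs/mkhomedir
    state: absent
  when: "'clients' in group_names"
  notify:
    - regenerate pam config
  tags:
    - pam
    - config
```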