diff --git a/modules/users/default.nix b/modules/users/default.nix
index f43b1392..90e55344 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -8,7 +8,6 @@ let
   group = import ./group.nix;
   user = import ./user.nix;
 
-  toArguments = concatMapStringsSep " " (v: "'${v}'");
   toGID = v: { "${toString v.gid}" = v.name; };
   toUID = v: { "${toString v.uid}" = v.name; };
 
@@ -121,7 +120,7 @@ in
           g=$(dscl . -read '/Groups/${v.name}' GroupMembership 2> /dev/null) || true
           if [ "$g" != 'GroupMembership: ${concatStringsSep " " v.members}' ]; then
             echo "updating group members ${v.name}..." >&2
-            dscl . -create '/Groups/${v.name}' GroupMembership ${toArguments v.members}
+            dscl . -create '/Groups/${v.name}' GroupMembership ${lib.escapeShellArgs v.members}
           fi
         else
           echo "warning: existing group '${v.name}' has unexpected gid $g, skipping..." >&2
diff --git a/tests/users-groups.nix b/tests/users-groups.nix
index bdbabe1e..17b8c0d2 100644
--- a/tests/users-groups.nix
+++ b/tests/users-groups.nix
@@ -35,7 +35,7 @@
     grep -qv "dscl . -create '/Groups/deleted.group'" ${config.out}/activate
 
     echo "checking group membership in /activate" >&2
-    grep "dscl . -create '/Groups/foo' GroupMembership 'admin' 'foo'" ${config.out}/activate
+    grep "dscl . -create '/Groups/foo' GroupMembership ${lib.escapeShellArgs [ "admin" "foo" ]}" ${config.out}/activate
     grep "dscl . -create '/Groups/created.group' GroupMembership" ${config.out}/activate
 
     # checking unknown group in /activate