diff --git a/modules/users/default.nix b/modules/users/default.nix
index ffceb9b9..83a60846 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -150,7 +150,7 @@ in
           u=$(id -u ${lib.escapeShellArg v.name} 2> /dev/null) || true
           if [[ "$u" -eq ${toString v.uid} ]]; then
             echo "deleting user ${v.name}..." >&2
-            sysadminctl -deleteUser '${v.name}' 2> /dev/null
+            sysadminctl -deleteUser ${lib.escapeShellArg v.name} 2> /dev/null
           else
             echo "[1;31mwarning: existing user '${v.name}' has unexpected uid $u, skipping...[0m" >&2
           fi
@@ -181,7 +181,7 @@ in
         if [ -n "$u" ]; then
           if [ "$u" -gt 501 ]; then
             echo "deleting user ${name}..." >&2
-            sysadminctl -deleteUser '${name}' 2> /dev/null
+            sysadminctl -deleteUser ${lib.escapeShellArg name} 2> /dev/null
           else
             echo "[1;31mwarning: existing user '${name}' has unexpected uid $u, skipping...[0m" >&2
           fi
diff --git a/tests/users-groups.nix b/tests/users-groups.nix
index b619f9b4..a4aaf2ae 100644
--- a/tests/users-groups.nix
+++ b/tests/users-groups.nix
@@ -46,19 +46,19 @@
     grep -zoP "sysadminctl -addUser 'foo' (.|\n)* -UID 42000 (.|\n)* -GID 42000 (.|\n)* -fullName 'Foo user' (.|\n)* -home '/Users/foo' (.|\n)* -shell ${lib.escapeShellArg "/run/current-system/sw/bin/bash"}" ${config.out}/activate
     grep "createhomedir -cu 'foo'" ${config.out}/activate
     grep -zoP "sysadminctl -addUser 'created.user' (.|\n)* -UID 42001 (.|\n)* -shell ${lib.escapeShellArg "/sbin/nologin"}" ${config.out}/activate
-    grep -qv "sysadminctl -deleteUser 'created.user'" ${config.out}/activate
-    grep -qv "sysadminctl -deleteUser 'created.user'" ${config.out}/activate
+    grep -qv "sysadminctl -deleteUser ${lib.escapeShellArg "created.user"}" ${config.out}/activate
+    grep -qv "sysadminctl -deleteUser ${lib.escapeShellArg "created.user"}" ${config.out}/activate
 
     # checking user properties always get updated in /activate
     grep "dscl . -create '/Users/foo' UserShell ${lib.escapeShellArg "/run/current-system/sw/bin/bash"}" ${config.out}/activate
 
     # checking user deletion in /activate
-    grep "sysadminctl -deleteUser 'deleted.user'" ${config.out}/activate
+    grep "sysadminctl -deleteUser ${lib.escapeShellArg "deleted.user"}" ${config.out}/activate
     grep -qv "sysadminctl -addUser 'deleted.user'" ${config.out}/activate
 
     # checking unknown user in /activate
     grep -qv "sysadminctl -addUser 'unknown.user'" ${config.out}/activate
-    grep -qv "sysadminctl -deleteUser 'unknown.user'" ${config.out}/activate
+    grep -qv "sysadminctl -deleteUser ${lib.escapeShellArg "unknown.user"}" ${config.out}/activate
 
     set +v
   '';