diff --git a/modules/users/default.nix b/modules/users/default.nix
index f57dfa56..08785be8 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -149,19 +149,20 @@ in
       echo "setting up users..." >&2
 
       ${concatMapStringsSep "\n" (v: let
+        name = lib.escapeShellArg v.name;
         dsclUser = lib.escapeShellArg "/Users/${v.name}";
       in ''
         ${optionalString cfg.forceRecreate ''
-          u=$(id -u ${lib.escapeShellArg v.name} 2> /dev/null) || true
+          u=$(id -u ${name} 2> /dev/null) || true
           if [[ "$u" -eq ${toString v.uid} ]]; then
             echo "deleting user ${v.name}..." >&2
-            sysadminctl -deleteUser ${lib.escapeShellArg v.name} 2> /dev/null
+            sysadminctl -deleteUser ${name} 2> /dev/null
           else
             echo "[1;31mwarning: existing user '${v.name}' has unexpected uid $u, skipping...[0m" >&2
           fi
         ''}
 
-        u=$(id -u ${lib.escapeShellArg v.name} 2> /dev/null) || true
+        u=$(id -u ${name} 2> /dev/null) || true
         if [[ -n "$u" && "$u" -ne "${toString v.uid}" ]]; then
           echo "[1;31mwarning: existing user '${v.name}' has unexpected uid $u, skipping...[0m" >&2
         else
@@ -169,7 +170,7 @@ in
             echo "creating user ${v.name}..." >&2
             sysadminctl -addUser ${lib.escapeShellArgs [ v.name "-UID" v.uid "-GID" v.gid "-fullName" v.description "-home" v.home "-shell" (shellPath v.shell) ]}
             dscl . -create ${dsclUser} IsHidden ${if v.isHidden then "1" else "0"}
-            ${optionalString v.createHome "createhomedir -cu '${v.name}'"}
+            ${optionalString v.createHome "createhomedir -cu ${name}"}
           fi
           # Always set the shell path, in case it was updated
           dscl . -create ${dsclUser} UserShell ${lib.escapeShellArg (shellPath v.shell)}
diff --git a/tests/users-groups.nix b/tests/users-groups.nix
index 72c6e0c1..87babb3a 100644
--- a/tests/users-groups.nix
+++ b/tests/users-groups.nix
@@ -44,7 +44,7 @@
 
     # checking user creation in /activate
     grep "sysadminctl -addUser ${lib.escapeShellArgs [ "foo" "-UID" 42000 "-GID" 42000 "-fullName" "Foo user" "-home" "/Users/foo" "-shell" "/run/current-system/sw/bin/bash" ]}" ${config.out}/activate
-    grep "createhomedir -cu 'foo'" ${config.out}/activate
+    grep "createhomedir -cu ${lib.escapeShellArg "foo"}" ${config.out}/activate
     grep "sysadminctl -addUser ${lib.escapeShellArgs [ "created.user" "-UID" 42001 ]} .* ${lib.escapeShellArgs [ "-shell" "/sbin/nologin" ]}" ${config.out}/activate
     grep -qv "sysadminctl -deleteUser ${lib.escapeShellArg "created.user"}" ${config.out}/activate
     grep -qv "sysadminctl -deleteUser ${lib.escapeShellArg "created.user"}" ${config.out}/activate