diff --git a/manifests/role/bastionhost.pp b/manifests/role/bastionhost.pp
index 8d141d3..915ccd5 100644
--- a/manifests/role/bastionhost.pp
+++ b/manifests/role/bastionhost.pp
@@ -8,6 +8,14 @@ class role::bastionhost::general {
 include base::firewall
 include role::backup::host
+ class { 'standard': has_admin => false }
+ $admin_module_path = get_module_path('admin')
+ $admin_data = loadyaml("${admin_module_path}/data/data.yaml")
+ class { 'admin':
+ groups => keys($admin_data['groups']),
+ only_ops_sudo => true
+ }
+
 backup::set {'home': }
 ferm::service { 'ssh':
diff --git a/manifests/site.pp b/manifests/site.pp
index 74e046c..2ef0409 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -236,7 +236,6 @@ node 'bast1001.wikimedia.org' {
 $ganglia_aggregator = true
 role bastionhost::general
- include standard
 include dsh
 }
@@ -246,7 +245,6 @@ node 'bast2001.wikimedia.org' {
 interface => 'eth0',
 }
 role bastionhost::general
- include standard
 }
@@ -257,7 +255,6 @@ node 'bast4001.wikimedia.org' {
 }
 role bastionhost::general
- include standard
 include role::ipmi
 include role::installserver::tftp-server
@@ -1109,7 +1106,6 @@ node 'hooft.esams.wikimedia.org' {
 }
 role bastionhost::general
- include standard
 include role::installserver::tftp-server
 class { 'ganglia::monitor::aggregator':
diff --git a/modules/admin/manifests/hashgroup.pp b/modules/admin/manifests/hashgroup.pp
index 560cd10..0dba0e1 100644
--- a/modules/admin/manifests/hashgroup.pp
+++ b/modules/admin/manifests/hashgroup.pp
@@ -7,9 +7,13 @@
 #
 # [*phash*]
 # Hash that contains valid group data
+#
+# [*only_ops_sudo*]
+# When set to true, only the 'ops' group can have any privileges.
 define admin::hashgroup(
 $phash={},
+ $only_ops_sudo=false
 ) {
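Review bot: The role now resolves the group list by reading the admin module's data file directly, `loadyaml("${admin_module_path}/data/data.yaml")`, so the same source of truth is loaded in two places (the admin class keeps its own `$data`, visible in the init.pp hunk) and a move or rename of that file breaks this role on its own; having `admin` expose an "all groups" option would keep the knowledge in one module. At minimum the intent deserves a comment above the declaration, e.g. `# Bastions give shell access to every group in admin's data.yaml; only_ops_sudo restricts group privileges to ops.` The resource-like `class { 'standard': has_admin => false }` and `class { 'admin': ... }` declarations fail with a duplicate declaration if either class is already reached through `include` elsewhere in the catalog; the site.pp hunks drop `include standard` on the four bastion nodes, but any other role applied to those hosts that includes `standard` or `admin` should be checked. The enclosing class body continues past the hunk.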
@@ -26,9 +30,16 @@ define admin::hashgroup(
 $group_name = $name
 }
- admin::group { $group_name:
- ensure => $gdata['ensure'],
- gid => $gdata['gid'],
- privileges => $gdata['privileges'],
+ if $only_ops_sudo && $name != 'ops' {
+ admin::group { $group_name:
+ ensure => $gdata['ensure'],
+ gid => $gdata['gid'],
+ }
+ } else {
+ admin::group { $group_name:
+ ensure => $gdata['ensure'],
+ gid => $gdata['gid'],
+ privileges => $gdata['privileges'],
+ }
 }
 }
diff --git a/modules/admin/manifests/init.pp b/modules/admin/manifests/init.pp
index d38abab..2bc5e9e 100644
--- a/modules/admin/manifests/init.pp
+++ b/modules/admin/manifests/init.pp
@@ -8,10 +8,13 @@
 # [*$always_groups*]
 # Array of valid groups to always run
 #
+# [*$only_ops_sudo*]
+# When set to true, only the 'ops' group can have any privileges.
 class admin(
 $groups=[],
 $always_groups=['absent', 'ops', 'wikidev'],
+ $only_ops_sudo=false
 ) {
 include sudo
@@ -34,8 +37,9 @@ class admin(
 }
 admin::hashgroup { $all_groups:
- phash => $data,
- before => Admin::Hashuser[$user_set],
+ phash => $data,
+ before => Admin::Hashuser[$user_set],
+ only_ops_sudo => $only_ops_sudo
 }
 admin::hashuser { $user_set:
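Review bot: `if $only_ops_sudo && $name != 'ops'` uses `&&`, which as far as I know the Puppet DSL does not accept as a boolean operator (it has `and`, `or` and `!`); if the parser rejects it, every catalog that declares admin::hashgroup fails, so this should be `and` and confirmed with a compile run. The gate also tests the define's title `$name`, while the resource is declared under `$group_name`; the context line `$group_name = $name` is only one branch of an assignment that starts above the hunk, so confirm that 'ops' is compared against the identifier the other branch would produce too (Puppet string comparison is also case-insensitive, which only matters if the data ever mixes case). The two branches repeat the whole admin::group declaration and differ only in `privileges`; computing that one value first and declaring the resource once is shorter and stops the copies from drifting apart, since passing `undef` lets admin::group use its default exactly as omitting the attribute does. The define's body starts above the hunk.
```puppet
    if $only_ops_sudo and $name != 'ops' {
        $privileges = undef
    } else {
        $privileges = $gdata['privileges']
    }

    admin::group { $group_name:
        ensure     => $gdata['ensure'],
        gid        => $gdata['gid'],
        privileges => $privileges,
    }
```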
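Review bot: `$only_ops_sudo` is accepted without a type check and, in hashgroup.pp, used directly as an `if` condition, so a string such as `'false'` arriving from hiera or a caller is truthy and would silently strip the privileges of every non-ops group. Add `validate_bool($only_ops_sudo)` right after `include sudo`; the role hunk already relies on stdlib functions (`loadyaml`, `get_module_path`, `keys`), so the function should be available. The parameter doc here and in hashgroup.pp, `only the 'ops' group can have any privileges`, claims more than the code does: it only omits the group-level `privileges` attribute for groups other than 'ops', e.g. `When true, the privileges listed for every group other than 'ops' are not applied; group membership is unaffected.` — and it should also say whether per-user privileges set through admin::hashuser are covered, since this change does not touch them. The second init.pp hunk only passes the flag through and needs nothing further.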