diff --git a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
index 84650aa..f39ef2c 100644
--- a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
+++ b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
@@ -28,6 +28,7 @@
 - name: add dns zone
 ipa_dnszone:
 zone_name: "{{ zone_name }}"
+ become: true
 - name: add forward dns record
 ipa_dnsrecord:
@@ -35,6 +36,7 @@
 record_name: "{{ record_name }}"
 record_type: "{{ record_type }}"
 record_value: "{{ record_value }}"
+ become: true
 - name: get reverse record data
 set_fact:
@@ -59,6 +61,7 @@
 failed_when:
 - "'zone' not in reverse_zone_result"
 - "'already exists in DNS' not in reverse_zone_result.msg"
+ become: true
 - name: add reverse dns record
 ipa_dnsrecord:
@@ -70,3 +73,4 @@
 failed_when:
 - "'record' not in reverse_record_result"
 - "'DNS zone not found' not in reverse_record_result.msg"
+ become: true
diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
index 69d1d02..1d89b7b 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
@@ -33,6 +33,7 @@
 - name: add main host to IPA with OTP
 when: enroll_base_server|bool
+ become: true
 block:
 - name: get host raw data and keytab info
 command: "ipa host-show --raw --all {{ base_server_fqdn }}"
diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml
index 2d5c624..ff1946e 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml
@@ -36,6 +36,7 @@
 force: true
 state: present
 validate_certs: false
+ become: true
 - name: add service
 ipa_service:
@@ -43,6 +44,7 @@
 force: true
 state: present
 validate_certs: false
+ become: true
 register: my_service
 - name: add host to managed_hosts if needed
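Review bot: The four `become: true` additions in tripleo_ipa_dns/tasks/dns.yaml (the hunks starting at new lines 28, 36, 61 and 73) escalate every IPA DNS task to root without stating why root is needed. The same commit changes `nova_keytab_group` to `"root"` in get_ipa_user_keytab.yml, so presumably these tasks need root to use the keytab or a credential cache derived from it, but that link is not visible in this file. A one-line comment above the first task, such as `# runs as root: the novajoin keytab is group root`, would let a later reader judge whether the escalation is still required. The tasks these hunks touch begin or end outside the hunks, so how they obtain credentials cannot be checked from here.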
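Review bot: Setting `become: true` on the block `add main host to IPA with OTP` in tripleo_ipa_registration/tasks/main.yml makes every task inside it run as root, including the `command:` task that interpolates `{{ base_server_fqdn }}` into a free-form command string. `command` does not go through a shell, but a value containing whitespace is still split into extra arguments to `ipa`, and that now happens with root privileges; the list form `argv: ["ipa", "host-show", "--raw", "--all", "{{ base_server_fqdn }}"]` keeps the variable a single argument. The block body continues past the end of the hunk, so it is worth checking whether all of its tasks need root or whether `become` can be set only on the ones that need the keytab.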
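Review bot: The three tasks in tripleo_ipa_registration/tasks/services.yml that gain `become: true` (this hunk, the `add service` hunk and the `add host to managed_hosts if needed` hunk) all keep `validate_certs: false`, so the privileged run still does not verify the IPA server's TLS certificate. If the host already trusts the IPA CA at this point in the deployment, `validate_certs: true` is the safer setting; if it does not, a comment next to the option saying why validation is off would make the exception deliberate rather than inherited. The first task's name and module line are outside the hunk, so which module it calls is inferred from the sibling tasks.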
@@ -53,3 +55,4 @@
 state: present
 hosts: "{{ my_service['host']['managedby_host'] + [ base_server_fqdn ] }}"
 validate_certs: false
+ become: true
diff --git a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml
index d5ac629..ab29172 100644
--- a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml
@@ -23,7 +23,7 @@
 set_fact:
 nova_service: "nova/{{ undercloud_fqdn }}"
 nova_keytab: "/etc/novajoin/krb5.keytab"
- nova_keytab_group: "tripleo-admin"
+ nova_keytab_group: "root"
 - name: add directory for keytab
 file:
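Review bot: Changing `nova_keytab_group` to `"root"` in get_ipa_user_keytab.yml narrows who can read the keytab only if the modes applied by the tasks that follow exclude other users, and those tasks lie outside this hunk. It is worth confirming that they set an explicit mode (for example `mode: "0600"` on the keytab file) and that a keytab already present with group `tripleo-admin` has its group re-applied on an existing host rather than only at creation. A short comment on the variable, such as `# group root: tasks that use this keytab must set become: true`, would tie this change to the `become` additions elsewhere in the commit.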