diff --git a/src/lldap.rs b/src/lldap.rs
index 73fc66c..256ac87 100644
--- a/src/lldap.rs
+++ b/src/lldap.rs
@@ -4,7 +4,7 @@ use lldap_auth::registration::ServerRegistrationStartResponse;
 use lldap_auth::{opaque, registration};
 use reqwest::header::{HeaderMap, HeaderValue, AUTHORIZATION};
 use std::time::Duration;
-use tracing::debug;
+use tracing::{debug, trace};
 use cynic::http::{CynicReqwestError, ReqwestExt};
 use cynic::{GraphQlError, GraphQlResponse, MutationBuilder, QueryBuilder};
@@ -179,6 +179,43 @@ impl LldapClient {
 Ok(())
 }
+ pub async fn update_user_groups(&self, user: &User, needed_groups: &[String]) -> Result<()> {
+ let all_groups = self.get_groups().await?;
+
+ // TODO: Error when invalid name
+ let needed_groups: Vec<_> = needed_groups
+ .iter()
+ .filter_map(|needed_group| {
+ all_groups
+ .iter()
+ .find(|group| &group.display_name == needed_group)
+ .map(|group| group.id)
+ })
+ .collect();
+
+ let current_groups: Vec<_> = user.groups.iter().map(|group| group.id).collect();
+
+ let remove = current_groups
+ .iter()
+ .filter(|group| !needed_groups.contains(group));
+ for &group in remove {
+ trace!(username = user.id, group, "Removing user from group");
+
+ self.remove_user_from_group(&user.id, group).await?;
+ }
+
+ let add = needed_groups
+ .iter()
+ .filter(|group| !current_groups.contains(group));
+ for &group in add {
+ trace!(username = user.id, group, "Adding user to group");
+
+ self.add_user_to_group(&user.id, group).await?;
+ }
+
+ Ok(())
+ }
+
 pub async fn update_password(&self, username: &str, password: &str) -> Result<()> {
 let mut rng = rand::rngs::OsRng;
 let registration_start_request =
diff --git a/src/resources.rs b/src/resources.rs
index bbf3a8e..886dcc4 100644
--- a/src/resources.rs
+++ b/src/resources.rs
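Review bot: The `filter_map` in `update_user_groups` still silently drops any name in `needed_groups` that matches no existing `display_name`, so a misspelled group in the spec leaves the user outside the intended group — or, if the typo replaced a previously valid name, removes them from it via the `remove` loop — while the call returns `Ok(())` and the reconcile reports success; the `// TODO: Error when invalid name` was carried over from resources.rs rather than addressed. Since this is now a reusable client method, resolving the TODO here covers every caller: map each name to a `Result`, fail on the first unresolved one with the name in the error, and collect with `?` so the reconcile fails closed and the misconfiguration is visible. The crate's error type is not visible in this hunk, so the fence below marks where the error value is built. The whole function lies inside the hunk.
```rust
        // An unknown group name fails the reconcile instead of being silently skipped.
        let needed_groups = needed_groups
            .iter()
            .map(|needed_group| {
                all_groups
                    .iter()
                    .find(|group| &group.display_name == needed_group)
                    .map(|group| group.id)
                    // ERROR_CONSTRUCTOR_PLACEHOLDER: build the crate's "unknown group
                    // `{needed_group}`" error here; the error type is not visible in this hunk
                    .ok_or_else(|| ERROR_CONSTRUCTOR_PLACEHOLDER(needed_group))
            })
            .collect::<Result<Vec<_>>>()?;
        // … unchanged: current_groups, remove loop, add loop, Ok(()) …
```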
@@ -218,41 +218,9 @@ impl Reconcile for ServiceUser {
 Err(err) => Err(err),
 }?;
- let groups = lldap_client.get_groups().await?;
- // TODO: Error when invalid name
- let needed_groups: Vec<_> = self
- .spec
- .additional_groups
- .iter()
- .filter_map(|additional_group| {
- groups
- .iter()
- .find(|group| &group.display_name == additional_group)
- .map(|group| group.id)
- })
- .collect();
-
- let current_groups: Vec<_> = user.groups.iter().map(|group| group.id).collect();
-
- let remove = current_groups
- .iter()
- .filter(|group| !needed_groups.contains(group));
- for &group in remove {
- trace!(name, username, group, "Removing user from group");
-
- lldap_client
- .remove_user_from_group(&username, group)
- .await?;
- }
-
- let add = needed_groups
- .iter()
- .filter(|group| !current_groups.contains(group));
- for &group in add {
- trace!(name, username, group, "Adding user to group");
-
- lldap_client.add_user_to_group(&username, group).await?;
- }
+ trace!(name, "Updating groups");
+ let groups = self.spec.additional_groups.clone();
+ lldap_client.update_user_groups(&user, &groups).await?;
 trace!(name, "Updating password");
 let password = secret.get().data.as_ref().unwrap().get("password").unwrap();
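Review bot: The `self.spec.additional_groups.clone()` on the new side allocates a full copy of the group list only to borrow it on the next line, because `update_user_groups` takes `&[String]`; assuming `additional_groups` is a `Vec<String>` (the removed code iterated it and compared `&String`s, which fits), the two lines collapse to `lldap_client.update_user_groups(&user, &self.spec.additional_groups).await?;`. Note also that the removed per-group `trace!` calls carried `name` alongside `username`, so per-group add/remove events in the client are now correlated to the resource only through the enclosing `"Updating groups"` trace; if that correlation matters for auditing group changes, the client method could accept or record the resource name. The enclosing reconcile body starts and ends outside the hunk.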