diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index ab85eed34eea..48722af7332a 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -139,6 +139,9 @@ let
 
   filterPresent = filterAttrs (_: v: v.present);
 
+  filterMemberless = filterAttrs (_: v: v.present && v.memberless);
+  filterMemberful = filterAttrs (_: v: v.present && !v.memberless);
+
   provisionStateJson = pkgs.writeText "provision-state.json" (
     builtins.toJSON { inherit (cfg.provision) groups persons systems; }
   );
@@ -442,6 +445,12 @@ in
           apply = unique;
           default = [ ];
         };
+
+        memberless = mkOption {
+          description = "Whether this group is considered memberless, i.e. the list of members is managed imperatively.";
+          type = types.bool;
+          default = false;
+        };
       };
       config.members = concatLists (
         flip mapAttrsToList cfg.provision.persons (
@@ -757,10 +766,18 @@ in
               person: personCfg:
               assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups
             )
-            ++ flip mapAttrsToList (filterPresent cfg.provision.groups) (
+            ++ flip mapAttrsToList (filterMemberful cfg.provision.groups) (
               group: groupCfg:
               assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members
             )
+            ++ lib.flip lib.mapAttrsToList (filterMemberless cfg.provision.groups) (
+              group: groupCfg: {
+                assertion = cfg.provision.enable -> groupCfg.members == [ ];
+                message = ''
+                  services.kanidm.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members}
+                '';
+              }
+            )
             ++ concatLists (
               flip mapAttrsToList (filterPresent cfg.provision.systems.oauth2) (
                 oauth2: oauth2Cfg:
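Review bot: `filterMemberless` and `filterMemberful` read `v.memberless`, which this patch defines only on `provision.groups` entries, whereas the neighbouring `filterPresent` is applied to persons and systems as well; applying the new helpers to a persons or systems attrset would fail on the missing attribute. A one-line comment above them would stop the next reader from reusing them generically: `# Group-only filters: split present groups by whether membership is declarative (memberful) or managed out-of-band (memberless).`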
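Review bot: The `memberless` description says membership is managed imperatively but not what that implies for the module: `members` is derived from each person's `groups` list (the `config.members = concatLists ...` context just below), so any person that lists a memberless group trips an assertion, and the group is still written to provision-state.json with an empty member list. Whether members added out-of-band are then left untouched depends on the provisioning tool honouring the flag, which is not visible in this patch, so the option text should state the intended guarantee explicitly since such a group is an escape hatch from declarative control over privilege membership. Suggested wording: `description = "Whether this group is memberless, i.e. its membership is managed imperatively (for example via the kanidm CLI) instead of declaratively. No provisioned person may list this group in its `groups`, and provisioning itself adds no members; out-of-band membership of such a group is therefore not reconciled by this module.";`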
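Review bot: The new assertion's message points the user at `services.kanidm.groups.${group}`, an option path that does not exist; the neighbouring `assertEntitiesKnown` call spells it `services.kanidm.provision.groups.${group}.members`, so the message should read `services.kanidm.provision.groups.${group} is declared as memberless but contains members: ${toString groupCfg.members}`. Since `members` is populated from persons' `groups` lists rather than set directly on the group, it would also help to add that the listed members are persons whose `groups` include this group. Separately, this branch uses `lib.flip lib.mapAttrsToList` while the surrounding branches use the unqualified `flip mapAttrsToList`; dropping the `lib.` prefixes keeps the assertions list consistent. The enclosing assertions expression begins and ends outside this hunk.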