diff --git a/uffd/role/utils.py b/uffd/role/utils.py
new file mode 100644
index 0000000000000000000000000000000000000000..2a7610bffe021e8702ca17e8200bda1b2c713c30
--- /dev/null
+++ b/uffd/role/utils.py
@@ -0,0 +1,7 @@
+from uffd.role.models import Role
+
+def recalculate_user_groups(user):
+	usergroups = set()
+	for role in Role.get_for_user(user).all():
+		usergroups.update(role.group_dns())
+	user.replace_group_dns(usergroups)
diff --git a/uffd/role/views.py b/uffd/role/views.py
index 4a35e875af0ba17e33e1eb9c5a3cc0e469e22536..a60465bf0f999fd298ef58f93473c744bf010a1f 100644
--- a/uffd/role/views.py
+++ b/uffd/role/views.py
@@ -3,6 +3,7 @@ from flask import Blueprint, render_template, request, url_for, redirect, flash,
 from uffd.navbar import register_navbar
 from uffd.csrf import csrf_protect
 from uffd.role.models import Role
+from uffd.role.utils import recalculate_user_groups
 from uffd.user.models import Group
 from uffd.session import get_current_user, login_required, is_valid_session
 from uffd.database import db
@@ -59,10 +60,7 @@ def update(roleid=False):
 
 	members = role.member_ldap()
 	for user in members:
-		usergroups = set()
-		for role in Role.get_for_user(user).all():
-			usergroups.update(role.group_dns())
-		user.replace_group_dns(usergroups)
+		recalculate_user_groups(user)
 		if not user.to_ldap():
 			flash('updating group membership for user {} failed'.format(user.loginname))
 
diff --git a/uffd/user/views_user.py b/uffd/user/views_user.py
index 755929b6d166bef429a324568e8412bd6f622b5c..5e04422cb5a2cff7edacf3a375d33e720f9d1cf6 100644
--- a/uffd/user/views_user.py
+++ b/uffd/user/views_user.py
@@ -9,6 +9,7 @@ from uffd.selfservice import send_passwordreset
 from uffd.ldap import get_conn, escape_filter_chars
 from uffd.session import login_required, is_valid_session, get_current_user
 from uffd.role.models import Role
+from uffd.role.utils import recalculate_user_groups
 from uffd.database import db
 
 from .models import User
@@ -92,10 +93,9 @@ def update(uid=False):
 		else:
 			flash('User updated')
 
-		usergroups = set()
-		for role in Role.get_for_user(user).all():
-			usergroups.update(role.group_dns())
-		user.replace_group_dns(usergroups)
+		recalculate_user_groups(user)
+		if not user.to_ldap():
+			flash('updating group membership for user {} failed'.format(user.loginname))
 		session.commit()
 	else:
 		flash('Error updating user: {}'.format(conn.result['message']))