diff --git a/proxy/pkg/user/backend/cs3.go b/proxy/pkg/user/backend/cs3.go
index e754760b9..cc423ca6e 100644
--- a/proxy/pkg/user/backend/cs3.go
+++ b/proxy/pkg/user/backend/cs3.go
@@ -61,11 +61,21 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 		}
 	}
 
+	// if roles are empty, assume we haven't seen the user before and assign a
+	// default user role. At least until proper roles are provided. See
+	// https://github.com/owncloud/ocis/issues/1825 for more context.
 	if len(roleIDs) == 0 {
-		roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser, settingsService.SelfManagementPermissionID)
-		// if roles are empty, assume we haven't seen the user before and assign a default user role. At least until
-		// proper roles are provided. See https://github.com/owncloud/ocis/issues/1825 for more context.
-		//return user, nil
+		if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
+			c.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
+			_, err := c.settingsRoleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
+				AccountUuid: user.Id.OpaqueId,
+				RoleId:      settingsService.BundleUUIDRoleUser,
+			})
+			if err != nil {
+				c.logger.Error().Err(err).Msg("Could not add default role")
+			}
+			roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
+		}
 	}
 
 	enc, err := encodeRoleIDs(roleIDs)
diff --git a/storage/pkg/config/defaults/defaultconfig.go b/storage/pkg/config/defaults/defaultconfig.go
index 142b05db7..7d21b8dd0 100644
--- a/storage/pkg/config/defaults/defaultconfig.go
+++ b/storage/pkg/config/defaults/defaultconfig.go
@@ -266,7 +266,7 @@ func DefaultConfig() *config.Config {
 				},
 				CommitShareToStorageGrant:  true,
 				CommitShareToStorageRef:    true,
-				DisableHomeCreationOnLogin: false,
+				DisableHomeCreationOnLogin: true,
 				ShareFolder:                "Shares",
 				LinkGrants:                 "",
 				HomeMapping:                "",