diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15ba229..f72b04a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
 ## [Unreleased]
 - breaking: remove support for ansible 2.5
+- feat: remove unused users in init
 - feat: install database if datadir doesn't exist
 ## [v1.0.1] - 2019-03-16
diff --git a/tasks/initdb.yml b/tasks/initdb.yml
index 3515c29..127a36c 100644
--- a/tasks/initdb.yml
+++ b/tasks/initdb.yml
@@ -35,3 +35,29 @@
 command: 'mysqladmin -u root password {{ mariadb_password }}'
 when: True
 tags: mariadb
+
+- name: remove anonymous users
+ mysql_user:
+ name: ''
+ host_all: yes
+ state: absent
+ login_user: '{{ mariadb_user }}'
+ login_password: '{{ mariadb_password }}'
+ no_log: true
+ tags: mariadb
+
+- name: remove root user without password
+ mysql_user:
+ name: root
+ host: '{{ item }}'
+ state: absent
+ login_user: '{{ mariadb_user }}'
+ login_password: '{{ mariadb_password }}'
+ loop:
+ - 127.0.0.1
+ - '::1'
+ - '{{ ansible_nodename }}'
+ no_log: true
+ tags: mariadb
+
+
diff --git a/tasks/main.yml b/tasks/main.yml
index af57bc5..1aae5b7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -37,18 +37,6 @@
 enabled: yes
 tags: mariadb
-- name: remove anonymous users
- mysql_user:
- name: ''
- host_all: yes
- state: absent
- login_user: '{{ mariadb_user }}'
- login_password: '{{ mariadb_password }}'
- run_once: true
- no_log: true
- when: mariadb_master
- tags: mariadb
-
 - name: manage users
 mysql_user:
 name: '{{ item.name }}'
diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb
index bbc42c5..38492d4 100644
--- a/test/integration/default/serverspec/default_spec.rb
+++ b/test/integration/default/serverspec/default_spec.rb
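Review bot: The two account-cleanup tasks added to tasks/initdb.yml presumably run only when the data directory is first created (the include condition is not visible in this diff), while the `remove anonymous users` task deleted from tasks/main.yml ran on every play. A host whose datadir already exists, for example one created by the package or by an earlier release of the role, would then keep its anonymous and extra root accounts with no task left to remove them. Consider keeping the cleanup in tasks/main.yml, or documenting the limitation above the first task with `# only runs on first initialisation; existing installations are not cleaned`. The second task's name is also narrower than what it does: it deletes root at 127.0.0.1, ::1 and the node name whether or not a password is set, so a name such as `remove extra root accounts` would describe it more accurately.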
@@ -45,11 +45,16 @@ describe command('mysql -uroot -psecret -e "show databases"') do
 its(:stdout) { should contain 'test' }
 end
-describe command('mysql -uroot -psecret -e "select user, host from mysql.user"') do
+describe command('mysql -uroot -psecret -e "select user, host, password from mysql.user"') do
 its(:exit_status) { should eq 0 }
 its(:stdout) { should contain(/toto.*%/) }
 end
+describe command('mysql -uroot -psecret -e "select count(*) from mysql.user where user=\'root\'"') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should contain('1') }
+end
+
 describe command('mysql -uroot -psecret -e "show grants for toto@\'%\'"') do
 its(:exit_status) { should eq 0 }
 its(:stdout) do
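Review bot: `should contain('1')` in the new root-count check is a substring match, so a count of 10, 11 or 21 would also pass; anchor it to the whole line with `its(:stdout) { should match(/^1$/) }`. The widened `select user, host, password` query puts the password hash column into the command output, but the assertion is still only `/toto.*%/`, so the hashes land in test logs without being checked; either drop the column or assert on it. Nothing in this hunk verifies that anonymous accounts are gone, which a count with `where user=''` expected to be 0 would cover. The final `describe` block continues outside the hunk.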