diff --git a/openssh-server-systemd-sysusers.conf b/openssh-server-systemd-sysusers.conf
new file mode 100644
index 0000000..419c529
--- /dev/null
+++ b/openssh-server-systemd-sysusers.conf
@@ -0,0 +1,2 @@
+#Type Name ID  GECOS                     Home directory        Shell
+u     sshd 74  "Privilege-separated SSH" /usr/share/empty.sshd -
diff --git a/openssh-systemd-sysusers.conf b/openssh-systemd-sysusers.conf
new file mode 100644
index 0000000..1192c0b
--- /dev/null
+++ b/openssh-systemd-sysusers.conf
@@ -0,0 +1,2 @@
+#Type Name     ID
+g     ssh_keys 101
diff --git a/openssh.spec b/openssh.spec
index 810da66..aed1b1c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -7,10 +7,6 @@
 
 %global _hardened_build 1
 
-# OpenSSH privilege separation requires a user & group ID
-%global sshd_uid    74
-%global sshd_gid    74
-
 # Do we want to disable building of gnome-askpass? (1=yes 0=no)
 %global no_gnome_askpass 0
 
@@ -76,6 +72,8 @@ Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source15: sshd-keygen.target
 Source16: ssh-agent.service
+Source17: openssh-systemd-sysusers.conf
+Source18: openssh-server-systemd-sysusers.conf
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
 Patch100: openssh-6.7p1-coverity.patch
@@ -652,6 +650,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
+install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf
+install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf
 
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@@ -680,13 +680,10 @@ install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/
 install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest
 
 %pre
-getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
+%sysusers_create_compat %{SOURCE17}
 
 %pre server
-getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
-getent passwd sshd >/dev/null || \
-  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-  -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
+%sysusers_create_compat %{SOURCE18}
 
 %post server
 %systemd_post sshd.service sshd.socket
@@ -724,6 +721,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
+%attr(0644,root,root) %{_sysusersdir}/openssh.conf
 
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
@@ -769,6 +767,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
+%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
 
 %files keycat
 %doc HOWTO.ssh-keycat
@@ -798,6 +797,8 @@ test -f %{sysconfig_anaconda} && \
   Resolves: RHEL-4734
 - Limit artificial delays in sshd while login using AD user
   Resolves: RHEL-2469
+- Move users/groups creation logic to sysusers.d fragments
+  Resolves: RHEL-5222
 
 * Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
 - Avoid remote code execution in ssh-agent PKCS#11 support