diff --git a/data/templates/slapd/yunohost.schema b/data/templates/slapd/yunohost.schema
index 7da60a20c..e7398e621 100644
--- a/data/templates/slapd/yunohost.schema
+++ b/data/templates/slapd/yunohost.schema
@@ -15,6 +15,9 @@ attributetype ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
 attributetype ( 1.3.6.1.4.1.17953.9.1.4 NAME 'URL'
   DESC 'Yunohost application URL'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributetype ( 1.3.6.1.4.1.17953.9.1.5 NAME 'isProtected'
+  DESC 'Yunohost application permission protection'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 # OBJECTCLASS
 # For Applications
 objectclass ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
@@ -25,7 +28,7 @@ objectclass ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
   DESC 'a Yunohost application'
   SUP top AUXILIARY
   MUST cn
-  MAY ( groupPermission $ inheritPermission $ URL ) )
+  MAY ( groupPermission $ inheritPermission $ URL $ isProtected ) )
 # For User
 objectclass ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
   DESC 'a Yunohost application'
diff --git a/src/yunohost/user.py b/src/yunohost/user.py
index fdcac658d..fdd990658 100644
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@@ -718,7 +718,7 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
 
     new_group_dns = ["uid=" + user + ",ou=users,dc=yunohost,dc=org" for user in new_group]
 
-    if set(new_group) != set(current_group):
+    if set(new_group) != set(current_group) or True:
         operation_logger.start()
         ldap = _get_ldap_interface()
         try: