diff --git a/packer/ansible/roles/auth/files/sudoers b/packer/ansible/roles/auth/files/sudoers
index 7ea5db9..d66b5cd 100644
--- a/packer/ansible/roles/auth/files/sudoers
+++ b/packer/ansible/roles/auth/files/sudoers
@@ -5,3 +5,5 @@ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/b
 root ALL=(ALL:ALL) ALL
 %fablab ALL=(ALL:ALL) ALL
+
+#includedir /etc/sudoers.d
diff --git a/packer/ansible/roles/fablab/files/metalcut/metalcut.desktop b/packer/ansible/roles/fablab/files/metalcut/metalcut.desktop
new file mode 100644
index 0000000..47d76e6
--- /dev/null
+++ b/packer/ansible/roles/fablab/files/metalcut/metalcut.desktop
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=MetalCut
+GenericName=MetalCut
+Comment=Laser Cutter Job Control Application
+Exec=x-terminal-emulator -e 'sudo /usr/local/bin/metalcut'
+Icon=/usr/share/metalcut/metalcut.svg
+Terminal=false
+Type=Application
+Categories=Graphics
diff --git a/packer/ansible/roles/fablab/tasks/metalcut.yml b/packer/ansible/roles/fablab/tasks/metalcut.yml
index db833be..15f23cb 100644
--- a/packer/ansible/roles/fablab/tasks/metalcut.yml
+++ b/packer/ansible/roles/fablab/tasks/metalcut.yml
@@ -14,10 +14,45 @@
 group: root
 mode: "0644"
-- name: add metalcut to applications menu
+- name: add metalcut script
 template:
- src: metalcut/metalcut.desktop.j2
+ src: metalcut/metalcut.sh.j2
+ dest: /usr/local/bin/metalcut
+ owner: root
+ group: root
+ mode: "0755"
+
+- name: add metalcut to applications menu
+ copy:
+ src: metalcut/metalcut.desktop
 dest: /usr/share/applications/metalcut.desktop
 owner: root
 group: root
 mode: "0644"
+
+- name: add group
+ group:
+ name: metalcut
+ system: yes
+
+- name: add sudoers config
+ copy:
+ content: "%metalcut ALL=/usr/local/bin/metalcut, NOPASSWD:/usr/local/bin/metalcut\n"
+ dest: /etc/sudoers.d/metalcut
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: ensure guest-account settings directory exists
+ file:
+ path: /etc/guest-account
+ state: directory
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: add metalcut group to guest account
+ lineinfile:
+ path: /etc/guest-account/groups
+ line: metalcut
+ create: yes
diff --git a/packer/ansible/roles/fablab/templates/metalcut/metalcut.desktop.j2 b/packer/ansible/roles/fablab/templates/metalcut/metalcut.desktop.j2
deleted file mode 100644
index 95914d5..0000000
--- a/packer/ansible/roles/fablab/templates/metalcut/metalcut.desktop.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-[Desktop Entry]
-Name=MetalCut
-GenericName=MetalCut
-Comment=Laser Cutter Job Control Application
-Exec=sh -c 'docker run --rm -v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY -e uid=$(id -u) -e gid=$(id -g) -v "$HOME:/home/metalcut/work" -e remote={{ fablab.metalcut.socket }} {{ fablab.metalcut.dockerimage }}'
-Icon=/usr/share/metalcut/metalcut.svg
-Terminal=false
-Type=Application
-Categories=Graphics
-
-
diff --git a/packer/ansible/roles/fablab/templates/metalcut/metalcut.sh.j2 b/packer/ansible/roles/fablab/templates/metalcut/metalcut.sh.j2
new file mode 100755
index 0000000..bbee996
--- /dev/null
+++ b/packer/ansible/roles/fablab/templates/metalcut/metalcut.sh.j2
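Review bot: The `add sudoers config` task grants more than the launcher needs and installs the drop-in without a syntax check. A command listed with no argument list, as `/usr/local/bin/metalcut` is here, may be run through sudo with any arguments, and the first, password-requiring entry looks redundant next to the `NOPASSWD` entry for the same path; `content: "%metalcut ALL=NOPASSWD: /usr/local/bin/metalcut \"\"\n"` keeps the passwordless launch while the trailing `""` makes sudo reject arguments. Because the last task puts the guest account into this group, the rule applies to every guest session. I would also use `mode: "0440"` and add `validate: "visudo -cf %s"`, since a malformed file under /etc/sudoers.d can leave sudo unusable on the built image. The `lineinfile` task that creates `/etc/guest-account/groups` sets no `owner`, `group` or `mode`, although guest-account.sh passes that file's content to `useradd`.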
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+remote='{{ fablab.metalcut.socket }}'
+image='{{ fablab.metalcut.dockerimage }}'
+
+if [ ! -z "$SUDO_COMMAND" ] && [ "$SUDO_COMMAND" = "$0" ]; then
+ home="$(getent passwd "$SUDO_USER" | cut -d: -f6)"
+ uid="$SUDO_UID"
+ gid="$SUDO_GID"
+else
+ home="$HOME"
+ uid=$(id -u)
+ gid=$(id -g)
+fi
+
+docker run \
+ --rm \
+ -v /tmp/.X11-unix:/tmp/.X11-unix \
+ -e DISPLAY \
+ -e uid="$uid" \
+ -e gid="$gid" \
+ -v "$HOME:$home" \
+ -e remote="$remote" \
+ $image
diff --git a/packer/ansible/roles/windowmanager/files/guest-account.sh b/packer/ansible/roles/windowmanager/files/guest-account.sh
index 38c2cc7..968fa5c 100644
--- a/packer/ansible/roles/windowmanager/files/guest-account.sh
+++ b/packer/ansible/roles/windowmanager/files/guest-account.sh
@@ -21,6 +21,11 @@ if [ -f /etc/default/locale ]; then
 export LANG LANGUAGE
 fi
+# read list of supplementary groups of the guest account from file
+if [ -f /etc/guest-account/groups ]; then
+ GROUPS="$(cat /etc/guest-account/groups)"
+fi
+
 is_system_user ()
 {
 UID_MIN=$(cat /etc/login.defs | grep UID_MIN | awk '{print $2}')
@@ -45,6 +50,9 @@ add_account ()
 }
 rmdir "${temp_home}"
 fi
+ if [ "${GROUPS}" != "" ]; then
+ GROUPS="--groups ${GROUPS}"
+ fi
 # if ${GUEST_USER} already exists, it must be a locked system account with no existing
 # home directory
@@ -74,7 +82,7 @@ add_account ()
 fi
 else
 # does not exist, so create it
- useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest") --user-group --shell /bin/bash ${GUEST_USER} || {
+ useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest") --user-group --shell /bin/bash ${GROUPS} ${GUEST_USER} || {
 rm -rf ${GUEST_HOME}
 exit 1
 }
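Review bot: In metalcut.sh.j2 the bind mount `-v "$HOME:$home"` uses the looked-up `home` only as the path inside the container, while the host side is still `$HOME`, which under sudo is whatever the sudoers environment policy leaves there and may be root's home instead of the invoking user's. If the looked-up directory was meant to be the one shared with the container, the host side should be `"$home"`, for example `-v "$home:$home" \`. The sudo branch is taken only when `SUDO_COMMAND` equals `$0` exactly, so a sudo invocation with any argument falls into the `else` branch, where `id -u` and `id -g` report root's IDs. `$image` should be quoted, and `[ ! -z "$SUDO_COMMAND" ]` reads better as `[ -n "$SUDO_COMMAND" ]`.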
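Review bot: In guest-account.sh the new variable is named `GROUPS`, which bash reserves as a built-in array of the caller's group IDs; assignments to it have no effect there. The interpreter line is outside the hunks, so this may be harmless under a plain POSIX sh, but if the script is ever run by bash, `${GROUPS}` would expand to a numeric GID instead of the file's content; a name such as `GUEST_GROUPS` avoids that in all three hunks (the read at the top, the `--groups` prefix and the `useradd` call). `useradd --groups` takes one comma-separated list while the Ansible `lineinfile` task writes one group per line, so a second entry would be word-split into a stray argument; `GUEST_GROUPS="$(paste -sd, /etc/guest-account/groups)"` joins the lines. The file's content reaches a root-run command line unquoted, so it should stay writable by root only. add_account's body continues outside the hunks.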