diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml
index 0a6dce0..1ac92ff 100644
--- a/tasks/elasticsearch-parameters.yml
+++ b/tasks/elasticsearch-parameters.yml
@@ -23,6 +23,13 @@
 - fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
   when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined
 
+- set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }}
+  when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0)
+
+- fail:
+    msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM."
+  when: file_reserved_users | default([]) | length > 0
+
 - set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
 - set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
 - set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml
index e524043..08a97d1 100644
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
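Review bot: The credential guard on the context line directly above the new reserved-user tasks only fails when both `es_api_basic_auth_username` and `es_api_basic_auth_password` are undefined, so a play that supplies just one of them passes this check and the later native-realm and template tasks run against a secured cluster with a missing credential; the condition should be `when: es_enable_xpack and ("security" in es_xpack_features) and (es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined)`. On the added `set_fact`, `es_users.file is defined` is also true for a `file:` key with no value, in which case `es_users.file.keys()` raises instead of the task being skipped; `es_users.file is mapping` (or `(es_users.file | default({})).keys()`) covers that. The new `fail` also assumes `reserved_xpack_users` is defined elsewhere in the role, which is not visible in this diff, so I cannot confirm it from here.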
@@ -8,15 +8,6 @@
   with_fileglob:
     - "{{ es_templates_fileglob | default('') }}"
-
-- name: Ensure elasticsearch is started
-  service: name={{instance_init_script | basename}} state=started enabled=yes
-  when: es_start_service and load_templates.changed
-
-- name: Wait for elasticsearch to startup
-  wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
-  when: es_start_service and load_templates.changed
-
 - name: Install templates without auth
   uri:
     url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 5b3953d..c76f594 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -39,12 +39,6 @@
 - meta: flush_handlers
 
-#Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
-- include: elasticsearch-template.yml
-  when: es_templates
-  tags:
-    - templates
-
 - name: Make sure elasticsearch is started
   service: name={{instance_init_script | basename}} state=started enabled=yes
   when: es_start_service
@@ -53,10 +47,17 @@
   wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
   when: es_restarted is defined and es_restarted.changed and es_start_service
 
+#perform security actions here now elasticsearch is started
+- include: ./xpack/security/elasticsearch-security-native.yml
+  when: es_start_service and (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
+
 - name: activate-license
   include: ./xpack/security/elasticsearch-xpack-activation.yml
   when: es_start_service and es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
 
-#perform security actions here now elasticsearch is started
-- include: ./xpack/security/elasticsearch-security-native.yml
-  when: es_start_service and (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
+#Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
+#We also do after the native realm to ensure any changes are applied here first and its denf up.
+- include: elasticsearch-template.yml
+  when: es_templates
+  tags:
+    - templates
\ No newline at end of file
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml
index d4b2f99..8d5ec13 100644
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
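Review bot: The `when:` on the moved native-realm include still wraps the feature test in quotes: `'"security" in es_xpack_features'` is a Jinja string literal, which is always truthy, so the include runs whenever x-pack is enabled and native users or roles are declared even when "security" is not in `es_xpack_features`. elasticsearch-parameters.yml in this same commit uses the bare form, so the line should read `when: es_start_service and es_enable_xpack and ("security" in es_xpack_features) and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))`. The new explanatory comment ends in "its denf up", which I cannot parse; if the intent is what the ordering suggests, `#Templates are loaded after the native realm so that any native users/roles they depend on already exist.` says it plainly. The file now also ends without a trailing newline.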
@@ -16,41 +16,31 @@
   command: >
     {{es_home}}/bin/x-pack/users userdel {{item}}
   with_items: "{{users_to_remove | default([])}}"
-  when: manage_file_users and (users_to_remove | length > 0)
+  when: manage_file_users
   environment:
     CONF_DIR: "{{ conf_dir }}"
     ES_HOME: "{{es_home}}"
 
-- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) | difference (reserved_xpack_users) | default([]) }}
+- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }}
   when: manage_file_users
 
-- set_fact: users_to_ignore={{ es_users.file.keys() | difference (current_file_users.stdout_lines) | intersect (reserved_xpack_users) }}
-  when: manage_file_users
-
-- debug:
-    msg: "WARNING: YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING WILL BE IGNORED: {{users_to_ignore}}"
-  when: manage_file_users and users_to_ignore | length > 0
-
 #Add users
 - name: Add Users
   command: >
     {{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}
-  with_items: "{{ users_to_add }}"
-  when: manage_file_users and users_to_add | length > 0
+  with_items: "{{ users_to_add | default([]) }}"
+  when: manage_file_users
   no_log: True
   environment:
     CONF_DIR: "{{ conf_dir }}"
     ES_HOME: "{{es_home}}"
 
-- set_fact: users_to_modify={{ es_users.file.keys() | difference (reserved_xpack_users) | default([]) }}
-  when: manage_file_users
-
 #Set passwords for all users declared - Required as the useradd will not change existing user passwords
 - name: Set User Passwords
   command: >
     {{es_home}}/bin/x-pack/users passwd {{ item }} -p {{es_users.file[item].password}}
-  with_items: "{{ users_to_modify }}"
-  when: manage_file_users and users_to_modify | length > 0
+  with_items: "{{ es_users.file.keys() | default([]) }}"
+  when: manage_file_users
   #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
   changed_when: False
   no_log: True
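Review bot: The file-realm tasks no longer subtract `reserved_xpack_users` from `users_to_add` or from the Set User Passwords loop, which is only safe because elasticsearch-parameters.yml now aborts the play when a reserved user appears under `es_users.file`; that precondition is invisible in this file, so a comment above the `users_to_add` set_fact such as `# reserved users are rejected up front in elasticsearch-parameters.yml, so no filtering is needed here` would stop someone from re-adding or "fixing" it later. Separately, `with_items: "{{ es_users.file.keys() | default([]) }}"` does not do what the `default` suggests: if `es_users.file` is undefined, the `.keys()` call raises before the filter is ever applied, and as far as I know Ansible evaluates a loop before the per-item `when`, so `manage_file_users` being false may not skip the task; `(es_users.file | default({})).keys()` is the safe form. How `manage_file_users` and `users_to_remove` are derived is above this hunk, and the userdel task it opens with starts outside it, so I have not verified those.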
@@ -58,7 +48,7 @@
     CONF_DIR: "{{ conf_dir }}"
     ES_HOME: "{{es_home}}"
 
-- set_fact: users_roles={{es_users.file | extract_role_users (reserved_xpack_users) }}
+- set_fact: users_roles={{es_users.file | extract_role_users () }}
   when: manage_file_users
 
 #Copy Roles files
diff --git a/test/integration/issue-test.yml b/test/integration/issue-test.yml
index 303f418..1f7ef2a 100644
--- a/test/integration/issue-test.yml
+++ b/test/integration/issue-test.yml
@@ -28,10 +28,6 @@
   es_api_basic_auth_password: changeme
   es_users:
     file:
-      kibana:
-        password: changeme
-        roles:
-          - kibana_system
       test_user:
         password: changeme
         roles:
diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml
index 7eecb3d..3e53349 100644
--- a/test/integration/xpack.yml
+++ b/test/integration/xpack.yml
@@ -49,11 +49,6 @@
         roles:
           - power_user
          - user
-      #testing this shouldn't be impacted through the file call
-      kibana:
-        password: this_wont_be_set
-        roles:
-          - kibana_system
   es_roles:
     file:
       admin:
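Review bot: The `extract_role_users` call now passes no argument, but the filter plugin that defines it is not part of this diff; if its Python signature still declares the reserved-users list as a required positional parameter, this set_fact fails at runtime, so the plugin change needs to land in the same commit. With no arguments the idiomatic Jinja form is `- set_fact: users_roles={{ es_users.file | extract_role_users }}`, without the empty parentheses. The resulting role mapping now covers every user declared under `es_users.file`, which depends on the reserved-user check in elasticsearch-parameters.yml having run first; a short comment saying so here would make that coupling visible.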