diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index 22a4d861..d19d789e 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -44,14 +44,29 @@ let
 fi
 '';
+ oldBuildUsers = ''
+ if dscl . -list /Users | grep -q '^nixbld'; then
+ echo "warning: Detected old style nixbld users" >&2
+ echo "These can cause migration problems when upgrading to certain macOS versions" >&2
+ echo "Running the installer again will remove and recreate the users in a way that avoids these problems" >&2
+ echo >&2
+ echo "$ darwin-install" >&2
+ echo >&2
+ echo "or enable to automatically manage the users" >&2
+ echo >&2
+ echo " users.nix.configureBuildUsers = true;" >&2
+ echo >&2
+ fi
+ '';
+
 buildUsers = ''
 buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
 if [ -z $buildUser ]; then
 echo "error: Using the nix-daemon requires build users, aborting activation" >&2
 echo "Create the build users or disable the daemon:" >&2
- echo "$ ./bootstrap -u" >&2
+ echo "$ darwin-install" >&2
 echo >&2
- echo "or set" >&2
+ echo "or set (this requires some manual intervention to restore permissions)" >&2
 echo >&2
 echo " services.nix-daemon.enable = false;" >&2
 echo >&2
@@ -200,6 +215,7 @@ in
 system.checks.text = mkMerge [
 darwinChanges
 runLink
+ oldBuildUsers
 (mkIf config.nix.useDaemon buildUsers)
 (mkIf (!config.nix.useDaemon) singleUser)
 nixStore
diff --git a/modules/users/nixbld/default.nix b/modules/users/nixbld/default.nix
index ca098800..8dadd562 100644
--- a/modules/users/nixbld/default.nix
+++ b/modules/users/nixbld/default.nix
@@ -13,9 +13,9 @@ let
 mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers;
 buildUsers = mkUsers (i: {
- name = "nixbld${toString i}";
- uid = 30000 + i;
- gid = 30000;
+ name = "_nixbld${toString i}";
+ uid = 300 + i;
+ gid = 300;
 description = "Nix build user ${toString i}";
 });
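Review bot: The `oldBuildUsers` check defines "old style" only through the pattern in `grep -q '^nixbld'`, and nothing next to it says that this is deliberate or what the new naming is. A comment above the binding would keep the pattern in step with the users module, for example `# old-style build users are named nixbld<N>; modules/users/nixbld now creates _nixbld<N>, which this pattern must not match`. The second remedy line is also missing its object; `echo "or enable the following option to manage the users automatically" >&2` reads more clearly.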
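Review bot: `uid = 300 + i` moves the build users into the sub-500 range that macOS uses for its own service accounts, and nothing visible in this hunk checks that 301 up to 300 + nrBuildUsers are free on the host. If one of those IDs already belongs to another account, a build user would share its identity and the separation the build users provide is lost, so an activation check that stops when a target UID is owned by a different name would be worth adding. The `nixbld` group definition lies outside the hunk; confirm its gid is changed to match `gid = 300`, otherwise the users' primary group would not resolve. A short comment such as `# system-range IDs; must not overlap accounts macOS creates` on the constants would record the constraint.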
@@ -52,7 +52,7 @@ in
 assertions = [
 { assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
- { assertion = elem "nixbld1" cfg.knownUsers -> elem "nixbld1" createdUsers; message = "refusing to delete user nixbld1 in users.knownUsers, this would break nix"; }
+ { assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
 { assertion = cfg.groups ? "nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
 ];
@@ -60,7 +60,10 @@ in
 users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers);
 users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ];
- users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkUsers (i: "nixbld${toString i}"));
+ users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [
+ (mkUsers (i: "_nixbld${toString i}"))
+ (mkUsers (i: "nixbld${toString i}")) # delete old style nixbld users
+ ]);
 };
 }
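Review bot: The cleanup entry `(mkUsers (i: "nixbld${toString i}"))` covers only nixbld1 through nixbld<nrBuildUsers> and selects accounts by name alone. A host created with more old-style users than the current `nrBuildUsers` keeps the extras, so the `^nixbld` warning added in checks.nix would presumably keep firing even after `configureBuildUsers` is enabled. The comment should state that limit, e.g. `# delete old style nixbld users (only 1..nrBuildUsers; remove any others by hand)`. The `nixbld` group's member list is not part of this diff; confirm it names the `_nixbld` users, because the `buildUsers` check in checks.nix reads `GroupMembership` of that group.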