diff --git a/base/univention-system-activation/scripts/univention-system-activation b/base/univention-system-activation/scripts/univention-system-activation
index ab7427e..577a2ae 100755
--- a/base/univention-system-activation/scripts/univention-system-activation
+++ b/base/univention-system-activation/scripts/univention-system-activation
@@ -29,20 +29,21 @@
 # /usr/share/common-licenses/AGPL-3; if not, see
 # <http://www.gnu.org/licenses/>.
 
+UCR=()
+
 function ucr_string(){
-	string=""
+	UCR=()
 	for service in "gdm" "kdm" "login" "other" "sshd"; do
-		for user in "group/Administrators" "group/Domain_Admins" "user/root"; do
-			string="$string auth/$service/$user$1"
+		for user in "group/Administrators" "group/Domain Admins" "user/root"; do
+			UCR[${#UCR[@]}]="auth/$service/$user$1"
 		done
 	done
-	string="$string auth/sudo$1"
-	echo $string > /root/log
-	echo $string
+	UCR[${#UCR[@]}]="auth/sudo$1"
 }
 
 function allow_root_login() {
-	ucr unset --force $(ucr_string "")
+	ucr_string ""
+	ucr unset --force "${UCR[@]}"
 
 	# reset su restrictions
 	ucr unset --force auth/su/restrict \
@@ -51,12 +52,14 @@ function allow_root_login() {
 	# set to the default values, these values are not set
 	# during the pam installation, because they were set
 	# in the force layer
-	ucr set $(ucr_string "?yes")
+	ucr_string "?yes"
+	ucr set "${UCR[@]}"
 }
 
 function restrict_root_login() {
 	# disallow root login
-	ucr set --force $(ucr_string "=no")
+	ucr_string "=no"
+	ucr set --force "${UCR[@]}"
 
 	# disallow su
 	ucr set --force auth/su/restrict=yes \