diff --git a/guacamole/src/main/webapp/app/manage/controllers/manageUserController.js b/guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
index e4a91db73..7d8397f4c 100644
--- a/guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
+++ b/guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
@@ -36,9 +36,11 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
     var $q                       = $injector.get('$q');
     var authenticationService    = $injector.get('authenticationService');
     var dataSourceService        = $injector.get('dataSourceService');
+    var membershipService        = $injector.get('membershipService');
     var permissionService        = $injector.get('permissionService');
     var requestService           = $injector.get('requestService');
     var schemaService            = $injector.get('schemaService');
+    var userGroupService         = $injector.get('userGroupService');
     var userService              = $injector.get('userService');
 
     /**
@@ -133,6 +135,46 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
      */
     $scope.permissionsRemoved = new PermissionSet();
 
+    /**
+     * The identifiers of all user groups which can be manipulated (all groups
+     * for which the user accessing this interface has UPDATE permission),
+     * either through adding the current user as a member or removing the
+     * current user from that group. If this information has not yet been
+     * retrieved, this will be null.
+     *
+     * @type String[]
+     */
+    $scope.availableGroups = null;
+
+    /**
+     * The identifiers of all user groups of which the user is a member,
+     * taking into account any user groups which will be added/removed when
+     * saved. If this information has not yet been retrieved, this will be
+     * null.
+     *
+     * @type String[]
+     */
+    $scope.parentGroups = null;
+
+    /**
+     * The set of identifiers of all parent user groups to which the user will
+     * be added when saved. Parent groups will only be present in this set if
+     * they are manually added, and not later manually removed before saving.
+     *
+     * @type String[]
+     */
+    $scope.parentGroupsAdded = [];
+
+    /**
+     * The set of identifiers of all parent user groups from which the user
+     * will be removed when saved. Parent groups will only be present in this
+     * set if they are manually removed, and not later manually added before
+     * saving.
+     *
+     * @type String[]
+     */
+    $scope.parentGroupsRemoved = [];
+
     /**
      * For each applicable data source, the management-related actions that the
      * current user may perform on the user account currently being created
@@ -166,6 +208,8 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
         return $scope.users                 !== null
             && $scope.permissionFlags       !== null
             && $scope.managementPermissions !== null
+            && $scope.availableGroups       !== null
+            && $scope.parentGroups          !== null
             && $scope.attributes            !== null;
 
     };
@@ -204,12 +248,14 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
     var loadExistingUser = function loadExistingUser(dataSource, username) {
         return $q.all({
             users : dataSourceService.apply(userService.getUser, dataSources, username),
-            permissions : permissionService.getPermissions(dataSource, username)
+            permissions : permissionService.getPermissions(dataSource, username),
+            parentGroups : membershipService.getUserGroups(dataSource, username)
         })
         .then(function userDataRetrieved(values) {
 
             $scope.users = values.users;
             $scope.user  = values.users[dataSource];
+            $scope.parentGroups = values.parentGroups;
 
             // Create skeleton user if user does not exist
             if (!$scope.user)
@@ -243,12 +289,15 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
     var loadClonedUser = function loadClonedUser(dataSource, username) {
         return $q.all({
             users : dataSourceService.apply(userService.getUser, [dataSource], username),
-            permissions : permissionService.getPermissions(dataSource, username)
+            permissions : permissionService.getPermissions(dataSource, username),
+            parentGroups : membershipService.getUserGroups(dataSource, username)
         })
         .then(function userDataRetrieved(values) {
 
             $scope.users = {};
             $scope.user  = values.users[dataSource];
+            $scope.parentGroups = values.parentGroups;
+            $scope.parentGroupsAdded = values.parentGroups;
 
             // The current user will be associated with cloneSourceUsername in the
             // retrieved permission set
@@ -274,6 +323,7 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
 
         // Use skeleton user object with no associated permissions
         $scope.user = new User();
+        $scope.parentGroups = [];
         $scope.permissionFlags = new PermissionFlagSet();
 
         // As no permissions are yet associated with the user, it is safe to
@@ -314,6 +364,7 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
     $q.all({
         userData    : loadRequestedUser(),
         permissions : dataSourceService.apply(permissionService.getEffectivePermissions, dataSources, currentUsername),
+        userGroups  : userGroupService.getUserGroups($scope.dataSource, [ PermissionSet.ObjectPermissionType.UPDATE ]),
         attributes  : schemaService.getUserAttributes($scope.dataSource)
     })
     .then(function dataReceived(values) {
@@ -326,6 +377,12 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
             // Determine whether data source contains this user
             var exists = (dataSource in $scope.users);
 
+            // Add the identifiers of all modifiable user groups
+            $scope.availableGroups = [];
+            angular.forEach(values.userGroups, function addUserGroupIdentifier(userGroup) {
+                $scope.availableGroups.push(userGroup.identifier);
+            });
+
             // Calculate management actions available for this specific account
             $scope.managementPermissions[dataSource] = ManagementPermissions.fromPermissionSet(
                     values.permissions[dataSource],
@@ -415,9 +472,11 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
                 
             }
 
-            // Upon success, save any changed permissions
-            return permissionService.patchPermissions($scope.dataSource, $scope.user.username,
-                $scope.permissionsAdded, $scope.permissionsRemoved);
+            // Upon success, save any changed permissions/groups
+            return $q.all([
+                permissionService.patchPermissions($scope.dataSource, $scope.user.username, $scope.permissionsAdded, $scope.permissionsRemoved),
+                membershipService.patchUserGroups($scope.dataSource, $scope.user.username, $scope.parentGroupsAdded, $scope.parentGroupsRemoved)
+            ]);
 
         });
 
diff --git a/guacamole/src/main/webapp/app/manage/templates/manageUser.html b/guacamole/src/main/webapp/app/manage/templates/manageUser.html
index bb5cfb388..571f5c874 100644
--- a/guacamole/src/main/webapp/app/manage/templates/manageUser.html
+++ b/guacamole/src/main/webapp/app/manage/templates/manageUser.html
@@ -56,6 +56,17 @@
               permissions-removed="permissionsRemoved">
         </system-permission-editor>
 
+        <!-- Parent group section -->
+        <identifier-set-editor
+            header="MANAGE_USER.SECTION_HEADER_USER_GROUPS"
+            empty-placeholder="MANAGE_USER.HELP_NO_USER_GROUPS"
+            unavailable-placeholder="MANAGE_USER.INFO_NO_USER_GROUPS_AVAILABLE"
+            identifiers-available="availableGroups"
+            identifiers="parentGroups"
+            identifiers-added="parentGroupsAdded"
+            identifiers-removed="parentGroupsRemoved">
+        </identifier-set-editor>
+
         <!-- Connection permissions section -->
         <connection-permission-editor ng-show="managementPermissions[dataSource].canChangePermissions"
               data-data-source="dataSource"
diff --git a/guacamole/src/main/webapp/translations/en.json b/guacamole/src/main/webapp/translations/en.json
index d55e26225..d0eaa9ad7 100644
--- a/guacamole/src/main/webapp/translations/en.json
+++ b/guacamole/src/main/webapp/translations/en.json
@@ -301,13 +301,17 @@
 
         "FIELD_PLACEHOLDER_FILTER" : "@:APP.FIELD_PLACEHOLDER_FILTER",
 
-        "INFO_READ_ONLY" : "Sorry, but this user account cannot be edited.",
+        "HELP_NO_USER_GROUPS" : "This user does not currently belong to any groups. Expand this section to add groups.",
+
+        "INFO_READ_ONLY"                : "Sorry, but this user account cannot be edited.",
+        "INFO_NO_USER_GROUPS_AVAILABLE" : "No groups available.",
 
         "SECTION_HEADER_ALL_CONNECTIONS"     : "All Connections",
         "SECTION_HEADER_CONNECTIONS"         : "Connections",
         "SECTION_HEADER_CURRENT_CONNECTIONS" : "Current Connections",
         "SECTION_HEADER_EDIT_USER"           : "Edit User",
         "SECTION_HEADER_PERMISSIONS"         : "Permissions",
+        "SECTION_HEADER_USER_GROUPS"         : "Groups",
 
         "TEXT_CONFIRM_DELETE" : "Users cannot be restored after they have been deleted. Are you sure you want to delete this user?"