Index: server/test/ome/server/itests/AbstractManagedContextTest.java =================================================================== --- server/test/ome/server/itests/AbstractManagedContextTest.java (revision 1027) +++ server/test/ome/server/itests/AbstractManagedContextTest.java (working copy) @@ -22,6 +22,7 @@ import ome.api.local.LocalQuery; import ome.api.local.LocalUpdate; import ome.model.meta.Experimenter; +import ome.model.meta.ExperimenterGroup; import ome.security.SecuritySystem; import ome.system.OmeroContext; import ome.system.Principal; @@ -112,7 +113,12 @@ e.setFirstName("New"); e.setLastName("User"); e.setOmeName(uuid); - iAdmin.createUser(e); + e = new Experimenter( iAdmin.createUser(e), false ); + ExperimenterGroup g = new ExperimenterGroup(); + g.setName(uuid); + g = new ExperimenterGroup( iAdmin.createGroup(g), false ); + iAdmin.addGroups(e,g); + iAdmin.setDefaultGroup(e, g); loginUser(uuid); } Index: server/src/ome/security/basic/BasicSecuritySystem.java =================================================================== --- server/src/ome/security/basic/BasicSecuritySystem.java (revision 1032) +++ server/src/ome/security/basic/BasicSecuritySystem.java (working copy) @@ -69,6 +69,7 @@ import ome.model.meta.ExperimenterGroup; import ome.model.meta.ExternalInfo; import ome.model.meta.GroupExperimenterMap; +import ome.parameters.Parameters; import ome.security.ACLVoter; import ome.security.AdminAction; import ome.security.SecureAction; @@ -1032,7 +1033,8 @@ } } - private Principal clearAndCheckPrincipal() { + private Principal clearAndCheckPrincipal() + { // clear even if this fails. (make SecuritySystem unusable) cd.clear(); 
@@ -1053,6 +1055,35 @@ if (p.getEventType() == null) throw new InternalException( "Principal.eventType is null in EventContext. Security system failure."); + + // ticket:404 -- preventing users from logging into "user" group + if ( roles.getUserGroupName().equals( p.getGroup() )) + { + List groups = + sf.getQueryService().findAllByQuery( + "select g from ExperimenterGroup g " + + "join g.groupExperimenterMap as m " + + "join m.child as u " + + "where g.name != :userGroup and " + + "u.omeName = :userName", + new Parameters() + .addString("userGroup",roles.getUserGroupName()) + .addString("userName", p.getName())); + + if ( groups.size() != 1 ) + { + throw new SecurityViolation(String.format( + "User %s attempted to login to user group \"%s\". When " + + "doing so, there must be EXACTLY one default group for " + + "that user and not %d", p.getName(), + roles.getUserGroupName(), groups.size())); + } + + final Principal updated = new Principal( + p.getName(),groups.get(0).getName(),p.getEventType()); + principalHolder.set( p ); + return updated; + } return p; } Index: server/src/ome/tools/hibernate/HibernateUtils.java =================================================================== --- server/src/ome/tools/hibernate/HibernateUtils.java (revision 1027) +++ server/src/ome/tools/hibernate/HibernateUtils.java (working copy) 
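Review bot: In the new ticket:404 branch, `principalHolder.set( p );` stores the original principal, whose group is still the user group, while the method returns `updated`; any later read of the holder would presumably still see the "user" group that this check is meant to rule out. If the intent is to replace the held principal, the line should be `principalHolder.set( updated );`. Separately, the query counts every non-user group the user belongs to rather than a default group, so the exception text ("EXACTLY one default group") does not match the condition and a user with two memberships is rejected; a comment stating that rule above the `groups.size() != 1` test would help. clearAndCheckPrincipal begins before this hunk.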
@@ -166,16 +166,23 @@ if ( t.isCollectionType() && null == currentState[i] ) { Object previous = previousState[i]; - if ( ! (previous instanceof Collection) ) // implies not null + if ( previous == null ) { + // ignore. If the system gave it to us, it can handle it. + } + else if ( ! (previous instanceof Collection) ) + { throw new InternalException(String.format( "Invalid collection found for null " + "field %s in previous state for %s", propertyNames[i],entity)); } - log("Copying nulled collection ",propertyNames[i]); - Collection copy = copy(((PersistentCollection)previous)); - persister.setPropertyValue(entity,i,copy,source.getEntityMode()); + else + { + log("Copying nulled collection ",propertyNames[i]); + Collection copy = copy(((PersistentCollection)previous)); + persister.setPropertyValue(entity,i,copy,source.getEntityMode()); + } } } } Index: client/build.xml =================================================================== --- client/build.xml (revision 1033) +++ client/build.xml (working copy) @@ -56,4 +56,23 @@ + + + if (properties["omero.rootpass"]==null) ant.fail("No root password defined. See etc/local.properties"); + e = new ome.model.meta.Experimenter() + g = new ome.model.meta.ExperimenterGroup() + user = System.getProperty("user.name") + println "Please enter login name: [${user}]" + e.omeName = System.in.readLine() + if (e.omeName == null || e.omeName.length() == 0) e.omeName = user + println "Please enter target group:" + g.name = System.in.readLine() + l = new ome.system.Login("root",properties["omero.rootpass"]) + sf = new ome.system.ServiceFactory(l) + e = sf.getQueryService().findByExample(e) + g = sf.getQueryService().findByExample(g) + sf.getAdminService().addGroups(e,[g] as Object[]) + + +
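Review bot: The middle branch tests `previous instanceof Collection`, but the final `else` casts to `PersistentCollection`, so a plain Collection in previousState passes the check and fails with a ClassCastException instead of the InternalException; testing `! (previous instanceof PersistentCollection)` would keep the guard and the cast in step. The new `previous == null` branch is an empty block; a `log("Skipping null previous collection ",propertyNames[i]);` there would leave a trace when a nulled collection is not restored. The enclosing loop and method start outside the hunk.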
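Review bot: The results of the two `findByExample` calls are passed to `addGroups` without a check, and the script runs under the root login, so an unknown login name or group name reaches the admin service as null. Unlike the login name, the group prompt has no empty-input handling; an example object with no name set may match more broadly than intended (this depends on findByExample, which is not visible here). Suggest `if (!g.name) ant.fail("No target group given")` after the prompt and `if (e == null || g == null) ant.fail("User or group not found")` before `addGroups`. The surrounding target markup is not visible in this hunk.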