diff --git a/apache/vhosts/standard.sls b/apache/vhosts/standard.sls
index 5ccd137df9be11802aa5eb90a1d8d7a5d4b40b5c..678f3deeca8a6e28af6ecd96a7e4957a282d994b 100644
--- a/apache/vhosts/standard.sls
+++ b/apache/vhosts/standard.sls
@@ -24,9 +24,10 @@ include:
 {% if site.get('DocumentRoot') != False %}
 {{ id }}-documentroot:
   file.directory:
-    - unless: test -d {{ documentroot }}
     - name: {{ documentroot }}
     - makedirs: True
+    - user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json }}
+    - group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json }}
     - allow_symlink: True
 {% endif %}
 
diff --git a/pillar.example b/pillar.example
index d14304fb9f9cecbbdf7b52ed0cf438d939f3b2b9..5eb5cf25e72fc6555d026f4df3ed3f09ee6f7e59 100644
--- a/pillar.example
+++ b/pillar.example
@@ -26,6 +26,11 @@ apache:
     # Default value for AddDefaultCharset in RedHat configuration
     default_charset: 'UTF-8'
 
+    # Should we enforce DocumentRoot user/group?
+    # Default: do not enforce
+    document_root_user: www-data   # Force user if specified, leave it default if not
+    document_root_group: null      # Do not enforce group
+
   global:
     # global apache directives
     AllowEncodedSlashes: 'On'
@@ -71,6 +76,8 @@ apache:
       CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
 
       DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
+      DocumentRootUser: null       # do not enforce user, defaults to lookup:document_root_user
+      DocumentRootGroup: www-data  # Force group, defaults to lookup:document_root_group
 
       SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file