diff --git a/apache/vhosts/standard.sls b/apache/vhosts/standard.sls
index 0480a26fb0b905a8b913da8f3b854b850e1531cc..678f3deeca8a6e28af6ecd96a7e4957a282d994b 100644
--- a/apache/vhosts/standard.sls
+++ b/apache/vhosts/standard.sls
@@ -26,12 +26,8 @@ include:
   file.directory:
     - name: {{ documentroot }}
     - makedirs: True
-{% if site.get('DocumentRootUser') %}
-    - user: {{ site.DocumentRootUser }}
-{% endif %}
-{% if site.get('DocumentRootGroup') %}
-    - group: {{ site.DocumentRootGroup }}
-{% endif %}
+    - user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json }}
+    - group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json }}
     - allow_symlink: True
 {% endif %}
 
diff --git a/pillar.example b/pillar.example
index 9d8330bfa2e00c63a6035425367a3b54cfad1af7..5eb5cf25e72fc6555d026f4df3ed3f09ee6f7e59 100644
--- a/pillar.example
+++ b/pillar.example
@@ -26,6 +26,11 @@ apache:
     # Default value for AddDefaultCharset in RedHat configuration
     default_charset: 'UTF-8'
 
+    # Should we enforce DocumentRoot user/group?
+    # Default: do not enforce
+    document_root_user: www-data   # Force user if specified, leave it default if not
+    document_root_group: null      # Do not enforce group
+
   global:
     # global apache directives
     AllowEncodedSlashes: 'On'
@@ -71,8 +76,8 @@ apache:
       CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
 
       DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
-      DocumentRootUser: www-data   # Force user if specified, leave it default if not
-      DocumentRootGroup: www-data  # Force group if specified, leave it default if not
+      DocumentRootUser: null       # do not enforce user, defaults to lookup:document_root_user
+      DocumentRootGroup: www-data  # Force group, defaults to lookup:document_root_group
 
       SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file