diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index b79941ed..27c2c30c 100644
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -23,13 +23,9 @@ def get_default_roles():
             'name': 'admin',
             'description': 'Admin privileges (currently can do everything)',
             'scopes': [
-                'all',
-                'users',
-                'users:servers',
-                'users:tokens',
                 'admin:users',
                 'admin:users:servers',
-                'groups',
+                'users:tokens',
                 'admin:groups',
                 'read:services',
                 'read:hub',
@@ -87,6 +83,7 @@ def _get_scope_hierarchy():
     scopes = {
         'self': None,
         'all': None,
+        'admin:users': ['admin:users:auth_state', 'users'],
         'users': ['read:users', 'users:activity'],
         'read:users': [
             'read:users:name',
@@ -95,12 +92,11 @@ def _get_scope_hierarchy():
         ],
         'users:activity': ['read:users:activity'],
         'users:tokens': ['read:users:tokens'],
-        'admin:users': ['admin:users:auth_state'],
-        'admin:users:servers': ['admin:users:server_state'],
-        'groups': ['read:groups'],
+        'admin:users:servers': ['admin:users:server_state', 'users:servers'],
         'users:servers': ['read:users:servers'],
         'read:users:servers': ['read:users:name'],
-        'admin:groups': None,
+        'admin:groups': ['groups'],
+        'groups': ['read:groups'],
         'read:services': None,
         'read:hub': None,
         'proxy': None,
diff --git a/jupyterhub/tests/test_roles.py b/jupyterhub/tests/test_roles.py
index 3ef14a0d..f7b644fb 100644
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -177,6 +177,19 @@ def test_orm_roles_delete_cascade(db):
 @mark.parametrize(
     "scopes, subscopes",
     [
+        (
+            ['admin:users'],
+            {
+                'admin:users',
+                'admin:users:auth_state',
+                'users',
+                'read:users',
+                'users:activity',
+                'read:users:name',
+                'read:users:groups',
+                'read:users:activity',
+            },
+        ),
         (
             ['users'],
             {
@@ -198,7 +211,7 @@ def test_orm_roles_delete_cascade(db):
             },
         ),
         (['read:users:servers'], {'read:users:servers', 'read:users:name'}),
-        (['admin:groups'], {'admin:groups'}),
+        (['admin:groups'], {'admin:groups', 'groups', 'read:groups'}),
         (
             ['users:tokens!group=hobbits'],
             {'users:tokens!group=hobbits', 'read:users:tokens!group=hobbits'},