diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index e466a7798..5078ae263 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,6 @@
 # Release Notes for User Sync Tool Version 2.2.1
 
-These notes apply to v2.2.1rc1 of 2017-08-28.
+These notes apply to v2.2.1 of 2017-08-30.
 
 ## New Features
 
@@ -9,16 +9,20 @@ These notes apply to v2.2.1rc1 of 2017-08-28.
 * a `str` (or `unicode` in py2) if the attribute has one value;
 * a `list` of `str` (or `unicode` in py2) if the attribute has multiple values.
 
+[#268](https://github.com/adobe-apiplatform/user-sync.py/issues/268): To make sure users get all the right overlapping entitlements associated with mapped user groups, `--strategy push` now does group removals before group adds.
+
 ## Bug Fixes
 
 [#257](https://github.com/adobe-apiplatform/user-sync.py/issues/257): Catch exceptions thrown by umapi-client when creating actions.
 
-[#258](https://github.com/adobe-apiplatform/user-sync.py/issues/258): Correctly decrypte private keys in py3.
+[#258](https://github.com/adobe-apiplatform/user-sync.py/issues/258): Correctly decrypt private keys in py3.
 
 [#260](https://github.com/adobe-apiplatform/user-sync.py/issues/260): Make sure the requests library is loaded when using pex on Windows.
 
 [#265](https://github.com/adobe-apiplatform/user-sync.py/issues/265): Extended attributes in extensions couldn't be fetched unless they had non-ascii names.
 
+[#269](https://github.com/adobe-apiplatform/user-sync.py/issues/269): When using `--strategy sync`, new users created in secondary organizations were not being added to any groups.
+
 ## Compatibility with Prior Versions
 
 There are no functional changes from prior versions.
diff --git a/tests/rules_test.py b/tests/rules_test.py
index 9def2a93d..d04840536 100644
--- a/tests/rules_test.py
+++ b/tests/rules_test.py
@@ -155,21 +155,21 @@ def mock_load_users_and_groups(groups=None, extended_attributes=None, all_users=
         user = everybody[0]
         commands = tests.helper.create_umapi_commands(user)
         commands.add_user(self.create_user_attributes_for_commands(user, rule_options['update_user_info']))
-        commands.add_groups(set([primary_group_11]))
         commands.remove_groups(set([primary_group_21]))
+        commands.add_groups(set([primary_group_11]))
         expected_primary_commands_list.append(commands)
 
         user = everybody[1]
         commands = tests.helper.create_umapi_commands(user)
         commands.add_user(self.create_user_attributes_for_commands(user, rule_options['update_user_info']))
-        commands.add_groups(set([primary_group_21]))
         commands.remove_groups(set([primary_group_11]))
+        commands.add_groups(set([primary_group_21]))
         expected_primary_commands_list.append(commands)
 
         user = everybody[2]
         commands = tests.helper.create_umapi_commands(user)
-        commands.add_user(self.create_user_attributes_for_commands(user, rule_options['update_user_info']))
         commands.remove_groups(set([primary_group_11, primary_group_21]))
+        commands.add_user(self.create_user_attributes_for_commands(user, rule_options['update_user_info']))
         expected_primary_commands_list.append(commands)
 
         expected_secondary_commands_list = []
diff --git a/user_sync/rules.py b/user_sync/rules.py
index 2bd146179..ad759d6f6 100644
--- a/user_sync/rules.py
+++ b/user_sync/rules.py
@@ -647,10 +647,10 @@ def add_umapi_user(self, user_key, groups_to_add, umapi_connectors):
         self.action_summary['adobe_users_created'] += 1
         primary_commands.add_user(attributes)
         if manage_groups:
-            primary_commands.add_groups(groups_to_add)
             if doing_push:
                 groups_to_remove = self.get_umapi_info(PRIMARY_UMAPI_NAME).get_mapped_groups() - groups_to_add
                 primary_commands.remove_groups(groups_to_remove)
+            primary_commands.add_groups(groups_to_add)
         umapi_connectors.get_primary_connector().send_commands(primary_commands)
         # add the user to secondaries, maybe with groups
         attributes['option'] = 'ignoreIfAlreadyExists'  # can only update in the owning org
@@ -662,10 +662,11 @@ def add_umapi_user(self, user_key, groups_to_add, umapi_connectors):
                 self.logger.info('Adding directory user to %s with user key: %s', umapi_name, user_key)
                 secondary_commands = self.create_commands_from_directory_user(directory_user, identity_type)
                 secondary_commands.add_user(attributes)
-                if manage_groups and doing_push:
+                if manage_groups:
+                    if doing_push:
+                        groups_to_remove = secondary_umapi_info.get_mapped_groups() - groups_to_add
+                        secondary_commands.remove_groups(groups_to_remove)
                     secondary_commands.add_groups(groups_to_add)
-                    groups_to_remove = secondary_umapi_info.get_mapped_groups() - groups_to_add
-                    secondary_commands.remove_groups(groups_to_remove)
                 umapi_connector.send_commands(secondary_commands)
 
     def update_umapi_user(self, umapi_info, user_key, umapi_connector,
diff --git a/user_sync/version.py b/user_sync/version.py
index 509e6f24e..6e911ff7c 100644
--- a/user_sync/version.py
+++ b/user_sync/version.py
@@ -18,4 +18,4 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-__version__ = '2.2.1rc1'
+__version__ = '2.2.1'