diff --git a/.kitchen.yml b/.kitchen.yml
index 640af0ac..6af4a3b0 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -37,7 +37,7 @@ platforms:
 suites:
 - name: default
 run_list:
- - recipe[consul::default]
+ - recipe[consul_spec::default]
 attributes:
 consul:
 config: &default-config
@@ -49,7 +49,7 @@ suites:
 encrypt: CGXC2NsXW4AvuB4h5ODYzQ==
 - name: git
 run_list:
- - recipe[consul::default]
+ - recipe[consul_spec::default]
 attributes:
 consul:
 config: *default-config
@@ -59,7 +59,7 @@ suites:
 - windows-2012r2
 - name: webui
 run_list:
- - recipe[consul::default]
+ - recipe[consul_spec::default]
 attributes:
 consul:
 config:
@@ -70,8 +70,6 @@ suites:
 encrypt: CGXC2NsXW4AvuB4h5ODYzQ==
 - name: acl
 run_list:
- - recipe[consul::default]
- - recipe[consul::client_gem]
 - recipe[consul_spec::acl]
 attributes:
 consul:
diff --git a/libraries/consul_definition.rb b/libraries/consul_definition.rb
index a960e92a..3bd69063 100644
--- a/libraries/consul_definition.rb
+++ b/libraries/consul_definition.rb
@@ -49,6 +49,9 @@ def to_json
 owner new_resource.user
 group new_resource.group
 mode '0755'
+ # Prevent clobbering permissions on the directory since the intent
+ # in this context is to set the permissions of the definition file
+ not_if { Dir.exist? path }
 end
 end
diff --git a/test/cookbooks/consul_spec/recipes/acl.rb b/test/cookbooks/consul_spec/recipes/acl.rb
index 7786a3c0..cc94f528 100644
--- a/test/cookbooks/consul_spec/recipes/acl.rb
+++ b/test/cookbooks/consul_spec/recipes/acl.rb
@@ -1,3 +1,6 @@
+include_recipe 'consul_spec::default'
+include_recipe 'consul::client_gem'
+
 package 'curl'
 consul_acl 'anonymous' do
diff --git a/test/cookbooks/consul_spec/recipes/consul_definition.rb b/test/cookbooks/consul_spec/recipes/consul_definition.rb
new file mode 100644
index 00000000..f403fc71
--- /dev/null
+++ b/test/cookbooks/consul_spec/recipes/consul_definition.rb
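Review bot: In libraries/consul_definition.rb, the added `not_if { Dir.exist? path }` makes the directory resource create-only, so the owner, group and `mode '0755'` above it are never enforced on a directory that already exists, including one that is group- or world-writable. That matters because the agent loads the definitions placed in that directory, and the test recipes in this commit show a check definition naming a script for the agent to run. The comment should state which resource is expected to own the directory's permissions, e.g. `# Directory owner/mode are managed elsewhere; only create it here when missing`. It is also worth confirming that `path` inside this block resolves to the directory and not to the definition file, since the resource's opening line is outside the hunk.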
@@ -0,0 +1,22 @@
+
+# The ruby interpreter is guaranteed to exist since it's currently running.
+file "/consul_definition_check.rb" do
+ content (<<-EOF).gsub(/^ */, '')
+ #!#{RbConfig.ruby}
+ exit 0
+ EOF
+ unless node.platform?('windows')
+ owner 'root'
+ mode '0755'
+ end
+end
+
+consul_definition 'consul_definition_check' do
+ type 'check'
+ user 'root'
+ parameters(id: "consul_definition_check",
+ script: '/consul_definition_check.rb',
+ interval: '10s',
+ timeout: '10s')
+ notifies :reload, 'consul_service[consul]', :delayed
+end
diff --git a/test/cookbooks/consul_spec/recipes/consul_watch.rb b/test/cookbooks/consul_spec/recipes/consul_watch.rb
new file mode 100644
index 00000000..ee94f05f
--- /dev/null
+++ b/test/cookbooks/consul_spec/recipes/consul_watch.rb
@@ -0,0 +1,19 @@
+
+# The ruby interpreter is guaranteed to exist since it's currently running.
+file "/consul_watch_handler.rb" do
+ content (<<-EOF).gsub(/^ */, '')
+ #!#{RbConfig.ruby}
+ exit 0
+ EOF
+ unless node.platform?('windows')
+ owner 'root'
+ mode '0755'
+ end
+end
+
+consul_watch 'consul_watch_check' do
+ type 'event'
+ user 'root'
+ parameters(handler: "/consul_watch_handler.rb")
+ notifies :reload, 'consul_service[consul]', :delayed
+end
diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb
index dca3e912..3b62ae52 100644
--- a/test/integration/default/serverspec/default_spec.rb
+++ b/test/integration/default/serverspec/default_spec.rb
@@ -88,4 +88,20 @@
 EOT
 end
 end
-end
\ No newline at end of file
+end
+
+describe file("#{confd_dir}/consul_definition_check.json") do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'consul' }
+
+ it { should be_mode 640 }
+end
+
+describe file("#{confd_dir}/consul_watch_check.json") do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'consul' }
+
+ it { should be_mode 640 }
+end
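Review bot: In test/cookbooks/consul_spec/recipes/consul_definition.rb the `unless node.platform?('windows')` guard covers only the script file's `owner` and `mode`, while the `consul_definition` below it still sets `user 'root'` and points at a POSIX path with a shebang, so the recipe is not Windows-safe despite the guard. Either drop the guard or skip the whole recipe there with `return if node.platform?('windows')` at the top. A one-line comment that the script is root-owned and not writable by the agent's user, because the agent executes it, would record why `owner` and `mode` are pinned. The same pattern is repeated in recipes/consul_watch.rb.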
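Review bot: The new serverspec blocks in default_spec.rb check the two definition files but never the `confd_dir` directory itself, which is what the `not_if` guard added in libraries/consul_definition.rb is meant to leave untouched. Add a `describe file(confd_dir)` block asserting `be_directory` together with the owner, group and mode the directory is expected to keep, so a regression that re-clobbers or loosens it is caught. The two added blocks differ only in the file name and could be generated from `%w[consul_definition_check consul_watch_check].each`.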
diff --git a/test/spec/libraries/consul_definition_spec.rb b/test/spec/libraries/consul_definition_spec.rb
index 95ef6fea..b7c4978c 100644
--- a/test/spec/libraries/consul_definition_spec.rb
+++ b/test/spec/libraries/consul_definition_spec.rb
@@ -16,6 +16,7 @@
 recipe do
 consul_definition 'redis' do
 type 'service'
+ user 'root'
 parameters(tags: %w{master}, address: '127.0.0.1', port: 6379, interval: '10s')
 end
 end
@@ -23,7 +24,7 @@
 it { is_expected.to create_directory('/etc/consul/conf.d') }
 it do
 is_expected.to create_file('/etc/consul/conf.d/redis.json')
- .with(user: 'consul', group: 'consul', mode: '0640')
+ .with(user: 'root', group: 'consul', mode: '0640')
 .with(content: JSON.pretty_generate(
 service: {
 tags: ['master'],
@@ -40,6 +41,7 @@
 recipe do
 consul_definition 'redis' do
 type 'service'
+ user 'root'
 parameters(name: 'myredis', tags: %w{master}, address: '127.0.0.1', port: 6379, interval: '10s')
 end
 end
@@ -47,7 +49,7 @@
 it { is_expected.to create_directory('/etc/consul/conf.d') }
 it do
 is_expected.to create_file('/etc/consul/conf.d/redis.json')
- .with(user: 'consul', group: 'consul', mode: '0640')
+ .with(user: 'root', group: 'consul', mode: '0640')
 .with(content: JSON.pretty_generate(
 service: {
 name: 'myredis',
@@ -64,6 +66,7 @@
 recipe do
 consul_definition 'web-api' do
 type 'check'
+ user 'root'
 parameters(http: 'http://localhost:5000/health', ttl: '30s')
 end
 end
@@ -71,7 +74,7 @@
 it { is_expected.to create_directory('/etc/consul/conf.d') }
 it do
 is_expected.to create_file('/etc/consul/conf.d/web-api.json')
- .with(user: 'consul', group: 'consul', mode: '0640')
+ .with(user: 'root', group: 'consul', mode: '0640')
 .with(content: JSON.pretty_generate(
 check: {
 http: 'http://localhost:5000/health',
diff --git a/test/spec/libraries/consul_watch_spec.rb b/test/spec/libraries/consul_watch_spec.rb
index 6d8f9f7c..2cfbd0b5 100644
--- a/test/spec/libraries/consul_watch_spec.rb
+++ b/test/spec/libraries/consul_watch_spec.rb
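Review bot: With every example in consul_definition_spec.rb now passing `user 'root'`, nothing asserts the resource's default file owner any more; the removed expectations suggest it was `consul`. Keep at least one example without `user` so a change to that default is caught. Separately, ChefSpec evaluates block guards on the machine running the specs, so `create_directory('/etc/consul/conf.d')` in the hunks at -23, -47 and -71 will presumably fail wherever that directory already exists, now that the resource carries `not_if { Dir.exist? path }`. Stubbing the check for that path, e.g. `allow(Dir).to receive(:exist?).and_call_original` followed by `allow(Dir).to receive(:exist?).with('/etc/consul/conf.d').and_return(false)`, keeps the spec host-independent.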
@@ -16,6 +16,7 @@
 recipe do
 consul_watch 'foo' do
 type 'key'
+ user 'root'
 parameters(key: 'foo/bar/baz', handler: '/bin/false')
 end
 end
@@ -23,7 +24,7 @@
 it { is_expected.to create_directory('/etc/consul/conf.d') }
 it do
 is_expected.to create_file('/etc/consul/conf.d/foo.json')
- .with(user: 'consul', group: 'consul', mode: '0640')
+ .with(user: 'root', group: 'consul', mode: '0640')
 .with(content: JSON.pretty_generate(
 {
 watches: [