diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index e0155d7b86fd6c5077c7d933dcdc9acbe29c3894..5c5c7aecd5038c8603c3cb48614ef306f965bd3f 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -110,9 +110,23 @@ class Users_Save_Action extends Vtiger_Save_Action {
 	}
 
 	protected function checkRestrictedValueChange(Vtiger_Request $request) {
+		// NOTE: to be repeated in SaveAjax.php
+
 		if ($request->has('user_name') || $request->has('user_password') || $request->has('accesskey') ) {
 			// should use separate actions.
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+		}
+
+		if ($request->get('field', "") == "status" || $request->has("status")) {
+			$currentUserModel = Users_Record_Model::getCurrentUserModel();
+			// only admin (not self) can change status.
+			if (!$currentUserModel->isAdminUser()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
+			$recordId = $request->get('record');
+			if ($recordId == $currentUserModel->getId()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
 		}
 	}
 
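Review bot: The self-check `$recordId == $currentUserModel->getId()` compares a raw request value with loose `==`, so whether it matches depends on PHP's string/number juggling rather than on the record the save will actually load. If the code that later loads the record normalises `record` differently (not visible in this hunk), a value that fails this comparison could still resolve to the current user's own record. Assuming record ids are integers, normalising both sides first makes the guard independent of input formatting: `if ((int) $recordId === (int) $currentUserModel->getId()) {`. The same line appears in the SaveAjax.php hunk, and the `field` test above it could likewise use `===`.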
diff --git a/modules/Users/actions/SaveAjax.php b/modules/Users/actions/SaveAjax.php
index e136a1c8abe2c8a4a3efe0b639965c33b2df66ab..485a092d34a9e622802b1122d23919178f3ce2f1 100644
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -44,14 +44,29 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	}
 
 	protected function checkRestrictedValueChange(Vtiger_Request $request) {
+		// NOTE: to be repeated in Save.php
+		
 		if ($request->has('user_name') || $request->has('user_password') || $request->has('accesskey') ) {
 			// should use separate actions.
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
 		}
 		if ($request->has('field') && in_array($request->get('field'), array('user_name', 'user_password', 'accesskey'))) {
 			// should use separate actions.
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
 		}
+
+		if ($request->get('field', "") == "status" || $request->has("status")) {
+			$currentUserModel = Users_Record_Model::getCurrentUserModel();
+			// only admin (not self) can change status.
+			if (!$currentUserModel->isAdminUser()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
+			$recordId = $request->get('record');
+			if ($recordId == $currentUserModel->getId()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
+		}
+
 	}
 	
 	public function process(Vtiger_Request $request) {
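Review bot: The comment `// NOTE: to be repeated in Save.php` shows that this permission check is maintained by copy-paste, and the two copies already differ. This file also rejects `field` values of `user_name`, `user_password` and `accesskey`, while the Save.php copy only tests `$request->has(...)` for those names. For an authorization check, this kind of drift can leave one entry point weaker than the other. Consider moving the body into one shared method that both actions call, and replacing the NOTE with a docblock that states the rule, e.g. `/** Rejects credential fields and non-admin or self status changes; throws AppException. */`. process() continues outside the hunk.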