diff --git a/src/routes/test/user-test.js b/src/routes/test/user-test.js
index b5f8fe570..83848a1d9 100644
--- a/src/routes/test/user-test.js
+++ b/src/routes/test/user-test.js
@@ -271,6 +271,16 @@ describe('User API', function () {
 });
 });
+ it('remove itself from admins fails', function (done) {
+ superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/set_groups')
+ .query({ access_token: token })
+ .send({ groupIds: [ 'somegroupid' ] })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(403);
+ done();
+ });
+ });
+
 it('create user missing username fails', function (done) {
 superagent.post(SERVER_URL + '/api/v1/users')
 .query({ access_token: token })
diff --git a/src/routes/user.js b/src/routes/user.js
index ff2164e2d..4282a2308 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -230,6 +230,9 @@ function setGroups(req, res, next) {
 if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
+ // this route is only allowed for admins, so req.user has to be an admin
+ if (req.user.id === req.params.userId && req.body.groupIds.indexOf(groups.ADMIN_GROUP_ID) === -1) return next(new HttpError(403, 'Admin removing itself from admins is not allowed'));
+
 user.setGroups(req.params.userId, req.body.groupIds, function (error) {
 if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'One or more groups not found'));
 if (error && error.reason === UserError.NOT_ALLOWED) return next(new HttpError(403, 'Last admin'));
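Review bot: The `expect(res.statusCode).to.equal(403)` in the new test cannot distinguish the self-demotion guard from the pre-existing 403 that the route already returns for `UserError.NOT_ALLOWED` ('Last admin'), so the test can stay green even if the new check is removed. Asserting the message as well would pin the intended branch, e.g. `expect(res.body.message).to.equal('Admin removing itself from admins is not allowed');`, assuming HttpError's message is surfaced in the response body the way other tests in this file check it. The request also addresses the target as `USERNAME_0` while the guard compares against `req.user.id`; if that constant is a username rather than the id, the test is not hitting the new comparison at all, so it is worth confirming which identifier the path takes. The enclosing `describe('User API', ...)` block starts and ends outside this hunk.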
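Review bot: The new guard compares `req.user.id` with `req.params.userId` as raw strings, so it only holds if the path parameter is always the same identifier as `req.user.id`; the companion test addresses the user as `USERNAME_0`, and if that segment can be a username (or any alias that resolves to the same account), an admin could still strip its own admin membership through that alternative spelling. If the route does accept more than one identifier form, the safer shape is to resolve the target to its id before the comparison (or let `user.setGroups` enforce the self-demotion rule next to its existing 'Last admin' check, where the resolved record is available), and to say so in the comment, e.g. `// userId is the user's id, not the username; this check relies on that`. The comment's premise that the route is admin-only is enforced elsewhere, not in this hunk, so it reads as an assumption rather than a guarantee here. `setGroups`'s signature and the rest of the `user.setGroups` callback lie outside the hunk.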