diff --git a/src/users.js b/src/users.js
index 77576965e..39db93576 100644
--- a/src/users.js
+++ b/src/users.js
@@ -479,6 +479,7 @@ function setPassword(userId, newPassword, callback) {
         if (error) return callback(error);
 
         if (settings.isDemo() && user.username === constants.DEMO_USERNAME) return callback(new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode'));
+        if (user.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));
 
         var saltBuffer = Buffer.from(user.salt, 'hex');
         crypto.pbkdf2(newPassword, saltBuffer, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, CRYPTO_DIGEST, function (error, derivedKey) {
@@ -535,6 +536,8 @@ function createInvite(userId, callback) {
     userdb.get(userId, function (error, userObject) {
         if (error) return callback(error);
 
+        if (userObject.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));
+
         userObject.resetToken = hat(256);
 
         userdb.update(userId, userObject, function (error) {
@@ -553,6 +556,7 @@ function sendInvite(userId, options, callback) {
     userdb.get(userId, function (error, userObject) {
         if (error) return callback(error);
 
+        if (userObject.source) return callback(new BoxError(BoxError.CONFLICT, 'User is from an external directory'));
         if (!userObject.resetToken) return callback(new BoxError(BoxError.CONFLICT, 'Must generate resetToken to send invitation'));
 
         mailer.sendInvite(userObject, options.invitor || null);