diff --git a/internal/db/user.go b/internal/db/user.go
index f2b6635a..9e8ee3fc 100644
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -2,6 +2,7 @@ package db
 
 import (
 	"encoding/base64"
+	"fmt"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/go-webauthn/webauthn/webauthn"
@@ -140,3 +141,13 @@ func UpdateUserBasePathPrefix(oldPath, newPath string) ([]string, error) {
 
 	return modifiedUsernames, nil
 }
+
+func CountUsersByRoleAndEnabledExclude(roleID uint, excludeUserID uint) (int64, error) {
+	var count int64
+	jsonValue := fmt.Sprintf("[%d]", roleID)
+	err := db.Model(&model.User{}).
+		Where("disabled = ? AND id != ?", false, excludeUserID).
+		Where("JSON_CONTAINS(role, ?)", jsonValue).
+		Count(&count).Error
+	return count, err
+}
diff --git a/internal/op/role.go b/internal/op/role.go
index e0f2dc75..b312f8c7 100644
--- a/internal/op/role.go
+++ b/internal/op/role.go
@@ -97,8 +97,12 @@ func UpdateRole(r *model.Role) error {
 	if err != nil {
 		return err
 	}
-	if old.Name == "admin" || old.Name == "guest" {
+	switch old.Name {
+	case "admin":
 		return errs.ErrChangeDefaultRole
+
+	case "guest":
+		r.Name = "guest"
 	}
 	for i := range r.PermissionScopes {
 		r.PermissionScopes[i].Path = utils.FixAndCleanPath(r.PermissionScopes[i].Path)
diff --git a/internal/op/user.go b/internal/op/user.go
index 30b9d0e6..942daae6 100644
--- a/internal/op/user.go
+++ b/internal/op/user.go
@@ -165,3 +165,11 @@ func DelUserCache(username string) error {
 	userCache.Del(username)
 	return nil
 }
+
+func CountEnabledAdminsExcluding(userID uint) (int64, error) {
+	adminRole, err := GetRoleByName("admin")
+	if err != nil {
+		return 0, err
+	}
+	return db.CountUsersByRoleAndEnabledExclude(adminRole.ID, userID)
+}
diff --git a/server/handles/role.go b/server/handles/role.go
index 1bf7d499..0d071c9f 100644
--- a/server/handles/role.go
+++ b/server/handles/role.go
@@ -66,9 +66,13 @@ func UpdateRole(c *gin.Context) {
 		common.ErrorResp(c, err, 500, true)
 		return
 	}
-	if role.Name == "admin" || role.Name == "guest" {
+	switch role.Name {
+	case "admin":
 		common.ErrorResp(c, errs.ErrChangeDefaultRole, 403)
 		return
+
+	case "guest":
+		req.Name = "guest"
 	}
 	if err := op.UpdateRole(&req); err != nil {
 		common.ErrorResp(c, err, 500, true)
diff --git a/server/handles/user.go b/server/handles/user.go
index b729d117..d5eebba4 100644
--- a/server/handles/user.go
+++ b/server/handles/user.go
@@ -83,9 +83,16 @@ func UpdateUser(c *gin.Context) {
 	if req.OtpSecret == "" {
 		req.OtpSecret = user.OtpSecret
 	}
-	if req.Disabled && req.IsAdmin() {
-		common.ErrorStrResp(c, "admin user can not be disabled", 400)
-		return
+	if req.Disabled && user.IsAdmin() {
+		count, err := op.CountEnabledAdminsExcluding(user.ID)
+		if err != nil {
+			common.ErrorResp(c, err, 500)
+			return
+		}
+		if count == 0 {
+			common.ErrorStrResp(c, "at least one enabled admin must be kept", 400)
+			return
+		}
 	}
 	if err := op.UpdateUser(&req); err != nil {
 		common.ErrorResp(c, err, 500)