diff --git a/keyserver/src/updaters/thread-updaters.js b/keyserver/src/updaters/thread-updaters.js
--- a/keyserver/src/updaters/thread-updaters.js
+++ b/keyserver/src/updaters/thread-updaters.js
@@ -76,13 +76,14 @@
 throw new ServerError('not_logged_in');
 }
- const [memberIDs, hasPermission] = await Promise.all([
+ const [memberIDs, hasPermission, fetchThreadResult] = await Promise.all([
 verifyUserIDs(request.memberIDs),
 checkThreadPermission(
 viewer,
 request.threadID,
 threadPermissions.CHANGE_ROLE,
 ),
+ fetchThreadInfos(viewer, SQL`t.id = ${request.threadID}`),
 ]);
 if (memberIDs.length === 0) {
 throw new ServerError('invalid_parameters');
@@ -91,6 +92,21 @@
 throw new ServerError('invalid_credentials');
 }
+ const threadInfo = fetchThreadResult.threadInfos[request.threadID];
+
+ const memberRole = threadInfo.members.find(
+ member => member.id === request.memberIDs[0],
+ )?.role;
+
+ const memberRoleCount = threadInfo.members.filter(
+ member => member.role === memberRole,
+ ).length;
+ const memberRoleName = memberRole && threadInfo.roles[memberRole].name;
+
+ if (memberRoleName === 'Admins' && memberRoleCount === 1) {
+ throw new ServerError('invalid_parameters');
+ }
+
 const query = SQL`
 SELECT user, role
 FROM memberships
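Review bot: The last-admin guard in the second hunk only looks at `request.memberIDs[0]`, but `memberIDs` is an array that the earlier `memberIDs.length === 0` check shows can hold several users, so a request that changes the role of every current admin at once (e.g. both of two admins) passes the check and leaves the thread with no admin. The guard should count the admins among all requested members and reject when that equals the total admin count; the rewrite below does that and also handles the case where `fetchThreadResult.threadInfos[request.threadID]` is missing, since the new code dereferences `threadInfo.members` without a check and would surface a TypeError instead of a ServerError. The requested target role is not visible in this hunk; if it can itself be the admin role, the guard will also reject that harmless no-op and may need a further condition. The enclosing updater function starts before the first hunk and continues past the `FROM memberships` line.
```javascript
const threadInfo = fetchThreadResult.threadInfos[request.threadID];
if (!threadInfo) {
  throw new ServerError('invalid_parameters');
}

// A thread must keep at least one admin: reject when every admin is among
// the members whose role this request changes.
const isAdmin = member => threadInfo.roles[member.role]?.name === 'Admins';
const adminCount = threadInfo.members.filter(isAdmin).length;
const affectedAdminCount = threadInfo.members.filter(
  member => isAdmin(member) && request.memberIDs.includes(member.id),
).length;
if (affectedAdminCount > 0 && affectedAdminCount === adminCount) {
  throw new ServerError('invalid_parameters');
}

// … unchanged: membership query …
```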