diff --git a/src/middlewared/middlewared/plugins/account.py b/src/middlewared/middlewared/plugins/account.py
index 32c3d19c06397..346647ad567c0 100644
--- a/src/middlewared/middlewared/plugins/account.py
+++ b/src/middlewared/middlewared/plugins/account.py
@@ -676,7 +676,7 @@ def do_update(self, app, audit_callback, pk, data):
 audit_callback(username)
 raise CallError(
 'Users provided by a directory service must be modified through the identity provider '
- '(LDAP server or domain controller).'
+ '(LDAP server or domain controller).', errno.EPERM
 )
 user = self.middleware.call_sync('user.get_instance', pk)
@@ -921,7 +921,7 @@ def do_delete(self, audit_callback, pk, options):
 audit_callback(username)
 raise CallError(
 'Users provided by a directory service must be deleted from the identity provider '
- '(LDAP server or domain controller).'
+ '(LDAP server or domain controller).', errno.EPERM
 )
@@ -1962,7 +1962,7 @@ async def do_update(self, audit_callback, pk, data):
 audit_callback(groupname)
 raise CallError(
 'Groups provided by a directory service must be modified through the identity provider '
- '(LDAP server or domain controller).'
+ '(LDAP server or domain controller).', errno.EPERM
 )
 group = await self.get_instance(pk)
@@ -2056,7 +2056,7 @@ async def do_delete(self, audit_callback, pk, options):
 audit_callback(groupname)
 raise CallError(
 'Groups provided by a directory service must be deleted from the identity provider '
- '(LDAP server or domain controller).'
+ '(LDAP server or domain controller).', errno.EPERM
 )
 group = await self.get_instance(pk)
diff --git a/tests/api2/test_040_ad_user_group_cache.py b/tests/api2/test_040_ad_user_group_cache.py
index 12a85262f646e..13725161796ac 100644
--- a/tests/api2/test_040_ad_user_group_cache.py
+++ b/tests/api2/test_040_ad_user_group_cache.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
+import errno
 import pytest
 import sys
 import os
@@ -7,6 +8,7 @@
 sys.path.append(apifolder)
 from functions import SSH_TEST
 from auto_config import password, user
+from middlewared.service_exception import CallError
 from middlewared.test.integration.assets.directory_service import active_directory
 from middlewared.test.integration.utils import call
@@ -175,3 +177,16 @@ def test_check_lazy_initialization_of_users_and_groups_by_id(do_ad_connection):
 )])
 assert cache_names == {ad_group['name']}
+
+@pytest.mark.parametrize('UPDATE', 'DELETE')
+def test_update_delete_failures(do_ad_connection, op_type):
+ ad_user, ad_group = get_ad_user_and_group(do_ad_connection)
+
+ for acct, prefix in ((ad_user, 'user'), (ad_group, 'group')):
+ with pytest.raises(CallError) as ce:
+ if op_type == 'UPDATE':
+ call(f'{prefix}.update', acct['id'], {'smb': False})
+ else:
+ call(f'{prefix}.delete', acct['id'])
+
+ assert ce.value.errno == errno.EPERM
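Review bot: The decorator on `test_update_delete_failures` is `@pytest.mark.parametrize('UPDATE', 'DELETE')`, which passes 'UPDATE' as the argument name and the string 'DELETE' as the value list, so `op_type` is never parametrized. pytest will reject the test at collection because the function has no `UPDATE` argument, and the new EPERM check for directory-service users and groups gives no coverage. It should read `@pytest.mark.parametrize('op_type', ['UPDATE', 'DELETE'])`. Once it runs, a one-line docstring such as `"""Modifying or deleting AD-provided accounts must fail with EPERM."""` would make the intent of the loop over `user` and `group` clear.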