diff --git a/action.php b/action.php
index f4f4851..af6ea0f 100644
--- a/action.php
+++ b/action.php
@@ -3,11 +3,15 @@
 /**
  * Make things happen when buttons are pressed and forms submitted.
  */
-
 require_once __DIR__ . "/required.php";
+require_once __DIR__ . "/lib/login.php";
 
 dieifnotloggedin();
 
+if (account_has_permission($_SESSION['username'], "ADMIN") == FALSE) {
+    die("You don't have permission to be here.");
+}
+
 /**
  * Redirects back to the page ID in $_POST/$_GET['source'] with the given message ID.
  * The message will be displayed by the app.
@@ -25,8 +29,49 @@ function returnToSender($msg, $arg = "") {
 }
 
 switch ($VARS['action']) {
+    case "edituser":
+        if (is_empty($VARS['id'])) {
+            $insert = true;
+        } else {
+            if ($database->has('accounts', ['uid' => $VARS['id']])) {
+                $insert = false;
+            } else {
+                returnToSender("invalid_userid");
+            }
+        }
+        if (is_empty($VARS['name']) || is_empty($VARS['username']) || is_empty($VARS['status'])) {
+            returnToSender('invalid_parameters');
+        }
+        
+        if (!$database->has('acctstatus', ['statusid' => $VARS['status']])) {
+            returnToSender("invalid_parameters");
+        }
+        
+        $data = [
+            'realname' => $VARS['name'],
+            'username' => $VARS['username'],
+            'email' => $VARS['email'],
+            'acctstatus' => $VARS['status']
+        ];
+        
+        if (!is_empty($VARS['pass'])) {
+            $data['password'] = password_hash($VARS['pass'], PASSWORD_BCRYPT);
+        }
+
+        if ($insert) {
+            $data['phone1'] = "";
+            $data['phone2'] = "";
+            $data['accttype'] = 1;
+            $database->insert('accounts', $data);
+        } else {
+            $database->update('accounts', $data, ['uid' => $VARS['id']]);
+        }
+
+        returnToSender("user_saved");
     case "signout":
         session_destroy();
         header('Location: index.php');
         die("Logged out.");
+    default:
+        die("Invalid action");
 }
\ No newline at end of file
diff --git a/api.php b/api.php
index 963268c..cec8d4e 100644
--- a/api.php
+++ b/api.php
@@ -14,7 +14,7 @@ header("Content-Type: application/json");
 
 $username = $VARS['username'];
 $password = $VARS['password'];
-if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true) {
+if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true || account_has_permission($username, "ADMIN") !== true) {
     header("HTTP/1.1 403 Unauthorized");
     die("\"403 Unauthorized\"");
 }
diff --git a/app.php b/app.php
index c4c009b..afc7164 100644
--- a/app.php
+++ b/app.php
@@ -1,10 +1,7 @@
 <?php
 require_once __DIR__ . "/required.php";
 
-if ($_SESSION['loggedin'] != true) {
-    header('Location: index.php');
-    die("Session expired.  Log in again to continue.");
-}
+redirectIfNotLoggedIn();
 
 require_once __DIR__ . "/pages.php";
 
diff --git a/index.php b/index.php
index 032d374..fd9cb61 100644
--- a/index.php
+++ b/index.php
@@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 
 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "ADMIN")) {
     header('Location: app.php');
 }
 
@@ -34,13 +34,17 @@ if (checkLoginServer()) {
                         break;
                 }
                 if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
-                    if (userHasTOTP($VARS['username'])) {
-                        $multiauth = true;
+                    if (account_has_permission($VARS['username'], "ADMIN") == FALSE) {
+                        $alert = lang("no admin permission", false);
                     } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
-                        header('Location: app.php');
-                        die("Logged in, go to app.php");
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
+                        if (userHasTOTP($VARS['username'])) {
+                            $multiauth = true;
+                        } else {
+                            doLoginUser($VARS['username'], $VARS['password']);
+                            header('Location: app.php');
+                            die("Logged in, go to app.php");
+                        }
                     }
                 }
             } else {
diff --git a/lang/en_us.php b/lang/en_us.php
index 37c7e8f..bd43efd 100644
--- a/lang/en_us.php
+++ b/lang/en_us.php
@@ -9,6 +9,7 @@ define("STRINGS", [
     "2fa prompt" => "Enter the six-digit code from your mobile authenticator app.",
     "2fa incorrect" => "Authentication code incorrect.",
     "login incorrect" => "Login incorrect.",
+    "no admin permission" => "You do not have permission to access this system.",
     "login server unavailable" => "Login server unavailable.  Try again later or contact technical support.",
     "account locked" => "This account has been disabled. Contact technical support.",
     "password expired" => "You must change your password before continuing.",
@@ -35,5 +36,15 @@ define("STRINGS", [
     "total users" => "Total Users",
     "view users" => "View Users",
     "normal accounts" => "Normal Accounts",
-    "locked accounts" => "Locked Accounts"
+    "locked accounts" => "Locked Accounts",
+    "editing user" => "Editing {user}",
+    "invalid userid" => "Invalid user ID.",
+    "user saved" => "User saved.",
+    "adding user" => "Adding new user",
+    "placeholder name" => "John Doe",
+    "placeholder username" => "jdoe",
+    "placeholder email address" => "jdoe@example.com",
+    "placeholder password" => "swordfish",
+    "new password" => "New Password",
+    "non-local account warning" => "This account is not locally managed.  Changes made here will not synchronize to the directory server and some attributes cannot be edited."
 ]);
\ No newline at end of file
diff --git a/lang/messages.php b/lang/messages.php
index 8ac0b7a..5602842 100644
--- a/lang/messages.php
+++ b/lang/messages.php
@@ -12,5 +12,13 @@ define("MESSAGES", [
     "404_error" => [
         "string" => "page not found",
         "type" => "info"
+    ],
+    "invalid_userid" => [
+        "string" => "invalid userid",
+        "type" => "danger"
+    ],
+    "user_saved" => [
+        "string" => "user saved",
+        "type" => "success"
     ]
 ]);
diff --git a/lib/login.php b/lib/login.php
index 88c5313..aeeead2 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -157,6 +157,37 @@ function get_account_status($username) {
     }
 }
 
+/**
+ * Check if the given username has the given permission (or admin access)
+ * @param string $username
+ * @param string $permcode
+ * @return boolean TRUE if the user has the permission (or admin access), else FALSE
+ */
+function account_has_permission($username, $permcode) {
+    $client = new GuzzleHttp\Client();
+
+    $response = $client
+            ->request('POST', PORTAL_API, [
+        'form_params' => [
+            'key' => PORTAL_KEY,
+            'action' => "permission",
+            'username' => $username,
+            'code' => $permcode
+        ]
+    ]);
+
+    if ($response->getStatusCode() > 299) {
+        sendError("Login server error: " . $response->getBody());
+    }
+
+    $resp = json_decode($response->getBody(), TRUE);
+    if ($resp['status'] == "OK") {
+        return $resp['has_permission'];
+    } else {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 //                              Login handling                                //
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/pages.php b/pages.php
index 350c4df..cc0aaba 100644
--- a/pages.php
+++ b/pages.php
@@ -20,6 +20,13 @@ define("PAGES", [
             "static/js/users.js"
         ],
     ],
+    "edituser" => [
+        "title" => "edit user",
+        "navbar" => false,
+        "scripts" => [
+            "static/js/edituser.js"
+        ]
+    ],
     "404" => [
         "title" => "404 error"
     ]
diff --git a/pages/edituser.php b/pages/edituser.php
new file mode 100644
index 0000000..4c9d143
--- /dev/null
+++ b/pages/edituser.php
@@ -0,0 +1,136 @@
+<?php
+require_once __DIR__ . '/../required.php';
+require_once __DIR__ . "/../lib/login.php";
+require_once __DIR__ . "/../lib/userinfo.php";
+
+redirectifnotloggedin();
+
+$userdata = [
+    'uid' => '',
+    'username' => '',
+    'realname' => '',
+    'email' => '',
+    'acctstatus' => '',
+    'typecode' => 'LOCAL'
+];
+
+$editing = false;
+
+if (!is_empty($VARS['id'])) {
+    if ($database->has('accounts', ['uid' => $VARS['id']])) {
+        $editing = true;
+        $userdata = $database->select('accounts', ['[>]accttypes' => ['accttype' => 'typeid']], [
+                    'uid',
+                    'username',
+                    'realname',
+                    'email',
+                    'acctstatus',
+                    'typecode'
+                        ], [
+                    'uid' => $VARS['id']
+                ])[0];
+    } else {
+        // user id is invalid, redirect to a page that won't cause an error when pressing Save
+        header('Location: app.php?page=edituser');
+    }
+}
+
+if ($userdata['typecode'] != "LOCAL") {
+    $localacct = false;
+} else {
+    $localacct = true;
+}
+?>
+
+<form role="form" action="action.php" method="POST">
+    <div class="panel panel-blue">
+        <div class="panel-heading">
+            <h3 class="panel-title">
+                <?php
+                if ($editing) {
+                    ?>
+                    <i class="fa fa-pencil-square-o"></i> <?php lang2("editing user", ['user' => "<span id=\"name_title\">" . htmlspecialchars($userdata['realname']) . "</span>"]); ?>
+                    <?php
+                } else {
+                    ?>
+                    <i class="fa fa-pencil-square-o"></i> <?php lang("adding user"); ?>
+                    <?php
+                }
+                ?>
+            </h3>
+        </div>
+        <div class="panel-body">
+            <?php
+            if (!$localacct) {
+                ?>
+                <div class="alert alert-warning">
+                    <?php lang("non-local account warning"); ?>
+                </div>
+                <?php
+            }
+            ?>
+            <div class="form-group">
+                <label for="name"><i class="fa fa-user"></i> <?php lang("name"); ?></label>
+                <input type="text" class="form-control" id="name" name="name" placeholder="<?php lang("placeholder name"); ?>" required="required" value="<?php echo htmlspecialchars($userdata['realname']); ?>" />
+            </div>
+
+            <div class="row">
+                <div class="col-xs-12 col-md-6">
+                    <div class="form-group">
+                        <label for="username"><i class="fa fa-id-badge"></i> <?php lang("username"); ?></label>
+                        <input type="text" <?php if (!$localacct) echo "disabled"; ?> class="form-control" name="username" id="username" placeholder="<?php lang("placeholder username"); ?>" required="required" value="<?php echo htmlspecialchars($userdata['username']); ?>" />
+                    </div>
+                </div>
+                <div class="col-xs-12 col-md-6">
+                    <div class="form-group">
+                        <label for="email"><i class="fa fa-envelope"></i> <?php lang("email"); ?></label>
+                        <input type="email" class="form-control" name="email" id="email" placeholder="<?php lang("placeholder email address"); ?>" value="<?php echo htmlspecialchars($userdata['email']); ?>" />
+                    </div>
+                </div>
+            </div>
+
+            <div class="row">
+                <div class="col-xs-12 col-md-6">
+                    <div class="form-group">
+                        <label for="pass"><i class="fa fa-lock"></i> <?php lang("new password"); ?></label>
+                        <input type="text" <?php if (!$localacct) echo "disabled"; ?> autocomplete="new-password" class="form-control" name="pass" id="pass" placeholder="<?php lang("placeholder password"); ?>" />
+                    </div>
+                </div>
+
+                <div class="col-xs-12 col-md-6">
+                    <div class="form-group">
+                        <label for="status"><i class="fa fa-check-circle"></i> <?php lang("status"); ?></label>
+                        <select class="form-control" name="status" id="status" required="required">
+                            <?php
+                            $statuses = $database->select('acctstatus', ['statusid (id)', 'statuscode (code)'], ["ORDER" => "statusid"]);
+                            foreach ($statuses as $s) {
+                                echo "<option";
+                                if ($s['id'] == $userdata['acctstatus']) {
+                                    echo " selected";
+                                }
+                                echo " value=\"" . $s['id'] . "\">" . $s['code'] . "</option>";
+                            }
+                            ?>
+                        </select>
+                    </div>
+                </div>
+            </div>
+
+        </div>
+
+        <input type="hidden" name="id" value="<?php echo htmlspecialchars($VARS['id']); ?>" />
+        <input type="hidden" name="action" value="edituser" />
+        <input type="hidden" name="source" value="users" />
+
+        <div class="panel-footer">
+            <button type="submit" class="btn btn-success"><i class="fa fa-floppy-o"></i> <?php lang("save"); ?></button>
+            <?php
+            if ($editing) {
+                ?>
+                <a href="action.php?action=deleteuser&source=users&userid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
+                <?php
+            }
+            ?>
+        </div>
+    </div>
+</form>
\ No newline at end of file
diff --git a/pages/home.php b/pages/home.php
index 864df43..8428667 100644
--- a/pages/home.php
+++ b/pages/home.php
@@ -30,7 +30,7 @@ redirectifnotloggedin();
         <div class="panel panel-amber">
             <div class="panel-heading"><div class="panel-title"><?php lang("locked accounts") ?></div></div>
             <div class="panel-body">
-                <h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus' => 2, 'acctstatus' => 3]]); ?></h1>
+                <h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus #LOCKED_OR_DISABLED' => 2, 'acctstatus #CHANGE_PASSWORD' => 3]]); ?></h1>
             </div>
             <div class="panel-footer">
                 <a style="color: black;" href="app.php?page=users"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a>
diff --git a/pages/users.php b/pages/users.php
index 45e947f..2756dbf 100644
--- a/pages/users.php
+++ b/pages/users.php
@@ -11,11 +11,11 @@ redirectifnotloggedin();
         <tr>
             <th data-priority="0"></th>
             <th data-priority="1"><?php lang('actions'); ?></th>
-            <th data-priority="1"><?php lang('name'); ?></th>
-            <th data-priority="2"><?php lang('username'); ?></th>
-            <th data-priority="3"><?php lang('email'); ?></th>
-            <th data-priority="3"><?php lang('status'); ?></th>
-            <th data-priority="4"><?php lang('type'); ?></th>
+            <th data-priority="1"><i class="fa fa-fw fa-user"></i> <?php lang('name'); ?></th>
+            <th data-priority="2"><i class="fa fa-fw fa-id-badge"></i> <?php lang('username'); ?></th>
+            <th data-priority="3"><i class="fa fa-fw fa-envelope"></i> <?php lang('email'); ?></th>
+            <th data-priority="3"><i class="fa fa-fw fa-check-circle"></i> <?php lang('status'); ?></th>
+            <th data-priority="4"><i class="fa fa-fw fa-server"></i> <?php lang('type'); ?></th>
         </tr>
     </thead>
     <tbody>
@@ -54,11 +54,10 @@ redirectifnotloggedin();
         <tr>
             <th data-priority="0"></th>
             <th data-priority="1"><?php lang('actions'); ?></th>
-            <th data-priority="1"><?php lang('name'); ?></th>
-            <th data-priority="2"><?php lang('username'); ?></th>
-            <th data-priority="3"><?php lang('email'); ?></th>
-            <th data-priority="3"><?php lang('status'); ?></th>
-            <th data-priority="4"><?php lang('type'); ?></th>
-        </tr>
+            <th data-priority="1"><i class="fa fa-fw fa-user"></i> <?php lang('name'); ?></th>
+            <th data-priority="2"><i class="fa fa-fw fa-id-badge"></i> <?php lang('username'); ?></th>
+            <th data-priority="3"><i class="fa fa-fw fa-envelope"></i> <?php lang('email'); ?></th>
+            <th data-priority="3"><i class="fa fa-fw fa-check-circle"></i> <?php lang('status'); ?></th>
+            <th data-priority="4"><i class="fa fa-fw fa-server"></i> <?php lang('type'); ?></th>
     </tfoot>
 </table>
\ No newline at end of file
diff --git a/required.php b/required.php
index 0ea9e72..bfaf63b 100644
--- a/required.php
+++ b/required.php
@@ -185,7 +185,12 @@ if (!function_exists('base_url')) {
 
 function redirectIfNotLoggedIn() {
     if ($_SESSION['loggedin'] !== TRUE) {
-        header('Location: ' . URL . '/index.php');
+        header('Location: ./index.php');
         die();
     }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "ADMIN") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
+    }
 }
diff --git a/static/js/edituser.js b/static/js/edituser.js
new file mode 100644
index 0000000..7a18cab
--- /dev/null
+++ b/static/js/edituser.js
@@ -0,0 +1,3 @@
+$('#name').on('input propertychange paste', function() {
+    $('#name_title').text($('#name').val());
+});
\ No newline at end of file