diff --git a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
index 4b11e3ce4908129b465cefb55f8bc747bf16ff96..8ce149e9336cb9e5833c5968398a85b802330231 100755
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
@@ -92,6 +92,7 @@ import ca.nrc.cadc.ac.server.GroupPersistence;
 import ca.nrc.cadc.auth.AuthMethod;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.DNPrincipal;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.util.ObjectUtil;
 
@@ -125,8 +126,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
     {
         // current policy: group names visible to all authenticated users
         Subject caller = AuthenticationUtil.getCurrentSubject();
-        if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
-            throw new AccessControlException("Caller is not authenticated");
+        checkAuthenticatedWithAccount(caller);
 
         LdapGroupDAO groupDAO = null;
         LdapUserDAO userDAO = null;
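Review bot: The context comment two lines above the new call, `// current policy: group names visible to all authenticated users`, is now wrong, because `checkAuthenticatedWithAccount(caller)` also rejects authenticated callers that carry no HttpPrincipal. Leaving the old policy statement next to the stricter check will mislead the next reader about who can list group names; change it to `// current policy: group names visible to authenticated callers that have an account (HttpPrincipal)`. The enclosing method's signature is above the hunk, so its Javadoc, if any, likely needs the same correction.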
@@ -175,6 +175,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
                GroupNotFoundException
     {
         Subject caller = AuthenticationUtil.getCurrentSubject();
+        checkAuthenticatedWithAccount(caller);
         Principal userID = getUser(caller);
 
         LdapConnections conns = new LdapConnections(this);
@@ -395,4 +396,13 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
         GroupMemberships gms = gset.iterator().next();
         return gms.getUserID();
     }
+
+    private void checkAuthenticatedWithAccount(Subject caller)
+    {
+        if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
+            throw new AccessControlException("Caller is not authenticated");
+
+        if (caller.getPrincipals(HttpPrincipal.class).isEmpty())
+            throw new AccessControlException("Caller does not have authorized account");
+    }
 }
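Review bot: The new `checkAuthenticatedWithAccount` helper has no Javadoc, and its contract — two distinct rejections, and what "has an account" means here — is exactly the kind of authorization rule that needs to be written down. The presence of an HttpPrincipal is used as the proxy for an approved account, which only holds if the authentication layer never attaches an HttpPrincipal to a subject without one; that assumption should be stated so a later change to principal handling does not silently widen access. Add a Javadoc along the lines of `/** Rejects anonymous callers and authenticated callers without an account; an account is inferred from the presence of an HttpPrincipal in the Subject. @throws AccessControlException if the caller is null, anonymous, or has no HttpPrincipal */`. The same two-step check is written out inline in LdapUserPersistence in this commit, and its comment there says "approved account" while the exception message here says "authorized account"; the wording should agree.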
diff --git a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
index 1dfa5a60f123c17cec7dd2ef9967f67ca0549363..8711e52ee445883a2a49171d89f75b903cfe519b 100755
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
@@ -290,6 +290,10 @@ public class LdapUserPersistence extends LdapPersistence implements UserPersiste
         if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
             throw new AccessControlException("Caller is not authenticated");
 
+        // user must also have an approved account
+        if (caller.getPrincipals(HttpPrincipal.class).isEmpty())
+            throw new AccessControlException("Caller does not have authorized account");
+
         LdapUserDAO userDAO = null;
         LdapConnections conns = new LdapConnections(this);
         try
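Review bot: The added HttpPrincipal check is a verbatim copy of the second half of `checkAuthenticatedWithAccount` introduced in LdapGroupPersistence in this same commit, so the two authorization rules can now drift apart independently. Both classes extend LdapPersistence (visible in the hunk headers), so the helper belongs in that shared base as a `protected` method, and this hunk's four new lines plus the two-line anonymous check above them would collapse to `checkAuthenticatedWithAccount(caller);`. The enclosing method's signature is above the hunk, so I cannot tell whether its Javadoc documents the new AccessControlException condition; it should.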