diff --git a/management/server/status/error.go b/management/server/status/error.go
index ce145a29a..045469306 100644
--- a/management/server/status/error.go
+++ b/management/server/status/error.go
@@ -93,7 +93,7 @@ func NewPeerNotPartOfAccountError() error {
 
 // NewUserNotFoundError creates a new Error with NotFound type for a missing user
 func NewUserNotFoundError(userKey string) error {
- return Errorf(NotFound, "user not found: %s", userKey)
+ return Errorf(NotFound, "user: %s not found", userKey)
 }
 
 // NewPeerNotRegisteredError creates a new Error with NotFound type for a missing peer
diff --git a/management/server/user.go b/management/server/user.go
index 8bbf18e63..1639ec50f 100644
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -539,15 +539,15 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
 return nil, status.NewUserNotPartOfAccountError()
 }
 
- if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
- return nil, status.NewAdminPermissionError()
- }
-
- targetUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, initiatorUserID)
+ targetUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, targetUserID)
 if err != nil {
 return nil, err
 }
 
+ if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
+ return nil, status.NewAdminPermissionError()
+ }
+
 pat, err := CreateNewPAT(tokenName, expiresIn, targetUserID, initiatorUser.Id)
 if err != nil {
 return nil, status.Errorf(status.Internal, "failed to create PAT: %v", err)
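Review bot: In CreatePAT (management/server/user.go), the record returned by `am.Store.GetUserByUserID(ctx, LockingStrengthShare, targetUserID)` is not compared with `accountID` anywhere in this hunk, while the initiator appears to get that check just above (`NewUserNotPartOfAccountError`). If the store lookup is keyed by user id alone, the new `HasAdminPower() && targetUser.IsServiceUser` test would also pass for a service user that belongs to a different account, so a tenant-scope guard belongs right after the lookup: `if targetUser.AccountID != accountID { return nil, status.NewUserNotPartOfAccountError() }` (field name assumed from the initiator check, which lies outside the hunk). A regression test covering an admin targeting a regular user, and a regular user targeting anyone else, would pin the behaviour this commit corrects. The function begins and ends outside the hunk, so a later check may already cover this; worth confirming before merge.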