diff --git a/modules/users/server/controllers/admin.server.controller.js b/modules/users/server/controllers/admin.server.controller.js
index c2998f9e9a..14063fb74f 100644
--- a/modules/users/server/controllers/admin.server.controller.js
+++ b/modules/users/server/controllers/admin.server.controller.js
@@ -74,6 +74,12 @@ exports.list = function (req, res) {
  * User middleware
  */
 exports.userByID = function (req, res, next, id) {
+  if (!mongoose.Types.ObjectId.isValid(id)) {
+    return res.status(400).send({
+      message: 'User is invalid'
+    });
+  }
+
   User.findById(id, '-salt -password').exec(function (err, user) {
     if (err) return next(err);
     if (!user) return next(new Error('Failed to load user ' + id));
diff --git a/modules/users/server/controllers/users/users.authorization.server.controller.js b/modules/users/server/controllers/users/users.authorization.server.controller.js
index 9ad24fc3ef..ea35abf346 100644
--- a/modules/users/server/controllers/users/users.authorization.server.controller.js
+++ b/modules/users/server/controllers/users/users.authorization.server.controller.js
@@ -10,10 +10,16 @@ var _ = require('lodash'),
 /**
  * User middleware
  */
-exports.userByID = function(req, res, next, id) {
+exports.userByID = function (req, res, next, id) {
+  if (!mongoose.Types.ObjectId.isValid(id)) {
+    return res.status(400).send({
+      message: 'User is invalid'
+    });
+  }
+
   User.findOne({
     _id: id
-  }).exec(function(err, user) {
+  }).exec(function (err, user) {
     if (err) return next(err);
     if (!user) return next(new Error('Failed to load User ' + id));
     req.profile = user;
diff --git a/modules/users/server/policies/admin.server.policies.js b/modules/users/server/policies/admin.server.policy.js
similarity index 96%
rename from modules/users/server/policies/admin.server.policies.js
rename to modules/users/server/policies/admin.server.policy.js
index b0860ec82b..d7b7a43fdb 100644
--- a/modules/users/server/policies/admin.server.policies.js
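Review bot: `mongoose.Types.ObjectId.isValid(id)` in the new guard of admin.server.controller.js's userByID also accepts any 12-character string, so the 400 response covers only part of the malformed-id space and a value such as `'abcdefghijkl'` still reaches `User.findById`, where it is cast to an ObjectId and simply misses. If the intent is to reject anything that is not a canonical 24-hex id, tighten the guard to `if (!/^[0-9a-fA-F]{24}$/.test(id)) {`; the same applies to the identical guard added to users.authorization.server.controller.js's userByID, and since the two blocks are now byte-for-byte copies a shared helper would keep them from drifting. A pre-existing path is left inconsistent with the new branch: a well-formed id that matches no document still goes to `next(new Error('Failed to load user ' + id))`, which the default error handler will most likely report as a 500 rather than a 404, so aligning it with the explicit 400 here would be worthwhile while this code is being touched. In both files the exec callback and the enclosing function continue outside the hunk.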
+++ b/modules/users/server/policies/admin.server.policy.js
@@ -9,7 +9,7 @@ var acl = require('acl');
 acl = new acl(new acl.memoryBackend());
 
 /**
- * Invoke Articles Permissions
+ * Invoke Admin Permissions
  */
 exports.invokeRolesPolicies = function () {
   acl.allow([{
diff --git a/modules/users/server/routes/admin.server.routes.js b/modules/users/server/routes/admin.server.routes.js
index d2fd4f4630..c98acb2ce6 100644
--- a/modules/users/server/routes/admin.server.routes.js
+++ b/modules/users/server/routes/admin.server.routes.js
@@ -3,19 +3,22 @@
 /**
  * Module dependencies.
  */
-var adminPolicy = require('../policies/admin.server.policies'),
+var adminPolicy = require('../policies/admin.server.policy'),
   admin = require('../controllers/admin.server.controller');
 
 module.exports = function (app) {
+  // User route registration first. Ref: #713
+  require('./users.server.routes.js')(app);
+
   // Users collection routes
-  app.route('/api/users').all(adminPolicy.isAllowed)
-    .get(admin.list);
+  app.route('/api/users')
+    .get(adminPolicy.isAllowed, admin.list);
 
   // Single user routes
-  app.route('/api/users/:userId').all(adminPolicy.isAllowed)
-    .get(admin.read)
-    .put(admin.update)
-    .delete(admin.delete);
+  app.route('/api/users/:userId')
+    .get(adminPolicy.isAllowed, admin.read)
+    .put(adminPolicy.isAllowed, admin.update)
+    .delete(adminPolicy.isAllowed, admin.delete);
 
   // Finish by binding the user middleware
   app.param('userId', admin.userByID);
diff --git a/modules/users/server/routes/users.server.routes.js b/modules/users/server/routes/users.server.routes.js
index d74a428190..0feb276478 100644
--- a/modules/users/server/routes/users.server.routes.js
+++ b/modules/users/server/routes/users.server.routes.js
@@ -1,6 +1,6 @@
 'use strict';
 
-module.exports = function(app) {
+module.exports = function (app) {
   // User Routes
   var users = require('../controllers/users.server.controller');
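Review bot: The `require('./users.server.routes.js')(app);` call added at the top of module.exports in admin.server.routes.js registers the user routes a second time if the application's route loader also picks up users.server.routes.js on its own, which the file's `module.exports = function (app)` shape suggests it is designed for; that is harmless for idempotent GETs but doubles every handler's middleware chain and is easy to miss later. The comment `// User route registration first. Ref: #713` gives the order but not the reason; a reader is better served by something like `// Register user routes before '/api/users/:userId' so fixed paths under /api/users (e.g. /api/users/me) are not captured by :userId and rejected by the ObjectId check in userByID. Ref: #713`. If the loader's file ordering is the underlying problem, fixing it there, or guarding this file against double registration, would be cleaner than nesting one route module inside another. The module.exports function closes outside the hunk.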