diff --git a/admin/inc/class.admin_acl.inc.php b/admin/inc/class.admin_acl.inc.php
index f95ffebf68..5eb27d0253 100644
--- a/admin/inc/class.admin_acl.inc.php
+++ b/admin/inc/class.admin_acl.inc.php
@@ -409,10 +409,12 @@ class admin_acl
 				'caption' => 'Edit',
 				'default' => true,
 				'allowOnMultiple' => false,
+				'disableClass' => 'rowNoEdit',
 				'onExecute' => 'javaScript:app.admin.acl',
 			),
 			'add' => array(
 				'caption' => 'Add',
+				'disableClass' => 'rowNoEdit',
 				'onExecute' => 'javaScript:app.admin.acl',
 			),
 			'delete' => array(
diff --git a/admin/js/app.js b/admin/js/app.js
index a06aedd5ed..9c0ac0ed36 100644
--- a/admin/js/app.js
+++ b/admin/js/app.js
@@ -468,6 +468,11 @@ app.classes.admin = AppJS.extend(
 			{
 				content.acl_location = this.et2.getWidgetById('filter').getValue() == 'run' ? 'run' : null;
 			}
+			// If no admin rights, change UI to not allow adding access to apps
+			if(content.acl_location == 'run' && !egw.user('apps')['admin'])
+			{
+				content.acl_location = null;
+			}
 			if(content.acl_location == 'run')
 			{
 				// These are the apps the account has access to
diff --git a/admin/templates/default/acl.xet b/admin/templates/default/acl.xet
index be8679fc11..9ad21516e9 100644
--- a/admin/templates/default/acl.xet
+++ b/admin/templates/default/acl.xet
@@ -35,7 +35,7 @@
 					<nextmatch-header label="Custom 2" id="custom2"/>
 					<nextmatch-header label="Custom 3" id="custom3"/>
 				</row>
-				<row>
+				<row class="$row_cont[class]">
 					<appicon align="center" src="$row_cont[acl_appname]" class="admin_aclApp"/>
 					<menulist>
 						<menupopup type="select-app" id="${row}[acl_appname]" readonly="true"/>