diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index b0df3e14d..297ad4914 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -12129,8 +12129,8 @@ return 0 if ($access{'rpc'} == 0);	# Cannot make RPCs
 
 # Assume that standard admin usernames
 # are root-capable as a fallback
-return $u eq 'admin' ||
-       $u eq 'root' ||
+return $u eq 'root' ||
+       $u eq 'admin' ||
        $u eq 'sysadm';
 }
 
@@ -12156,10 +12156,12 @@ my %uaccess = &get_module_acl($remote_user, "");
 my %access = &get_module_acl($base_remote_user, "");
 
 # Check if mode must be restricted
-if ($uaccess{'_safe'} == 1 || $access{'_safe'} == 1 ||
-    $uaccess{'rpc'} == 0 || $access{'rpc'} == 0) {
-		# Safe Webmin user
-        $mode = 'safe-user';
+if ($base_remote_user !~ /^(root|admin|sysadm)$/) {
+	if ($uaccess{'_safe'} == 1 || $access{'_safe'} == 1 ||
+	    $uaccess{'rpc'} == 0 || $access{'rpc'} == 0) {
+			# Safe Webmin user
+	        $mode = 'safe-user';
+	    }
     }
 if (&get_product_name() eq "usermin") {
 	# Usermin user
@@ -12196,22 +12198,22 @@ sub webmin_user_is
 {
 my ($user_type) = @_;
 
-# Is user root/admin
+# Is user an administrator
 return &webmin_user_login_mode() eq 'root'
 	if ($user_type =~ /^(root|admin|sysadm)$/);
-
+# Is user a safe Webmin user
 return &webmin_user_login_mode() eq 'safe-user'
 	if ($user_type =~ /^(safe|user|safe-user)$/);
-
+# Is user mail user/Usermin user
 return &webmin_user_login_mode() eq 'mail-user'
 	if ($user_type =~ /^(mail|mail-user|usermin)$/);
-
+# Is user a Cloudmin owner
 return &webmin_user_login_mode() eq 'cloud-owner'
 	if ($user_type =~ /^(cloud(?:(min|))-owner)$/);
-
+# Is user a Virtualmin reseller
 return &webmin_user_login_mode() eq 'virtual-reseller'
 	if ($user_type =~ /^(virtual(?:(min|))-reseller)$/);
-
+# Is user a Virtualmin owner
 return &webmin_user_login_mode() eq 'virtual-owner'
 	if ($user_type =~ /^(virtual(?:(min|))-owner)$/);
 }