How to fix CANT_DISABLE_LAST_ADMIN in Salesforce deployments
Salesforce blocks deactivating or freezing the last active user with System Administrator access, to prevent locking the org.
Surfaces during: runtime user-management DML, not a metadata deployWhat it means
CANT_DISABLE_LAST_ADMIN fires when an operation tries to deactivate, freeze, or otherwise remove admin-level access from the last remaining active user who has it. Salesforce enforces this as a safeguard: an org with zero active admins can't be recovered through the UI, so the platform refuses the change outright rather than letting it happen by accident.
It applies to any user carrying the equivalent of System Administrator access, not just the profile literally named that, so a custom profile or permission set combination granting "Modify All Data" plus "Manage Users" can trigger the same protection.
Common causes
The fix
- Confirm another active admin exists before deactivating oneCheck the count of active users with System Administrator or equivalent access before any deprovisioning step runs.
SELECT COUNT(Id) FROM User WHERE IsActive = true AND Profile.PermissionsModifyAllData = true - Activate the replacement admin firstSequence offboarding so the new admin's account and permissions are confirmed working before the old one is disabled.
- Add an admin-count check to pre-deploy or pre-deprovisioning scriptsBuild a safeguard into the automation itself so it can't submit a change that would leave zero active admins.
How Serpent prevents this
Serpent's org access is tied to the task and deployment history, so a deprovisioning script that would leave an org without an active admin fails clearly instead of silently locking a sandbox or scratch org out. See the Salesforce deployment error library.

Prevention
Related errors
CANT_DISABLE_LAST_ADMIN, answered
Start free. No credit card, no install, no commitment.
Set up in under 15 minutes. No DevOps hire needed.
