diff --git a/awx/api/serializers.py b/awx/api/serializers.py index b092d6cf7e..f1e269a634 100644 --- a/awx/api/serializers.py +++ b/awx/api/serializers.py @@ -594,6 +594,10 @@ class UserSerializer(BaseSerializer): def restore_object(self, attrs, instance=None): new_password = attrs.pop('password', None) + # first time creating, password required + if instance is None and new_password in (None, ''): + self._errors = {'password': ['Password required for new User']} + return instance = super(UserSerializer, self).restore_object(attrs, instance) instance._new_password = new_password return instance @@ -655,6 +659,9 @@ class UserSerializer(BaseSerializer): def validate_is_superuser(self, attrs, source): return self._validate_ldap_managed_field(attrs, source) + def validate_password(self, attrs, source): + return attrs + class OrganizationSerializer(BaseSerializer): diff --git a/awx/main/tests/users.py b/awx/main/tests/users.py index d4cd3618e6..e2bfe4f308 100644 --- a/awx/main/tests/users.py +++ b/awx/main/tests/users.py @@ -119,11 +119,16 @@ class UsersTest(BaseTest): self.organizations[0].users.add(self.other_django_user) self.organizations[0].users.add(self.normal_django_user) self.organizations[1].users.add(self.other_django_user) + + def test_user_creation_fails_without_password(self): + url = reverse('api:user_list') + new_user = dict(username='blippy') + response = self.post(url, expect=400, data=new_user, auth=self.get_super_credentials()) def test_only_super_user_or_org_admin_can_add_users(self): url = reverse('api:user_list') - new_user = dict(username='blippy') - new_user2 = dict(username='blippy2') + new_user = dict(username='blippy', password='hippy') + new_user2 = dict(username='blippy2', password='hippy2') self.post(url, expect=401, data=new_user, auth=None) self.post(url, expect=401, data=new_user, auth=self.get_invalid_credentials()) self.post(url, expect=403, data=new_user, auth=self.get_other_credentials()) 
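Review bot: The new guard in `restore_object` applies only when `instance is None`, so an update request carrying `password=''` still reaches `instance._new_password = new_password` with an empty string. Whether that becomes an empty stored password depends on how the save path consumes `_new_password`, which is outside this hunk; that path should skip falsy values. If it does not, normalise here with `instance._new_password = new_password or None`. The bare `return` also hands `None` back to the caller, which is safe only if the caller checks `_errors` before using the result; a comment such as `# caller must check _errors; no instance is built` would make that explicit.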
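Review bot: `validate_password` returns `attrs` unchanged, so it accepts any value, including a one-character or whitespace-only password. The only password rule enforced by this commit is the non-empty check in `restore_object`. If the method exists only to register a field hook, document that with `# no-op: presence is enforced in restore_object on create`. Otherwise this is the conventional place for the required check and any minimum-length rule, reported as a validation error on the `password` field, rather than assigning `self._errors` from `restore_object`.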
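Review bot: `test_user_creation_fails_without_password` covers only the missing-key case, although the serializer branch also rejects `password=''`, and the `response` it stores is never inspected. Add the empty-string case, `self.post(url, expect=400, data=dict(username='blippy', password=''), auth=self.get_super_credentials())`. Also assert that the error is reported under the `password` key (assuming `self.post` returns the parsed body), so that a 400 caused by another field cannot make the test pass. An update with an empty password is not tested either, and that is the path the create-only guard leaves open.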
@@ -138,7 +143,7 @@ class UsersTest(BaseTest):
 def test_only_super_user_can_use_superuser_flag(self):
 url = reverse('api:user_list')
- new_super_user = dict(username='nommy', is_superuser=True)
+ new_super_user = dict(username='nommy', password='cookie', is_superuser=True)
 self.post(url, expect=401, data=new_super_user, auth=self.get_invalid_credentials())
 self.post(url, expect=403, data=new_super_user, auth=self.get_other_credentials())
 self.post(url, expect=403, data=new_super_user, auth=self.get_normal_credentials())