diff --git a/lib/api/v3/users/users_api.rb b/lib/api/v3/users/users_api.rb
index 7ddeabdfad5..0e64cc1876d 100644
--- a/lib/api/v3/users/users_api.rb
+++ b/lib/api/v3/users/users_api.rb
@@ -44,6 +44,12 @@ module API
 fail ::API::Errors::InvalidUserStatusTransition
 end
 end
+
+ def ensure_user_limit_not_reached_for_activation!
+ return unless OpenProject::Enterprise.user_limit_reached?
+
+ fail ::API::Errors::UnprocessableContent.new(I18n.t(:error_enterprise_activation_user_limit))
+ end
 end
 resources :users do
@@ -109,7 +115,10 @@ module API
 desc "Remove lock on user account"
 delete do
 user_transition(@user.locked? || @user.active? || @user.deleted?) do
- @user.activate! unless @user.active?
+ if @user.locked?
+ ensure_user_limit_not_reached_for_activation!
+ @user.activate!
+ end
 end
 end
 end
diff --git a/spec/requests/api/v3/user/userlock_resource_spec.rb b/spec/requests/api/v3/user/userlock_resource_spec.rb
index e6b3836cbc8..0707282840c 100644
--- a/spec/requests/api/v3/user/userlock_resource_spec.rb
+++ b/spec/requests/api/v3/user/userlock_resource_spec.rb
@@ -41,14 +41,14 @@ RSpec.describe "API v3 UserLock resource", content_type: :json do
 let(:representer) { API::V3::Users::UserRepresenter.new(model) }
 let(:lock_path) { api_v3_paths.user_lock user.id }
- subject(:response) { last_response }
-
 describe "#post" do
+ subject(:response) do
+ post lock_path
+ last_response
+ end
+
 before do
 allow(User).to receive(:current).and_return current_user
- post lock_path
- # lock manually
- user.lock
 end
 # Locking is only available for admins
@@ -79,6 +79,8 @@ RSpec.describe "API v3 UserLock resource", content_type: :json do
 context "requesting nonexistent user" do
 let(:lock_path) { api_v3_paths.user_lock 9999 }
+ before { response }
+
 it_behaves_like "not found"
 end
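Review bot: `ensure_user_limit_not_reached_for_activation!` in the @@ -44,6 hunk of users_api.rb has no comment stating its contract, and its name reads as a general activation guard although the only caller in this diff is the unlock endpoint. I would add above the `def`: `# Fails with UnprocessableContent when the enterprise user limit is reached; call before any transition that turns a non-active user active.` Whether other activation paths in this API go through it cannot be seen from here, because the enclosing helpers block starts outside the hunk.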
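Review bot: In the `delete` handler of the @@ -109,7 hunk, the limit check and `@user.activate!` are two separate steps with nothing visible that serialises them, so two concurrent unlock requests can both see `user_limit_reached?` as false and both activate, ending one seat over the limit. If the limit is meant to be a hard bound, the check belongs under the same lock or transaction as the status change, or needs a re-check after activation; `activate!` is defined outside this diff, so this may already be handled there. At minimum I would record it next to the call: `# NOTE: check-then-activate is not atomic; concurrent unlocks may exceed the user limit`. Separately, a user admitted by the `@user.deleted?` part of the guard now falls through `if @user.locked?` unchanged, and it looks like the request is still reported as a successful transition.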
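Review bot: `subject(:response)` in `describe "#post"` (spec hunk @@ -41,14) now sends the HTTP request as a side effect of being read, so any example or shared example that inspects `last_response` or database state without first touching `response` runs before a request was made. The `before { response }` added for the "not found" case in the @@ -79,6 hunk shows how easy that is to miss, and the `#delete` subject in the @@ -90,11 hunk has the same property. I would make the laziness explicit above both subjects with `# NOTE: evaluating response sends the request; reference it before asserting on state`.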
@@ -90,11 +92,13 @@ RSpec.describe "API v3 UserLock resource", content_type: :json do
 end
 describe "#delete" do
+ subject(:response) do
+ delete lock_path
+ last_response
+ end
+
 before do
 allow(User).to receive(:current).and_return current_user
- delete lock_path
- # unlock manually
- user.activate
 end
 # Unlocking is only available for admins
@@ -120,6 +124,23 @@ RSpec.describe "API v3 UserLock resource", content_type: :json do
 expect(subject.status).to eq(400)
 end
 end
+
+ context "when user limit is reached and the user is locked" do
+ let(:user) { create(:locked_user) }
+
+ before do
+ allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_return(true)
+ end
+
+ it "responds with 422" do
+ expect(subject.status).to eq(422)
+ end
+
+ it "does not activate the user" do
+ subject
+ expect(user.reload).to be_locked
+ end
+ end
 end
 context "non-admin user" do
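Review bot: The context added in the @@ -120,6 hunk covers only the rejected path; nothing pins that an unlock request for a user who is already active is still accepted while the limit is reached, which is what the `if @user.locked?` branch in users_api.rb preserves. A regression that moved the limit check outside that branch would pass both new examples. I would add a sibling context along the lines below; the default `user` is defined outside this hunk, so confirm it is an active user or override it.

```ruby
context "when user limit is reached and the user is already active" do
  # assumes the default `user` is active; its definition is outside this hunk
  before do
    allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_return(true)
  end

  it "does not reject the request because of the limit" do
    expect(subject.status).not_to eq(422)
  end
end
```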