diff --git a/weed/admin/dash/admin_server.go b/weed/admin/dash/admin_server.go
index a2f73f02d..666dcb1b0 100644
--- a/weed/admin/dash/admin_server.go
+++ b/weed/admin/dash/admin_server.go
@@ -882,11 +882,6 @@ func (s *AdminServer) GetObjectStoreUsers(ctx context.Context) ([]ObjectStoreUse
 
 	// Convert IAM identities to ObjectStoreUser format
 	for _, identity := range s3cfg.Identities {
-		// Skip anonymous identity
-		if identity.Name == "anonymous" {
-			continue
-		}
-
 		// Skip service accounts - they should not be parent users
 		if strings.HasPrefix(identity.Name, serviceAccountPrefix) {
 			continue
diff --git a/weed/admin/dash/user_management.go b/weed/admin/dash/user_management.go
index 7832e501f..685bf4937 100644
--- a/weed/admin/dash/user_management.go
+++ b/weed/admin/dash/user_management.go
@@ -153,6 +153,13 @@ func (s *AdminServer) DeleteObjectStoreUser(username string) error {
 		return fmt.Errorf("credential manager not available")
 	}
 
+	// Prevent deletion of the anonymous identity — it is a system identity
+	// used for unauthenticated S3 access. Removing it would break anonymous
+	// request handling in the IAM layer.
+	if username == "anonymous" {
+		return fmt.Errorf("cannot delete the system identity 'anonymous'")
+	}
+
 	ctx := context.Background()
 
 	// Delete user using credential manager