diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
index 6a23ad5..5052487 100644
--- a/src/auth/auth.service.ts
+++ b/src/auth/auth.service.ts
@@ -226,10 +226,12 @@ export class AuthService {
 if (!target) {
 throw new UnauthorizedException(`user ${email} not found`);
 }
- // Enforce at-most-one-admin: clear every other row first, then set
+ // Enforce at-most-one-admin: clear every existing admin row first
+ // (TypeORM rejects an empty-where update, so target by isAdmin=true
+ // — the no-op cost when no rows match is one cheap query), then set
 // the target. Two UPDATEs in one txn so a peer never sees two admins.
 await this.userRepo.manager.transaction(async (txn) => {
- await txn.update(User, {}, { isAdmin: false });
+ await txn.update(User, { isAdmin: true }, { isAdmin: false });
 await txn.update(User, { id: target.id }, { isAdmin: true });
 });
 await this.audit.write({
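Review bot: With the clearing UPDATE narrowed to `{ isAdmin: true }`, two concurrent promotions can each clear only the admin rows visible to them and then set their own target, so the "never sees two admins" guarantee in the comment may not hold under the database's default isolation level (the level is not visible here, so this is inferred). Consider running the transaction at a stricter level, `this.userRepo.manager.transaction('SERIALIZABLE', async (txn) => {`, or backing the invariant with a partial unique index on `isAdmin` where the database supports one, so a second admin row is rejected at commit. The second `txn.update` also ignores its result: if the target row was removed after the lookup, the transaction commits with zero admins, so checking `affected` and throwing inside the callback would roll the clear back. The enclosing method starts and ends outside the hunk.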