diff --git a/doc/82-Changelog.md b/doc/82-Changelog.md
index 352cd271..d4cd4aec 100644
--- a/doc/82-Changelog.md
+++ b/doc/82-Changelog.md
@@ -13,6 +13,7 @@ before switching to a new version.
 ### Permissions and Restrictions
 * FEATURE: Showing the executed SQL query now requires the `showsql` permission
 * FEATURE: Grant access to Service Set in a controlled way
+* FIX: do not allow a user to create hosts he wouldn't be allowed to see #1451
 ### User Interface
 * FEATURE: Admins have now access to JSON download links in many places
diff --git a/library/Director/Web/Form/DirectorObjectForm.php b/library/Director/Web/Form/DirectorObjectForm.php
index 913da859..d1e40aaf 100644
--- a/library/Director/Web/Form/DirectorObjectForm.php
+++ b/library/Director/Web/Form/DirectorObjectForm.php
@@ -4,14 +4,17 @@ namespace Icinga\Module\Director\Web\Form;
 use Exception;
 use Icinga\Authentication\Auth;
+use Icinga\Exception\AuthenticationException;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Data\Db\DbObject;
 use Icinga\Module\Director\Data\Db\DbObjectWithSettings;
 use Icinga\Module\Director\Exception\NestingError;
 use Icinga\Module\Director\IcingaConfig\StateFilterSet;
 use Icinga\Module\Director\IcingaConfig\TypeFilterSet;
+use Icinga\Module\Director\Objects\IcingaHost;
 use Icinga\Module\Director\Objects\IcingaTemplateChoice;
 use Icinga\Module\Director\Objects\IcingaObject;
+use Icinga\Module\Director\Restriction\HostgroupRestriction;
 use Icinga\Module\Director\Util;
 use Icinga\Module\Director\Web\Form\Validate\NamePattern;
 use Zend_Form_Element as ZfElement;
@@ -630,6 +633,15 @@ abstract class DirectorObjectForm extends DirectorForm
 {
 $object = $this->object();
 if ($object->hasBeenModified()) {
+ if ($object instanceof IcingaHost && $this->hasHostGroupRestriction()) {
+ $restriction = new HostgroupRestriction($this->db, $this->auth);
+ if (! $restriction->allowsHost($object)) {
+ throw new AuthenticationException($this->translate( 'Unable to store a host with the given properties because of insufficient permissions' ));
+ }
+ }
+
 if (! $object->hasBeenLoadedFromDb()) {
 $this->setHttpResponseCode(201);
 }
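Review bot: The new guard throws `AuthenticationException` for what is an authorization failure: the user is already authenticated and merely lacks hostgroup scope, so a permission-denied type (Icinga Web's `Icinga\Security\SecurityException`, for instance) would describe the failure more accurately and keep login problems and restriction hits apart in logs. The enforcement also lives only in this form's store path; if host objects can reach the database through other entry points (REST API, sync, import), those paths need the same `allowsHost()` check, which I cannot see from here. A why-comment above the new block would help the next reader, e.g. `// Fail closed: a restricted user must not store a host he could not see afterwards (#1451)`. The enclosing method starts before the hunk, and `hasHostGroupRestriction()`, `$this->db` and `$this->auth` are assumed to be provided by it or by the parent form.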