diff --git a/app/seeders/root_seeder.rb b/app/seeders/root_seeder.rb
index f1a150e4723f..0958652ca40c 100644
--- a/app/seeders/root_seeder.rb
+++ b/app/seeders/root_seeder.rb
@@ -75,6 +75,11 @@ def do_seed!
 seed_development_data if seed_development_data?
 seed_plugins_data
 seed_env_data
+ cleanup_seed_data
+ end
+
+ def cleanup_seed_data
+ admin_user.lock! if Setting.seed_admin_user_locked?
 end
 
 def seed_development_data?
diff --git a/config/constants/settings/definition.rb b/config/constants/settings/definition.rb
index 16fe9e0705f2..8c7c30a1bd65 100644
--- a/config/constants/settings/definition.rb
+++ b/config/constants/settings/definition.rb
@@ -923,6 +923,12 @@ class Definition
 default: "https://releases.openproject.com/v1/check.svg",
 writable: false
 },
+ seed_admin_user_locked: {
+ description: "Lock the created admin user after seeding, so it can not be used for logging in. " \
+ "If set to true, an admin user has to be created manually or through an SSO provider.",
+ default: false,
+ writable: false
+ },
 seed_admin_user_password: {
 description: 'Password to set for the initially created admin user (Login remains "admin").',
 default: "admin",
diff --git a/docs/installation-and-operations/configuration/README.md b/docs/installation-and-operations/configuration/README.md
index 839ec412458f..8ff6d3f58672 100644
--- a/docs/installation-and-operations/configuration/README.md
+++ b/docs/installation-and-operations/configuration/README.md
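Review bot: `cleanup_seed_data` is called only after `seed_plugins_data` and `seed_env_data` have returned, so if either of those raises, the admin user created earlier in the run (with the `seed_admin_user_password` value, default `"admin"` per the definition.rb hunk) is left unlocked although the operator asked for it to be locked. Unless `do_seed!` runs inside a transaction that rolls the user back on failure, which this hunk does not show, consider moving the lock into an `ensure` branch guarded on the admin user having been persisted, or at least documenting that the lock is the last step. The method name also hides its only effect; a comment above it such as `# Lock the seeded admin only after all seeders ran, since the seeders appear to use it as the acting user — confirm` would tell the next reader why the lock is deferred instead of applied at creation. `do_seed!` begins before this hunk.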
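Review bot: The description of the new `seed_admin_user_locked` entry spells "can not" as two words; "cannot" is the standard form and matches the tone of the neighbouring entries. Because the lock is applied once, at the end of seeding (root_seeder.rb hunk), rather than enforced on every boot, the description would be more useful to operators if it said so, e.g. `The lock is applied at the end of seeding; it is not re-evaluated on later starts.`, with the second half to be confirmed since nothing in this diff shows the status being reset elsewhere. The `Definition` class continues outside the hunk.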
@@ -173,6 +173,18 @@ OPENPROJECT_SEED_ADMIN_USER_NAME="OpenProject Admin" # Name to assign to that us
 OPENPROJECT_SEED_ADMIN_USER_MAIL="admin@example.net" # Email attribute to assign to that user. Note that in packaged installations, a wizard step will assign this variable as well.
 ```
 
+Optionally, you can also lock the admin user that gets created right away. This is useful when you have an LDAP or SSO integration set up and you want to prevent the admin user from logging in.
+
+```shell
+
+> [!WARNING]
+> With the admin user seeding disabled, you need to have an LDAP or SSO integration set up through environment variables.
+> Otherwise, you will not be able to retain access to the system.
+
+```shell
+OPENPROJECT_SEED_ADMIN_USER_LOCKED="true"
+```
+
 ### Seeding LDAP connections
 
 OpenProject allows you to create and maintain an LDAP connection with optional synchronized group filters. This is relevant for e.g., automated deployments, where you want to trigger the synchronization right at the start.
diff --git a/modules/bim/spec/seeders/root_seeder_bim_edition_spec.rb b/modules/bim/spec/seeders/root_seeder_bim_edition_spec.rb
index 1e4870b4a904..892c1ce4ebce 100644
--- a/modules/bim/spec/seeders/root_seeder_bim_edition_spec.rb
+++ b/modules/bim/spec/seeders/root_seeder_bim_edition_spec.rb
@@ -249,4 +249,27 @@ def group_name(reference) include_examples "no email deliveries" end + + context "when admin user creation is locked with OPENPROJECT_SEED_ADMIN_USER_LOCKED=true", + :settings_reset do + shared_let(:root_seeder) { described_class.new } + + before_all do + with_env("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true") do + with_edition("bim") do + reset(:seed_admin_user_locked) + root_seeder.seed_data! + end + end + ensure + reset(:seed_admin_user_locked) + RequestStore.clear! # resets `User.current` cached result + end + + it "seeds without any errors, but locks the admin user", :aggregate_failures do + expect(Project.count).to eq 4 + expect(WorkPackage.count).to eq 76 + expect(root_seeder.admin_user).to be_locked + end + end end diff --git a/spec/seeders/admin_user_seeder_spec.rb b/spec/seeders/admin_user_seeder_spec.rb index 0dcb79608102..db1f4d1de5ef 100644 --- a/spec/seeders/admin_user_seeder_spec.rb +++ b/spec/seeders/admin_user_seeder_spec.rb @@ -56,6 +56,7 @@ seeder.seed! admin = User.admin.last + expect(admin).to be_active expect(admin.firstname).to eq "foo" expect(admin.lastname).to eq "bar" expect(admin.mail).to eq "foobar@example.com" diff --git a/spec/seeders/root_seeder_standard_edition_spec.rb b/spec/seeders/root_seeder_standard_edition_spec.rb index af0561b82d96..9f416a03afe6 100644 --- a/spec/seeders/root_seeder_standard_edition_spec.rb +++ b/spec/seeders/root_seeder_standard_edition_spec.rb 
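Review bot: The context description `"when admin user creation is locked with OPENPROJECT_SEED_ADMIN_USER_LOCKED=true"` misstates the behaviour under test: the admin user is still created and then locked (root_seeder.rb hunk), which is what `be_locked` asserts, so `"when the seeded admin user is locked with OPENPROJECT_SEED_ADMIN_USER_LOCKED=true"` would be accurate. The same wording appears in the standard-edition spec hunk in spec/seeders/root_seeder_standard_edition_spec.rb and should be changed there as well. The example only inspects the status flag; if the test suite has a login helper, one assertion that the locked admin cannot authenticate with the seeded password would state the security intent directly, but no such helper is visible in this diff.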
@@ -286,4 +286,27 @@ include_examples "no email deliveries" end + + context "when admin user creation is locked with OPENPROJECT_SEED_ADMIN_USER_LOCKED=true", + :settings_reset do + shared_let(:root_seeder) { described_class.new } + + before_all do + with_env("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true") do + with_edition("standard") do + reset(:seed_admin_user_locked) + root_seeder.seed_data! + end + end + ensure + reset(:seed_admin_user_locked) + RequestStore.clear! # resets `User.current` cached result + end + + it "seeds without any errors, but locks the admin user", :aggregate_failures do + expect(Project.count).to eq 2 + expect(WorkPackage.count).to eq 36 + expect(root_seeder.admin_user).to be_locked + end + end end