diff --git a/docker/Dockerfile.complement b/docker/Dockerfile.complement index 4ef24d99..4c72f7d2 100644 --- a/docker/Dockerfile.complement +++ b/docker/Dockerfile.complement @@ -75,6 +75,7 @@ COPY < Result { + let server_user = services.globals.server_user.as_ref(); + + // Create a user for the server + services + .users + .create(server_user, None, None) + .await?; + + Ok(()) +} + /// Create the admin room. /// /// Users in this room are considered admins by tuwunel, and the room can be @@ -38,10 +54,9 @@ pub async fn create_admin_room(services: &Services) -> Result { // Create a user for the server let server_user = services.globals.server_user.as_ref(); - services - .users - .create(server_user, None, None) - .await?; + if !services.users.exists(server_user).await { + create_server_user(services).await?; + } let create_content = { use RoomVersionId::*; diff --git a/src/service/admin/mod.rs b/src/service/admin/mod.rs index 58031cd6..d2156845 100644 --- a/src/service/admin/mod.rs +++ b/src/service/admin/mod.rs @@ -1,5 +1,5 @@ pub mod console; -mod create; +pub mod create; mod execute; mod grant; diff --git a/src/service/migrations.rs b/src/service/migrations.rs index 8338f2d7..f69980c6 100644 --- a/src/service/migrations.rs +++ b/src/service/migrations.rs @@ -67,9 +67,11 @@ async fn fresh(services: &Services) -> Result { db["global"].insert(b"fix_readreceiptid_readreceipt_duplicates", []); // Create the admin room and server user on first run - crate::admin::create_admin_room(services) - .boxed() - .await?; + if services.config.create_admin_room { + crate::admin::create_admin_room(services) + .boxed() + .await?; + } warn!("Created new RocksDB database with version {DATABASE_VERSION}"); diff --git a/tuwunel-example.toml b/tuwunel-example.toml index a5ada457..4661355f 100644 --- a/tuwunel-example.toml +++ b/tuwunel-example.toml 
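Review bot: The `exists` guard lives in `create_admin_room`, while the new `create_server_user` still calls `services.users.create(server_user, None, None)` unconditionally, and the `mod.rs` hunk makes the `create` module public, so other callers can reach the helper without the guard. What `users.create` does to an account that already exists is not visible on this page, so it is safer to make the helper idempotent by opening it with `if services.users.exists(server_user).await { return Ok(()); }` and calling it unconditionally from `create_admin_room`. The start of the hunk that adds `create_server_user` is missing from this page, so whether it has a doc comment cannot be checked; if it has none, add a `///` line saying when it is expected to be called.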
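Review bot: With `create_admin_room = false` the block in `fresh` is skipped silently, and the comment above it still says the admin room and server user are created on first run. `fresh` appears to run only for a new database, so a deployment started once with the flag off would presumably not get an admin room just by turning it back on. Since the example config says users should not disable it, log the skip explicitly, e.g. `else { warn!("create_admin_room is disabled; skipping admin room creation"); }`, and reword the comment to `// Create the admin room and server user on first run unless disabled by config`. `fresh` starts and ends outside the hunk.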
@@ -1450,6 +1450,19 @@
 #
 #admin_room_tag = "m.server_notice"
 
+# Whether to grant the first user to register admin privileges by joining
+# them to the admin room. Note that technically the next user to register
+# when the admin room is empty (or only contains the server-user) is
+# granted, and only when the admin room is enabled.
+#
+#grant_admin_to_first_user = true
+
+# Whether the admin room is created on first startup. Users should not set
+# this to false. Developers can set this to false during integration tests
+# to reduce activity and output.
+#
+#create_admin_room = true
+
 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
 # This is NOT enabled by default. tuwunel's default Sentry reporting
 # endpoint domain is `o4509498990067712.ingest.us.sentry.io`.
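Review bot: The comment on `grant_admin_to_first_user` describes the mechanism but not the consequence for operators: per its own text, whoever registers next while the admin room is empty becomes an admin, and the documented default is `true`. Say so in the comment, for example `# If registration is open to the public, register your own account first or set this to false.` The `create_admin_room` comment could likewise state what is lost when it is false (no admin room, so presumably no first-user grant), since the first comment says the grant applies only when the admin room is enabled.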