diff --git a/changelog/unreleased/builtin-regular-users.md b/changelog/unreleased/builtin-regular-users.md
new file mode 100644
index 000000000..0a4b3481b
--- /dev/null
+++ b/changelog/unreleased/builtin-regular-users.md
@@ -0,0 +1,5 @@
+Change: Set user role on builtin users
+
+We now set the default `user` role on our builtin users.
+
+https://github.com/owncloud/ocis-accounts/pull/102
diff --git a/changelog/unreleased/new-admin-user.md b/changelog/unreleased/new-admin-user.md
new file mode 100644
index 000000000..1956038d8
--- /dev/null
+++ b/changelog/unreleased/new-admin-user.md
@@ -0,0 +1,5 @@
+Change: Add new builtin admin user
+
+We added a new builtin user `moss` and assigned the admin role.
+
+https://github.com/owncloud/ocis-accounts/pull/102
diff --git a/go.mod b/go.mod
index 967bd20eb..d2e005035 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 github.com/onsi/ginkgo v1.10.1 // indirect
 github.com/onsi/gomega v1.7.0 // indirect
 github.com/owncloud/ocis-pkg/v2 v2.4.0
- github.com/owncloud/ocis-settings v0.3.0
+ github.com/owncloud/ocis-settings v0.3.2-0.20200828130413-0cc0f5bf26fe
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 github.com/restic/calens v0.2.0
 github.com/rs/zerolog v1.19.0
diff --git a/go.sum b/go.sum
index 5a7bb60bd..809fb7e6e 100644
--- a/go.sum
+++ b/go.sum
@@ -871,11 +871,14 @@ github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200812103920-db41b5a3d14d h1:eruHqxLf
 github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200812103920-db41b5a3d14d/go.mod h1:FSzIvhx9HcZcq4jgNaDowNvM7PTX/XCyoMvyfzidUpE=
 github.com/owncloud/ocis-pkg/v2 v2.3.0 h1:bdDgfPkPdL3D6bGKhQ56pfwT1XdiKBtQ34qErVyXzys=
 github.com/owncloud/ocis-pkg/v2 v2.3.0/go.mod h1:FSzIvhx9HcZcq4jgNaDowNvM7PTX/XCyoMvyfzidUpE=
+github.com/owncloud/ocis-pkg/v2 v2.4.0 h1:/3ZOd4txtwjiNKJA9iLT9BjrJw5YgHSX13fQR4BYfGY=
 github.com/owncloud/ocis-pkg/v2 v2.4.0/go.mod h1:FSzIvhx9HcZcq4jgNaDowNvM7PTX/XCyoMvyfzidUpE=
 github.com/owncloud/ocis-settings v0.2.0 h1:pncwKQQdWGyUwO/+O10vcIrgGWWBAF9/PPWOCnD0DU4=
 github.com/owncloud/ocis-settings v0.2.0/go.mod h1:7+fRwpXe+njcsO0d9Bpxx3V8ZsF99JrL6jCeD9QuxUk=
 github.com/owncloud/ocis-settings v0.3.0 h1:w1wdqJiMtRNJ5B7sQemvtFQQod31G6dR468GxAV0Y2g=
 github.com/owncloud/ocis-settings v0.3.0/go.mod h1:vRge9QDkOsc6j76gPBmZs1Z5uOPrV4DIkZCgZCEFwBA=
+github.com/owncloud/ocis-settings v0.3.2-0.20200828130413-0cc0f5bf26fe h1:kiU5lz12R0LNJE1/zI2vxesZPWm6BvSO7hvZC8yOoAc=
+github.com/owncloud/ocis-settings v0.3.2-0.20200828130413-0cc0f5bf26fe/go.mod h1:vRge9QDkOsc6j76gPBmZs1Z5uOPrV4DIkZCgZCEFwBA=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/parnurzeal/gorequest v0.2.15/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
diff --git a/pkg/proto/v0/accounts.pb.micro_test.go b/pkg/proto/v0/accounts.pb.micro_test.go
index 596d5e510..7386e0cd1 100644
--- a/pkg/proto/v0/accounts.pb.micro_test.go
+++ b/pkg/proto/v0/accounts.pb.micro_test.go
@@ -1,27 +1,26 @@ package proto_test import ( - context "context" + "context" "errors" "fmt" - "github.com/micro/go-micro/v2/client" - "google.golang.org/genproto/protobuf/field_mask" - "google.golang.org/protobuf/types/known/timestamppb" "log" "os" "path/filepath" "testing" + "github.com/golang/protobuf/ptypes/empty" + "github.com/micro/go-micro/v2/client" + merrors "github.com/micro/go-micro/v2/errors" "github.com/owncloud/ocis-accounts/pkg/command" "github.com/owncloud/ocis-accounts/pkg/config" "github.com/owncloud/ocis-accounts/pkg/proto/v0" svc "github.com/owncloud/ocis-accounts/pkg/service/v0" - "github.com/owncloud/ocis-pkg/v2/service/grpc" + settings "github.com/owncloud/ocis-settings/pkg/proto/v0" "github.com/stretchr/testify/assert" - - "github.com/golang/protobuf/ptypes/empty" - merrors "github.com/micro/go-micro/v2/errors" + "google.golang.org/genproto/protobuf/field_mask" + "google.golang.org/protobuf/types/known/timestamppb" ) var service = grpc.Service{} @@ -31,6 +30,8 @@ const dataPath = "./accounts-store" var newCreatedAccounts = []string{} var newCreatedGroups = []string{} +var mockedRoleAssignment = map[string]string{} + func getAccount(user string) *proto.Account { switch user { case "user1": @@ -165,7 +166,7 @@ func init() { var hdlr *svc.Service var err error - if hdlr, err = svc.New(svc.Logger(command.NewLogger(cfg)), svc.Config(cfg)); err != nil { + if hdlr, err = svc.New(svc.Logger(command.NewLogger(cfg)), svc.Config(cfg), svc.RoleService(buildRoleServiceMock())); err != nil { log.Fatalf("Could not create new service") } 
@@ -186,6 +187,22 @@ func init() {
 }
 }
+func buildRoleServiceMock() settings.RoleService {
+ return settings.MockRoleService{
+ AssignRoleToUserFunc: func(ctx context.Context, req *settings.AssignRoleToUserRequest, opts ...client.CallOption) (res *settings.AssignRoleToUserResponse, err error) {
+ mockedRoleAssignment[req.AccountUuid] = req.RoleId
+ fmt.Println(mockedRoleAssignment)
+ fmt.Println("asdf blablabla")
+ return &settings.AssignRoleToUserResponse{
+ Assignment: &settings.UserRoleAssignment{
+ AccountUuid: req.AccountUuid,
+ RoleId: req.RoleId,
+ },
+ }, nil
+ },
+ }
+}
+
 func cleanUp(t *testing.T) {
 datastore := filepath.Join(dataPath, "accounts")
@@ -598,7 +615,7 @@ func TestListAccounts(t *testing.T) {
 checkError(t, err)
 assert.IsType(t, &proto.ListAccountsResponse{}, resp)
- assert.Equal(t, 7, len(resp.Accounts))
+ assert.Equal(t, 8, len(resp.Accounts))
 assertResponseContainsUser(t, resp, getAccount("user1"))
 assertResponseContainsUser(t, resp, getAccount("user2"))
@@ -612,7 +629,7 @@ func TestListWithoutUserCreation(t *testing.T) {
 checkError(t, err)
 // Only 5 default users
- assert.Equal(t, 5, len(resp.Accounts))
+ assert.Equal(t, 6, len(resp.Accounts))
 cleanUp(t)
 }
diff --git a/pkg/service/v0/option.go b/pkg/service/v0/option.go
index 7126aeed4..f0c5ece76 100644
--- a/pkg/service/v0/option.go
+++ b/pkg/service/v0/option.go
@@ -3,6 +3,7 @@ package service
 import (
 "github.com/owncloud/ocis-accounts/pkg/config"
 "github.com/owncloud/ocis-pkg/v2/log"
+ settings "github.com/owncloud/ocis-settings/pkg/proto/v0"
 )
 // Option defines a single option function.
@@ -10,8 +11,9 @@ type Option func(o *Options)
 // Options defines the available options for this package.
 type Options struct {
- Logger log.Logger
- Config *config.Config
+ Logger log.Logger
+ Config *config.Config
+ RoleService settings.RoleService
 }
 func newOptions(opts ...Option) Options {
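Review bot: The mock in `buildRoleServiceMock` still carries two debug prints, `fmt.Println(mockedRoleAssignment)` and `fmt.Println("asdf blablabla")`, which should be removed before this is merged. It also records every call in the package-level `mockedRoleAssignment` map, yet nothing visible in this diff reads the map back, so the role each builtin account receives (including the admin role for the new admin user) is never asserted. Add a test that checks the recorded account-to-role pairs after the service is created, and guard the map with a `sync.Mutex` if the mock can be reached from more than one goroutine.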
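Review bot: The context comment `// Only 5 default users` in `TestListWithoutUserCreation` is now stale, because the assertion directly below it expects 6 accounts. Update it to `// Only 6 default users`, or drop the number so the comment does not drift again when the builtin list changes.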
@@ -37,3 +39,10 @@ func Config(val *config.Config) Option {
 o.Config = val
 }
 }
+
+// RoleService provides a function to set the role service option.
+func RoleService(val settings.RoleService) Option {
+ return func(o *Options) {
+ o.RoleService = val
+ }
+}
diff --git a/pkg/service/v0/service.go b/pkg/service/v0/service.go
index 8c8eaee9d..9fc2ad358 100644
--- a/pkg/service/v0/service.go
+++ b/pkg/service/v0/service.go
@@ -1,11 +1,10 @@
 package service
 import (
+ "context"
 "encoding/json"
 "errors"
 "fmt"
- mclient "github.com/micro/go-micro/v2/client"
- mgrpc "github.com/micro/go-micro/v2/client/grpc"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -18,10 +17,13 @@ import (
 "github.com/blevesearch/bleve/analysis/analyzer/standard"
 "github.com/blevesearch/bleve/analysis/token/lowercase"
 "github.com/blevesearch/bleve/analysis/tokenizer/unicode"
-
+ mclient "github.com/micro/go-micro/v2/client"
+ mgrpc "github.com/micro/go-micro/v2/client/grpc"
 "github.com/owncloud/ocis-accounts/pkg/config"
 "github.com/owncloud/ocis-accounts/pkg/proto/v0"
 "github.com/owncloud/ocis-pkg/v2/log"
+ settings "github.com/owncloud/ocis-settings/pkg/proto/v0"
+ settings_svc "github.com/owncloud/ocis-settings/pkg/service/v0"
 )
 // New returns a new instance of Service
@@ -29,6 +31,10 @@ func New(opts ...Option) (s *Service, err error) {
 options := newOptions(opts...)
 logger := options.Logger
 cfg := options.Config
+ roleService := options.RoleService
+ if roleService == nil {
+ roleService = settings.NewRoleService("com.owncloud.api.settings", mgrpc.NewClient())
+ }
 // read all user and group records
 accountsDir := filepath.Join(cfg.Server.AccountsDataPath, "accounts")
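Review bot: When no `RoleService` option is supplied, `New` silently falls back to a live client built from the literal service name `"com.owncloud.api.settings"` and a default `mgrpc.NewClient()`. A caller that simply forgets the option (a test, for instance) would then send real role-assignment requests instead of failing, and the target service cannot be changed without editing the code. Move the name into a named constant or configuration, and add a comment on the fallback such as `// no role service injected: talk to the settings service over gRPC`. Whether those calls carry any caller identity is not visible here; the body of `New` continues outside the hunk.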
@@ -100,6 +106,23 @@ func New(opts ...Option) (s *Service, err error) {
 {Id: "262982c1-2362-4afa-bfdf-8cbfef64a06e"}, // physics-lovers
 },
 },
+ // admin user(s)
+ {
+ Id: "058bff95-6708-4fe5-91e4-9ea3d377588b",
+ PreferredName: "moss",
+ OnPremisesSamAccountName: "moss",
+ Mail: "moss@example.org",
+ DisplayName: "Maurice Moss",
+ UidNumber: 20003,
+ GidNumber: 30000,
+ PasswordProfile: &proto.PasswordProfile{
+ Password: "$6$rounds=47068$lhw6odzXW0LTk/ao$GgxS.pIgP8jawLJBAiyNor2FrWzrULF95PwspRkli2W3VF.4HEwTYlQfRXbNQBMjNCEcEYlgZo3a.kRz2k2N0/",
+ },
+ AccountEnabled: true,
+ MemberOf: []*proto.Group{
+ {Id: "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa"}, // users
+ },
+ },
 // technical users for kopano and reva
 {
 Id: "820ba2a1-3f54-4538-80a4-2d73007e30bf",
@@ -135,6 +158,7 @@ func New(opts ...Option) (s *Service, err error) {
 },
 }
 for i := range accounts {
+ // create account on disk
 var bytes []byte
 if bytes, err = json.Marshal(&accounts[i]); err != nil {
 logger.Error().Err(err).Interface("account", &accounts[i]).Msg("could not marshal default account")
@@ -147,6 +171,21 @@ func New(opts ...Option) (s *Service, err error) {
 return
 }
 }
+
+ // set role for admin users and regular users
+ assignRoleToUser("058bff95-6708-4fe5-91e4-9ea3d377588b", settings_svc.BundleUUIDRoleAdmin, roleService, logger)
+ for _, accountID := range []string{
+ "058bff95-6708-4fe5-91e4-9ea3d377588b",//moss
+ } {
+ assignRoleToUser(accountID, settings_svc.BundleUUIDRoleAdmin, roleService, logger)
+ }
+ for _, accountID := range []string{
+ "4c510ada-c86b-4815-8820-42cdf82c3d51",//einstein
+ "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",//marie
+ "932b4540-8d16-481e-8ef4-588e4b6b151c",//richard
+ } {
+ assignRoleToUser(accountID, settings_svc.BundleUUIDRoleUser, roleService, logger)
+ }
 }
 } else if !fi.IsDir() {
 return nil, fmt.Errorf("%s is not a directory", accountsDir)
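Review bot: The new `moss` entry creates an enabled account (`AccountEnabled: true`) whose password hash is a literal in the source, and the last hunk of this file assigns it `settings_svc.BundleUUIDRoleAdmin`. Every installation that bootstraps its accounts from these defaults therefore starts with the same administrator credential. The other builtin accounts are outside this hunk, but a shared default on an admin-role account is a larger exposure than on a regular demo user. Gate creation of this account behind an explicit configuration switch, or take the initial admin password from configuration. Also state in `changelog/unreleased/new-admin-user.md` that the account ships enabled with a default password that must be changed.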
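Review bot: In the role-assignment block, every `assignRoleToUser` call discards the returned bool, so a failed assignment is only logged and `New` carries on. The block sits right after the loop that writes the default accounts to disk, which appears to run only when the accounts directory does not exist yet (the enclosing condition is outside the hunk). If so, a settings service that is unreachable on first start leaves the builtin accounts without roles, and nothing here retries later. Either return an error from `New` when an assignment fails or reconcile the roles on every start. The admin ID is also assigned twice, by the standalone call and again as the only element of the admin loop, so drop the standalone call; gofmt would space the trailing comments as `"058bff95-6708-4fe5-91e4-9ea3d377588b", // moss`.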
@@ -312,6 +351,18 @@ func New(opts ...Option) (s *Service, err error) {
 return
 }
+func assignRoleToUser(accountID, roleID string, rs settings.RoleService, logger log.Logger) (ok bool) {
+ _, err := rs.AssignRoleToUser(context.Background(), &settings.AssignRoleToUserRequest{
+ AccountUuid: accountID,
+ RoleId: roleID,
+ })
+ if err != nil {
+ logger.Error().Err(err).Str("accountID", accountID).Str("roleID", roleID).Msg("could not set role for account")
+ return false
+ }
+ return true
+}
+
 // Service implements the AccountsServiceHandler interface
 type Service struct {
 id string
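Review bot: `assignRoleToUser` has no doc comment and reports failure only through a bare bool, which hides from callers that a privilege assignment did not happen. Add a comment such as `// assignRoleToUser asks the role service to assign roleID to accountID; failures are logged and reported as false.`, and consider returning the `error` itself so `New` can decide whether to abort. The named result `(ok bool)` is never used by name, so a plain `bool` would do. The call is made with `context.Background()`, so any deadline depends entirely on the client's own defaults, which are not visible here; accepting a `context.Context` parameter would let the caller bound startup.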