diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 1917f1f123..576414d193 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -652,6 +652,9 @@ PATH =
 ;; Default value for AllowCreateOrganization
 ;; Every new user will have rights set to create organizations depending on this setting
 ;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;; Default value for IsRestricted
+;; Every new user will have restricted permissions depending on this setting
+;DEFAULT_USER_IS_RESTRICTED = false
 ;;
 ;; Either "public", "limited" or "private", default is "public"
 ;; Limited is for users visible only to signed users
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 1ec5164662..274c97543a 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -502,6 +502,7 @@ relation to port exhaustion.
 - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
+- `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
 - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
 - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
 - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.
diff --git a/integrations/signup_test.go b/integrations/signup_test.go
index 5208a42ce5..66ff8ac2d7 100644
--- a/integrations/signup_test.go
+++ b/integrations/signup_test.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/stretchr/testify/assert"
 	"github.com/unknwon/i18n"
@@ -33,6 +34,28 @@ func TestSignup(t *testing.T) {
 	MakeRequest(t, req, http.StatusOK)
 }
 
+func TestSignupAsRestricted(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	setting.Service.EnableCaptcha = false
+	setting.Service.DefaultUserIsRestricted = true
+
+	req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
+		"user_name": "restrictedUser",
+		"email":     "restrictedUser@example.com",
+		"password":  "examplePassword!1",
+		"retype":    "examplePassword!1",
+	})
+	MakeRequest(t, req, http.StatusFound)
+
+	// should be able to view new user's page
+	req = NewRequest(t, "GET", "/restrictedUser")
+	MakeRequest(t, req, http.StatusOK)
+
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{Name: "restrictedUser"}).(*models.User)
+	assert.True(t, user2.IsRestricted)
+}
+
 func TestSignupEmail(t *testing.T) {
 	defer prepareTestEnv(t)()
 
diff --git a/modules/setting/service.go b/modules/setting/service.go
index dbabfb8400..a391926382 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -49,6 +49,7 @@ var Service = struct {
 	HcaptchaSitekey                         string
 	DefaultKeepEmailPrivate                 bool
 	DefaultAllowCreateOrganization          bool
+	DefaultUserIsRestricted                 bool
 	EnableTimetracking                      bool
 	DefaultEnableTimetracking               bool
 	DefaultEnableDependencies               bool
@@ -134,6 +135,7 @@ func newService() {
 	Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("")
 	Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool()
 	Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true)
+	Service.DefaultUserIsRestricted = sec.Key("DEFAULT_USER_IS_RESTRICTED").MustBool(false)
 	Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true)
 	if Service.EnableTimetracking {
 		Service.DefaultEnableTimetracking = sec.Key("DEFAULT_ENABLE_TIMETRACKING").MustBool(true)
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
index 4095d2956e..7a205853bd 100644
--- a/routers/web/user/auth.go
+++ b/routers/web/user/auth.go
@@ -1204,10 +1204,11 @@ func SignUpPost(ctx *context.Context) {
 	}
 
 	u := &models.User{
-		Name:     form.UserName,
-		Email:    form.Email,
-		Passwd:   form.Password,
-		IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+		Name:         form.UserName,
+		Email:        form.Email,
+		Passwd:       form.Password,
+		IsActive:     !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+		IsRestricted: setting.Service.DefaultUserIsRestricted,
 	}
 
 	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {