diff --git a/src/routes/test/cloudron-test.js b/src/routes/test/cloudron-test.js index 3ce1a067b..15ba31e32 100644 --- a/src/routes/test/cloudron-test.js +++ b/src/routes/test/cloudron-test.js 
@@ -52,6 +52,142 @@ describe('Cloudron API', function () { }); }); + describe('account setup', function () { + it('succeeds without pre-set username and display name', async function () { + const USER = { + email: 'setup1@account.com', + password: 'test?!3434543534', + username: 'setupuser1', + displayName: 'setup user1', + }; + + const response = await superagent.post(`${serverUrl}/api/v1/users`) + .query({ access_token: owner.token }) + .send({ email: USER.email }); + expect(response.statusCode).to.equal(201); + USER.id = response.body.id; + + const response2 = await superagent.get(`${serverUrl}/api/v1/users/${USER.id}/invite_link`) + .query({ access_token: owner.token }) + .ok(() => true); + expect(response2.statusCode).to.equal(200); + + const response3 = await superagent.post(`${serverUrl}/api/v1/cloudron/setup_account`) + .send({ + inviteToken: require('url').parse(response2.body.inviteLink, true).query.inviteToken, + password: USER.password, + username: USER.username, + displayName: USER.displayName + }) + .ok(() => true); + expect(response3.statusCode).to.equal(201); + expect(response3.body.accessToken).to.be.a('string'); + + const response4 = await superagent.get(`${serverUrl}/api/v1/users/${USER.id}`) + .query({ access_token: owner.token }) + .ok(() => true); + + expect(response4.statusCode).to.equal(200); + expect(response4.body.username).to.equal(USER.username); + expect(response4.body.displayName).to.equal(USER.displayName); + + const response5 = await superagent.post(`${serverUrl}/api/v1/cloudron/login`) + .send({ username: USER.username, password: USER.password }); + expect(response5.statusCode).to.equal(200); + }); + + it('succeeds and overwrites with pre-set username and display name', async function () { + const USER = { + email: 'setup2@account.com', + password: 'test?!3434543534', + username: 'setupuser2', + displayName: 'setup user2', + }; + + const response = await superagent.post(`${serverUrl}/api/v1/users`) + .query({ access_token: 
owner.token }) + .send({ email: USER.email, username: 'presetup', displayName: 'pre setup' }); + expect(response.statusCode).to.equal(201); + USER.id = response.body.id; + + const response2 = await superagent.get(`${serverUrl}/api/v1/users/${USER.id}/invite_link`) + .query({ access_token: owner.token }) + .ok(() => true); + expect(response2.statusCode).to.equal(200); + + const response3 = await superagent.post(`${serverUrl}/api/v1/cloudron/setup_account`) + .send({ + inviteToken: require('url').parse(response2.body.inviteLink, true).query.inviteToken, + password: USER.password, + username: USER.username, + displayName: USER.displayName + }) + .ok(() => true); + expect(response3.statusCode).to.equal(201); + expect(response3.body.accessToken).to.be.a('string'); + + const response4 = await superagent.get(`${serverUrl}/api/v1/users/${USER.id}`) + .query({ access_token: owner.token }) + .ok(() => true); + + expect(response4.statusCode).to.equal(200); + expect(response4.body.username).to.equal(USER.username); + expect(response4.body.displayName).to.equal(USER.displayName); + + const response5 = await superagent.post(`${serverUrl}/api/v1/cloudron/login`) + .send({ username: USER.username, password: USER.password }); + expect(response5.statusCode).to.equal(200); + }); + + it('succeeds and does not overwrite pre-set username and display name if profiles are locked', async function () { + const USER = { + email: 'setup3@account.com', + password: 'test?!3434543534', + username: 'setupuser3', + displayName: 'setup user3', + }; + + const response0 = await superagent.post(`${serverUrl}/api/v1/settings/directory_config`) + .query({ access_token: owner.token }) + .send({ lockUserProfiles: true, mandatory2FA: false }); + expect(response0.statusCode).to.equal(200); + + const response = await superagent.post(`${serverUrl}/api/v1/users`) + .query({ access_token: owner.token }) + .send({ email: USER.email, username: 'presetup', displayName: 'pre setup' }); + 
expect(response.statusCode).to.equal(201); + USER.id = response.body.id; + + const response2 = await superagent.get(`${serverUrl}/api/v1/users/${USER.id}/invite_link`) + .query({ access_token: owner.token }) + .ok(() => true); + expect(response2.statusCode).to.equal(200); + + const response3 = await superagent.post(`${serverUrl}/api/v1/cloudron/setup_account`) + .send({ + inviteToken: require('url').parse(response2.body.inviteLink, true).query.inviteToken, + password: USER.password, + username: USER.username, + displayName: USER.displayName + }) + .ok(() => true); + expect(response3.statusCode).to.equal(201); + expect(response3.body.accessToken).to.be.a('string'); + + const response4 = await superagent.get(`${serverUrl}/api/v1/users/${USER.id}`) + .query({ access_token: owner.token }) + .ok(() => true); + + expect(response4.statusCode).to.equal(200); + expect(response4.body.username).to.equal('presetup'); + expect(response4.body.displayName).to.equal('pre setup'); + + const response5 = await superagent.post(`${serverUrl}/api/v1/cloudron/login`) + .send({ username: 'presetup', password: USER.password }); + expect(response5.statusCode).to.equal(200); + }); + }); + describe('login', function () { it('cannot login without body', async function () { const response = await superagent.post(`${serverUrl}/api/v1/cloudron/login`) diff --git a/src/users.js b/src/users.js index 8def089eb..f1165c65b 100644 --- a/src/users.js +++ b/src/users.js 
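Review bot: The locked-profiles test checks that the password works afterwards but never checks that the invite token stops working, which is the security-relevant half of what `setupAccount` now does in that mode. After the successful `setup_account` call in 'succeeds and does not overwrite pre-set username and display name if profiles are locked', a second POST with the same `inviteToken` should be asserted to fail. The rejection status is not visible in this diff, so the sketch below only asserts that it is not 201. The same test also sets `lockUserProfiles: true` through `/api/v1/settings/directory_config` and never restores it, so the `login` suite that follows in the file runs with profiles locked; unlocking at the end of the test or in an `after` hook would keep the suites order-independent.

```javascript
// … unchanged: user creation, invite link fetch, first setup_account call, profile and login checks …

// the invite token must be single-use, also when profiles are locked
const inviteToken = require('url').parse(response2.body.inviteLink, true).query.inviteToken;
const replay = await superagent.post(`${serverUrl}/api/v1/cloudron/setup_account`)
    .send({ inviteToken, password: USER.password, username: USER.username, displayName: USER.displayName })
    .ok(() => true);
expect(replay.statusCode).to.not.equal(201);

// unlock profiles again so later suites are not affected by this test
const restore = await superagent.post(`${serverUrl}/api/v1/settings/directory_config`)
    .query({ access_token: owner.token })
    .send({ lockUserProfiles: false, mandatory2FA: false });
expect(restore.statusCode).to.equal(200);
```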
@@ -782,9 +782,15 @@ async function setupAccount(user, data, auditSource) { assert(auditSource && typeof auditSource === 'object'); const directoryConfig = await settings.getDirectoryConfig(); - if (directoryConfig.lockUserProfiles) return; - await update(user, { username: data.username, displayName: data.displayName, inviteToken: '' }, auditSource); + var tmp = { inviteToken: '' }; + + if (!directoryConfig.lockUserProfiles) { + tmp.username = data.username; + tmp.displayName = data.displayName; + } + + await update(user, tmp, auditSource); await setPassword(user, data.password, auditSource);
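Review bot: `update()` clears `inviteToken` before `setPassword()` runs, so if `setPassword` rejects (it presumably validates `data.password`; its body is not in this hunk) the invite is already consumed and the account is left with no password and no usable link. Consider validating the password before the `update` call, or record the intent with a comment such as `// invite is invalidated first on purpose; a failed setPassword requires a new invite`. On style, `var tmp` would read better as `const profileUpdate = { inviteToken: '' };`, since the binding is never reassigned. `setupAccount` starts before this hunk and continues after it.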