diff --git a/CHANGELOG b/CHANGELOG
index 7fbfa5e73773cfb707491da4c2c0408f312021a6..09f2c44e02cda58d86b5c2890126070ca0c819f0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -53,6 +53,7 @@ v 8.10.0 (unreleased)
   - Fix importer for GitHub Pull Requests when a branch was reused across Pull Requests
   - Add date when user joined the team on the member page
   - Fix 404 redirect after validation fails importing a GitLab project
+  - Added setting to set new users by default as external !4545 (Dravere)
 
 v 8.9.5
   - Add more debug info to import/export and memory killer. !5108
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index cbdf285989819b6a7959eaa6d131046c169ef20e..23ba83aba0e7c942745eb9d524f18c93503d13bb 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -87,6 +87,7 @@ def application_setting_params
       :version_check_enabled,
       :admin_notification_email,
       :user_oauth_applications,
+      :user_default_external,
       :shared_runners_enabled,
       :shared_runners_text,
       :max_artifacts_size,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 7bf618d60b9a1b329d38d8f6da015b5646b0a92b..c6f77cc055f4908fb6325b41f331924562fa757a 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -142,6 +142,7 @@ def self.create_from_defaults
       send_user_confirmation_email: false,
       container_registry_token_expire_delay: 5,
       repository_storage: 'default',
+      user_default_external: false,
     )
   end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 695a47ba6eb96aedf399fcc3ce8e863145d415d4..79c670cb35ac5fd89cbb350b2d057ef1bff5e2bb 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -15,7 +15,7 @@ class User < ActiveRecord::Base
   add_authentication_token_field :authentication_token
 
   default_value_for :admin, false
-  default_value_for :external, false
+  default_value_for(:external) { current_application_settings.user_default_external }
   default_value_for :can_create_group, gitlab_config.default_can_create_group
   default_value_for :can_create_team, false
   default_value_for :hide_no_ssh_key, false
diff --git a/app/views/admin/application_settings/_form.html.haml b/app/views/admin/application_settings/_form.html.haml
index eb325576e4f99d340e900282ed7eb2d93edb0482..8de28528cda4593e9bdd0cc44c708b8063a54bf4 100644
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -100,6 +100,13 @@
           = f.label :user_oauth_applications do
             = f.check_box :user_oauth_applications
             Allow users to register any application to use GitLab as an OAuth provider
+    .form-group
+      = f.label :user_default_external, 'New users set to external', class: 'control-label col-sm-2'
+      .col-sm-10
+        .checkbox
+          = f.label :user_default_external do
+            = f.check_box :user_default_external
+            Newly registered users will by default be external
 
   %fieldset
     %legend Sign-in Restrictions
diff --git a/db/migrate/20160608211215_add_user_default_external_to_application_settings.rb b/db/migrate/20160608211215_add_user_default_external_to_application_settings.rb
new file mode 100644
index 0000000000000000000000000000000000000000..34c702e3fa62cc16378808583285a3ae4070b8a1
--- /dev/null
+++ b/db/migrate/20160608211215_add_user_default_external_to_application_settings.rb
@@ -0,0 +1,13 @@
+class AddUserDefaultExternalToApplicationSettings < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:application_settings, :user_default_external, :boolean,
+                            default: false, allow_null: false)
+  end
+
+  def down
+    remove_column(:application_settings, :user_default_external)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 68b9425253cc099ab0fe001ad5699cbbc0592f44..a5eea3a697cba601c92b28fe5578570b3b90f162 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -84,6 +84,7 @@
     t.string   "health_check_access_token"
     t.boolean  "send_user_confirmation_email",          default: false
     t.integer  "container_registry_token_expire_delay", default: 5
+    t.boolean  "user_default_external",                 default: false,        null: false
     t.text     "after_sign_up_text"
     t.string   "repository_storage",                    default: "default"
     t.string   "enabled_git_access_protocol"
diff --git a/doc/permissions/permissions.md b/doc/permissions/permissions.md
index 963b35de3a05b7752e5624bef797d91e5488dde7..44f3f6d3b1279f02ff374f5295be65cce84c7a60 100644
--- a/doc/permissions/permissions.md
+++ b/doc/permissions/permissions.md
@@ -99,3 +99,6 @@ An administrator can flag a user as external [through the API](../api/users.md)
 or by checking the checkbox on the admin panel. As an administrator, navigate
 to **Admin > Users** to create a new user or edit an existing one. There, you
 will find the option to flag the user as external.
+
+By default new users are not set as external users. This behavior can be changed
+by an administrator under **Admin > Application Settings**.
\ No newline at end of file
diff --git a/lib/gitlab/current_settings.rb b/lib/gitlab/current_settings.rb
index 54b46e5d23f8eb3571d1c0c098560dbe6a0d248c..ffc1814b29d631a7b640586a89445dd859e10aa9 100644
--- a/lib/gitlab/current_settings.rb
+++ b/lib/gitlab/current_settings.rb
@@ -48,6 +48,7 @@ def fake_application_settings
         akismet_enabled: false,
         repository_checks_enabled: true,
         container_registry_token_expire_delay: 5,
+        user_default_external: false,
       )
     end
 
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 328254ed56b738256423bb22fb1abe2dc8087658..3984b30ddf8a11f5df51fc4633537d7c3740bf0b 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -446,6 +446,7 @@
       it { expect(user.can_create_group?).to be_truthy }
       it { expect(user.can_create_project?).to be_truthy }
       it { expect(user.first_name).to eq('John') }
+      it { expect(user.external).to be_falsey }
     end
 
     describe 'with defaults' do
@@ -468,6 +469,26 @@
         expect(user.theme_id).to eq(1)
       end
     end
+
+    context 'when current_application_settings.user_default_external is true' do
+      before do
+        stub_application_setting(user_default_external: true)
+      end
+
+      it "creates external user by default" do
+        user = build(:user)
+
+        expect(user.external).to be_truthy
+      end
+
+      describe 'with default overrides' do
+        it "creates a non-external user" do
+          user = build(:user, external: false)
+
+          expect(user.external).to be_falsey
+        end
+      end
+    end
   end
 
   describe '.find_by_any_email' do