diff --git a/setup.sh b/setup.sh
index febc3e1..b801090 100755
--- a/setup.sh
+++ b/setup.sh
@@ -455,9 +455,18 @@ configure_security() {
 log "Locking root password..."
 passwd -l root
- # Lock sysadmin password
- log "Locking sysadmin password..."
- passwd -l "$SYSADMIN_USER"
+ # Lock sysadmin password only if an additional user was successfully created/configured
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ # Verify the additional user actually exists and can be used
+ if id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
+ log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
+ passwd -l "$SYSADMIN_USER"
+ else
+ warn "Additional user $ADDITIONAL_USER not properly configured - keeping sysadmin password unlocked for safety"
+ fi
+ else
+ warn "No additional user created - keeping sysadmin password unlocked for access"
+ fi
 # Configure firewall if requested
 if [[ "$USE_UFW" == "yes" ]]; then
@@ -630,7 +639,13 @@ finalize_setup() {
 echo -e "${YELLOW}• Root SSH login: DISABLED${NC}"
 echo -e "${YELLOW}• Root password: LOCKED${NC}"
 echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}"
- echo -e "${YELLOW}• Sysadmin password: LOCKED${NC}"
+
+ # Show sysadmin password status based on actual configuration
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] && id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
+ echo -e "${YELLOW}• Sysadmin password: LOCKED (additional user available)${NC}"
+ else
+ echo -e "${RED}• Sysadmin password: UNLOCKED (no additional user or failed setup)${NC}"
+ fi
 echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}"
 if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then
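Review bot: The sudo-membership test `getent group sudo | grep -q "$ADDITIONAL_USER"` in the configure_security hunk is an unanchored regex/substring match over the whole group line, so a name like `ann` is satisfied by an existing member `joanna` (and regex metacharacters in the name match arbitrarily), which means `passwd -l "$SYSADMIN_USER"` can run on the strength of the wrong account and leave the box without a usable sudo login. An exact membership check such as `id -nG "$ADDITIONAL_USER" | tr ' ' '\n' | grep -qxF -- sudo` closes that gap and still fails safe (sysadmin stays unlocked) when the group is not `sudo` on the host. The identical expression is repeated verbatim in the finalize_setup hunk; since the lock decision and the printed summary must agree, factor the test into one helper (placed above configure_security, outside this hunk) and call it from both sites. Both configure_security and finalize_setup begin and end outside their hunks.
```shell
# True when the additional user exists and is an exact member of the sudo group.
additional_user_usable() {
  [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] || return 1
  id "$ADDITIONAL_USER" &>/dev/null || return 1
  id -nG "$ADDITIONAL_USER" | tr ' ' '\n' | grep -qxF -- sudo
}

# … in configure_security, replacing the nested if/else:
if additional_user_usable; then
  log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
  passwd -l "$SYSADMIN_USER"
else
  warn "Additional user not available - keeping sysadmin password unlocked for safety"
fi
# … unchanged: firewall configuration …
```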