diff --git a/files/admin_ssh_acl.ps1 b/files/admin_ssh_acl.ps1
new file mode 100644
index 0000000..33a595d
--- /dev/null
+++ b/files/admin_ssh_acl.ps1
@@ -0,0 +1,14 @@
+# Ansible Managed
+# set acl on administrators_authorized_keys
+$admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value
+$acl = Get-Acl $Env:ProgramData\ssh\administrators_authorized_keys
+$acl.SetAccessRuleProtection($true, $false)
+$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule($admins,"FullControl","Allow")
+$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
+$acl.SetAccessRule($administratorsRule)
+$acl.SetAccessRule($systemRule)
+$acl | Set-Acl
+
+[System.IO.Directory]::CreateDirectory('.ansible\status')
+attrib +h .ansible
+Add-Content -Path .ansible\status\admin_ssh_acl.txt -Value "PS2 upgrades to PS3. See https://backwesen.de/voc/win_ansible_role_winrm.git"
diff --git a/tasks/pubkeys.yml b/tasks/pubkeys.yml
index b111047..843f869 100644
--- a/tasks/pubkeys.yml
+++ b/tasks/pubkeys.yml
@@ -14,3 +14,8 @@
     src: 'templates/ssh_keys.ps1'
     dest: '.ansible\ssh_keys.ps1'
   notify: 'Install SSH Keys'
+
+- name: Set Admin SSH ACL
+  ansible.builtin.script: files/admin_ssh_acl.ps1
+  args:
+    creates: '.ansible\status\admin_ssh_acl.txt'
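Review bot: The stamp file written by the final `Add-Content` is created whether or not the ACL change succeeded, and because the calling task guards on that file with `creates:`, a single failure (for example `Get-Acl` on a not-yet-existing administrators_authorized_keys, which only raises a non-terminating error and leaves `$acl` null) is never retried while the script still exits 0. Add `$ErrorActionPreference = 'Stop'` as the first statement so any failure aborts before the stamp is written and surfaces to Ansible as a failed task. The Administrators identity is correctly resolved from `S-1-5-32-544`, but the SYSTEM rule uses the literal name, which may not resolve on localized installs; resolving it the same way from `S-1-5-18` keeps the two rules consistent. Note also that `SetAccessRuleProtection($true, $false)` only discards inherited ACEs, so any explicit ACE already on the file for another principal survives and sshd will still reject the file — consider removing non-inherited rules before adding the two new ones. The stamp text (`PS2 upgrades to PS3. See …`) appears copied from another script and does not describe this task.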
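Review bot: The `creates:` guard on the new task makes the ACL step one-shot and keyed on a stamp file rather than on the state of administrators_authorized_keys, so if that file is later rewritten or recreated with default permissions the ACL is never reapplied. The task also runs right after the template task whose `Install SSH Keys` handler presumably writes the keys file at the end of the play, so on a fresh host the ACL script may execute before the file exists, and the stamp would then block every later run. Since Set-Acl is idempotent, consider dropping `args: creates:` and letting the script run each time, or triggering it from the same handler after the file is written. The enclosing task list continues outside the hunk.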