Manage users role excluding one user

I’m trying to configure a role that can manage users and roles in the realm except for one user (“admin”).

This role should be able to create new users, new groups and assign users to the groups. But this role should be unable to delete or change the password for the “admin” user.
When I assign manage-users permission, the role can manage users and groups but I can not exclude admin user (or can I?). When I configure fine-grained permissions, I can exclude admin user but group management is not allowed (there is only “manage-group-membership” permission, I’m missing something like “manage-groups” permission).
Is there any way to achieve this requirement?
I need this “admin” user for the synchronization with the external applications (clients).