diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 61d367530..f3c6bad29 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (verify_token): Allow builtin groups missing in a token
+	and it's still valid.  Explain why.
+
 2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
 
 	* autoload.cc (DsGetDcNameW): Replace DsGetDcNameA.
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index b2f1fe77d..db76fcd79 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 		  goto done;
 #endif
 	      }
-	  /* user.sgsids groups must be in the token */
+	  /* user.sgsids groups must be in the token, except for builtin groups.
+	     These can be different on domain member machines compared to
+	     domain controllers, so these builtin groups may be validly missing
+	     from a token created through password or lsaauth logon. */
 	  for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
-	    if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+	    if (!saw[gidx]
+	    	&& !groups.sgsids.sids[gidx].is_well_known_sid ()
+		&& !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
 	      goto done;
 	}
       /* The primary group must be in the token */