diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 4abad85a2..0982043ab 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2006-08-31  Corinna Vinschen  <corinna@vinschen.de>
+
+	* grp.cc (initgroups32): Run get_server_groups under original token.
+	* syscalls.cc (seteuid32): Slightly reorganize code creating a token.
+
 2006-08-27  Christopher Faylor  <cgf@timesys.com>
 
 	* child_info.h (child_info_spawn::~child_info_spawn): Don't close
diff --git a/winsup/cygwin/grp.cc b/winsup/cygwin/grp.cc
index c59f25fc0..20698ad5f 100644
--- a/winsup/cygwin/grp.cc
+++ b/winsup/cygwin/grp.cc
@@ -471,6 +471,7 @@ initgroups32 (const char *name, __gid32_t gid)
   if (wincap.has_security ())
     {
       ret = -1;
+      cygheap->user.deimpersonate ();
       struct passwd *pw = internal_getpwnam (name);
       struct __group32 *gr = internal_getgrgid (gid);
       cygsid usersid, grpsid;
@@ -492,6 +493,8 @@ initgroups32 (const char *name, __gid32_t gid)
   ret = 0;
 
  out:
+  if (wincap.has_security ())
+    cygheap->user.reimpersonate ();
   syscall_printf ( "%d = initgroups (%s, %u)", ret, name, gid);
   return ret;
 }
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index c56cb58f0..66839be95 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -2205,27 +2205,25 @@ seteuid32 (__uid32_t uid)
   if (new_token == INVALID_HANDLE_VALUE)
     {
       new_token = subauth (pw_new);
-      if (new_token == INVALID_HANDLE_VALUE)
+      debug_printf ("subauth %s, try create_token.",
+		    new_token == INVALID_HANDLE_VALUE ? "failed" : "succeeded");
+      HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token);
+      if (new_token2 == INVALID_HANDLE_VALUE)
 	{
-	  debug_printf ("subauthentication failed, try create token.");
-	  new_token = create_token (usersid, groups, pw_new, NULL);
 	  if (new_token == INVALID_HANDLE_VALUE)
 	    {
+	      debug_printf ("create_token failed, bail out of here");
 	      cygheap->user.reimpersonate ();
 	      return -1;
 	    }
+	  debug_printf ("create_token failed, use original subauth token");
 	}
       else
         {
-	  debug_printf ("subauthentication succeeded, try create token.");
-	  HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token);
-	  if (new_token2 == INVALID_HANDLE_VALUE)
-	    debug_printf ("create token failed, use original token");
-	  else
-	    {
-	      CloseHandle (new_token);
-	      new_token = new_token2;
-	    }
+	  debug_printf ("create_token succeeded");
+	  if (new_token != INVALID_HANDLE_VALUE)
+	    CloseHandle (new_token);
+	  new_token = new_token2;
 	}
       /* Keep at most one internal token */
       if (cygheap->user.internal_token != NO_IMPERSONATION)