diff --git a/winsup/cygwin/release/2.12.0 b/winsup/cygwin/release/2.12.0
index 5835952ee..c2abc9329 100644
--- a/winsup/cygwin/release/2.12.0
+++ b/winsup/cygwin/release/2.12.0
@@ -81,3 +81,6 @@ Bug Fixes
 - Fix thread names in GDB when cygthreads get reused.
 
 - Fix return value of gethostname in a border case.
+
+- Disallow seteuid on disabled or locked out accounts.
+  Addresses: https://cygwin.com/ml/cygwin/2019-01/msg00197.html
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index d4c2701da..8fdfa3a86 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -553,6 +553,21 @@ get_server_groups (cygsidlist &grp_list, PSID usersid)
       && sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE
       && get_logon_server (domain, server, DS_IS_FLAT_NAME))
     {
+      NET_API_STATUS napi_stat;
+      USER_INFO_1 *ui1;
+      bool allow_user = false;
+
+      napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1);
+      if (napi_stat == NERR_Success)
+	allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
+      if (ui1)
+	NetApiBufferFree (ui1);
+      if (!allow_user)
+	{
+	  debug_printf ("User denied: %W\\%W", domain, user);
+	  set_errno (EACCES);
+	  return false;
+	}
       get_user_groups (server, grp_list, user, domain);
       get_user_local_groups (server, domain, grp_list, user);
     }