diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 0370760ea..bdfd47175 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,9 @@
+2001-12-29  Corinna Vinschen  <corinna@vinschen.de>
+
+	* security.cc (open_local_policy): Initialize lsa handle to NULL.
+	Request only needed access rights in call to LsaOpenPolicy().
+	(create_token): Check for NULL lsa pointer.
+
 2001-12-28  Corinna Vinschen  <corinna@vinschen.de>
 
 	* cygwin.din: Add symbols for endutent(), getutent(), getutid(),
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index cf30386e8..3147c8abe 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -181,9 +181,10 @@ static LSA_HANDLE
 open_local_policy ()
 {
   LSA_OBJECT_ATTRIBUTES oa = { 0, 0, 0, 0, 0, 0 };
-  LSA_HANDLE lsa = INVALID_HANDLE_VALUE;
+  LSA_HANDLE lsa = NULL;
 
-  NTSTATUS ret = LsaOpenPolicy(NULL, &oa, POLICY_ALL_ACCESS, &lsa);
+  NTSTATUS ret = LsaOpenPolicy(NULL, &oa, POLICY_VIEW_LOCAL_INFORMATION
+  					  | POLICY_LOOKUP_NAMES, &lsa);
   if (ret != STATUS_SUCCESS)
     set_errno (LsaNtStatusToWinError (ret));
   return lsa;
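Review bot: The failure branch after `LsaOpenPolicy` still returns `lsa` unchanged, so the new NULL test in `create_token` (second hunk) is only reliable if the API leaves the out-parameter untouched when it fails. Making the contract explicit costs one statement: `if (ret != STATUS_SUCCESS) { set_errno (LsaNtStatusToWinError (ret)); lsa = NULL; }`. The narrowed access mask is a sound least-privilege change, but it should carry a comment such as `/* Request only view and lookup rights; widen the mask if a caller needs more. */`, so that a later access-denied status from an Lsa call on this handle can be traced back here. The end of open_local_policy lies outside the hunk.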
@@ -739,7 +740,7 @@ create_token (cygsid &usersid, cygsid &pgrpsid)
     goto out;
 
   /* Open policy object. */
-  if ((lsa = open_local_policy ()) == INVALID_HANDLE_VALUE)
+  if (!(lsa = open_local_policy ()))
     goto out;
 
   /* Get logon server. */
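Review bot: The "policy not opened" sentinel changes from `INVALID_HANDLE_VALUE` to NULL on this line, but the declaration of `lsa` in create_token and the cleanup at `out:` are outside the hunk and do not appear anywhere in this diff. If either still initialises to or compares against `INVALID_HANDLE_VALUE`, this failure path would reach cleanup with a NULL handle that the old test treats as open. The earlier `goto out` at the top of the hunk would also arrive with a different "unopened" value than this one. It is worth confirming that both sites use NULL, for example `LSA_HANDLE lsa = NULL;` at the declaration and `if (lsa) LsaClose (lsa);` in the cleanup.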