diff --git a/winsup/cygwin/grp.cc b/winsup/cygwin/grp.cc
index 77cf6a72c..5f80d7aa7 100644
--- a/winsup/cygwin/grp.cc
+++ b/winsup/cygwin/grp.cc
@@ -428,10 +428,15 @@ gr_ent::enumerate_local ()
 				 ((PLOCALGROUP_INFO_0) buf)[cnt++].lgrpi0_name,
 				 sid, &slen, dom, &dlen, &acc_type))
 	    continue;
-	  if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
+	  /* Skip builtin groups if we're enumerating AD as well to avoid
+	     duplication. Don't skip "Power Users" and "Device Owners"
+	     accounts, they don't show up in AD enumeration. */
+	  if (cygheap->dom.member_machine ()
+	      && nss_db_enum_primary ()
+	      && sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
 	      && sid_sub_auth (sid, 0) == SECURITY_BUILTIN_DOMAIN_RID
-	      && cygheap->dom.member_machine ()
-	      && nss_db_enum_primary ())
+	      && sid_sub_auth (sid, 1) != DOMAIN_ALIAS_RID_POWER_USERS
+	      && sid_sub_auth (sid, 1) != DOMAIN_ALIAS_RID_DEVICE_OWNERS)
 	    continue;
 	  fetch_user_arg_t arg;
 	  arg.type = SID_arg;
diff --git a/winsup/cygwin/local_includes/winlean.h b/winsup/cygwin/local_includes/winlean.h
index 947109bde..5bf1be262 100644
--- a/winsup/cygwin/local_includes/winlean.h
+++ b/winsup/cygwin/local_includes/winlean.h
@@ -104,6 +104,10 @@ details. */
 #define FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS	0x00400000
 #endif
 
+#ifndef DOMAIN_ALIAS_RID_DEVICE_OWNERS
+#define DOMAIN_ALIAS_RID_DEVICE_OWNERS		(__MSABI_LONG(0x00000247))
+#endif
+
 /* So-called "Microsoft Account" SIDs (S-1-11-...) have a netbios domain name
    "MicrosoftAccounts".  The new "Application Container SIDs" (S-1-15-...)
    have a netbios domain name "APPLICATION PACKAGE AUTHORITY"