diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index f645031a0..ce198e2df 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-16  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_acl.cc (set_posix_access): Replace previous patch.  Return
+	EINVAL if uid and/or guid is invalid and not backed by an actual
+	Windows account.
+
 2015-04-16  Corinna Vinschen  <corinna@vinschen.de>
 
 	* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 6c96977b7..58683cf9a 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -154,6 +154,11 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
   /* Fetch owner and group and set in security descriptor. */
   owner = sidfromuid (uid, &cldap);
   group = sidfromgid (gid, &cldap);
+  if (!owner || !group)
+    {
+      set_errno (EINVAL);
+      return NULL;
+    }
   status = RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
   if (!NT_SUCCESS (status))
     {
@@ -166,10 +171,9 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
       __seterrno_from_nt_status (status);
       return NULL;
     }
-  /* If the account DBs are broken, we might end up without SIDs.  Better
-     check them here. */
-  if (owner && group)
-    owner_eq_group = RtlEqualSid (owner, group);
+  owner_eq_group = RtlEqualSid (owner, group);
+
+
 
   /* No POSIX ACL?  Use attr to generate one from scratch. */
   if (!aclbufp)