diff --git a/reactos/base/system/winlogon/sas.c b/reactos/base/system/winlogon/sas.c
index 38a0f72accb..24cf2d25722 100644
--- a/reactos/base/system/winlogon/sas.c
+++ b/reactos/base/system/winlogon/sas.c
@@ -1007,6 +1007,11 @@ DoGenericAction(
 
 DWORD WINAPI SetWindowStationUser(HWINSTA hWinSta, LUID* pluid, PSID psid, DWORD sidSize);
 
+BOOL
+AddAceToWindowStation(
+    IN HWINSTA WinSta,
+    IN PSID Sid);
+
 static
 BOOL AllowWinstaAccess(PWLSESSION Session)
 {
@@ -1069,6 +1074,8 @@ BOOL AllowWinstaAccess(PWLSESSION Session)
         goto Cleanup;
     }
 
+    AddAceToWindowStation(Session->InteractiveWindowStation, psid);
+
     ret = SetWindowStationUser(Session->InteractiveWindowStation,
                                &Stats.AuthenticationId,
                                psid,
diff --git a/reactos/base/system/winlogon/wlx.c b/reactos/base/system/winlogon/wlx.c
index 03f732636f5..4f3caad2901 100644
--- a/reactos/base/system/winlogon/wlx.c
+++ b/reactos/base/system/winlogon/wlx.c
@@ -1235,7 +1235,7 @@ CreateWindowStationAndDesktops(
     Session->InteractiveWindowStation = CreateWindowStationW(
         Session->InteractiveWindowStationName,
         0,
-        GENERIC_ALL,
+        MAXIMUM_ALLOWED,
         &DefaultSecurity);
     if (!Session->InteractiveWindowStation)
     {
@@ -1256,7 +1256,7 @@ CreateWindowStationAndDesktops(
         NULL,
         NULL,
         0, /* FIXME: Add DF_ALLOWOTHERACCOUNTHOOK flag? */
-        GENERIC_ALL,
+        MAXIMUM_ALLOWED,
         &UserDesktopSecurity);
     if (!Session->ApplicationDesktop)
     {
@@ -1272,7 +1272,7 @@ CreateWindowStationAndDesktops(
         NULL,
         NULL,
         0,
-        GENERIC_ALL,
+        MAXIMUM_ALLOWED,
         &DefaultSecurity);
     if (!Session->WinlogonDesktop)
     {
@@ -1288,7 +1288,7 @@ CreateWindowStationAndDesktops(
         NULL,
         NULL,
         0,
-        GENERIC_ALL,
+        MAXIMUM_ALLOWED,
         &DefaultSecurity);
     if(!Session->ScreenSaverDesktop)
     {