diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 7a5c074e536..4b75a9d9f0e 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -908,10 +908,8 @@ static void test_AccessCheck(void)
 PrivSet, &PrivSetLen, &Access, &AccessStatus);
 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
 err = GetLastError();
- todo_wine
 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
- todo_wine
 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
 CloseHandle(Token);
diff --git a/server/token.c b/server/token.c
index b6ba50d2254..665ed48c032 100644
--- a/server/token.c
+++ b/server/token.c
@@ -895,11 +895,15 @@ static unsigned int token_access_check( struct token *token,
 /* 4: Grant rights according to the DACL */
 ace = (const ACE_HEADER *)(dacl + 1);
- for (i = 0; i < dacl->AceCount; i++)
+ for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace ))
 {
 const ACCESS_ALLOWED_ACE *aa_ace;
 const ACCESS_DENIED_ACE *ad_ace;
 const SID *sid;
+
+ if (ace->AceFlags & INHERIT_ONLY_ACE)
+ continue;
+
+ switch (ace->AceType)
 {
 case ACCESS_DENIED_ACE_TYPE:
@@ -937,8 +941,6 @@ static unsigned int token_access_check( struct token *token,
 * rights we need */
 if (desired_access == *granted_access)
 break;
-
- ace = ace_next( ace );
 }
 done:
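Review bot: The new `INHERIT_ONLY_ACE` skip at the top of the DACL loop in server/token.c has no comment, although it decides whether an ACE counts toward the granted or denied rights at all. I would add `/* inherit-only ACEs apply only to child objects, never to the object being checked */` directly above the `if`. Because the check sits before the `switch`, it skips deny ACEs as well as allow ACEs, while the test change visible in this diff only asserts the access-denied outcome; a case with an inherit-only deny ACE would be worth adding if it is not already covered elsewhere. The body of token_access_check starts and ends outside the hunk, so any other ACE walk in that function cannot be checked for the same flag from here.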