diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 895ecb122cb6..566398d839fd 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -100,8 +100,10 @@ in
         chgpasswd = { rootOK = true; };
       };
 
-    security.setuidPrograms = [ "passwd" "chfn" "su" "sg" "newgrp"
-      "newuidmap" "newgidmap"  # new in shadow 4.2.x
+    security.setuidPrograms = [ "su" "chfn" ]
+      ++ lib.optionals config.users.mutableUsers
+      [ "passwd" "sg" "newgrp"
+        "newuidmap" "newgidmap" # new in shadow 4.2.x
       ];
 
   };