diff --git a/nixos/tests/common/user-account.nix b/nixos/tests/common/user-account.nix
index ded8275000a..93aeb60e456 100644
--- a/nixos/tests/common/user-account.nix
+++ b/nixos/tests/common/user-account.nix
@@ -1,9 +1,14 @@
 { lib, ... }:
 
-{ users.extraUsers = lib.singleton
+{ users.extraUsers.alice =
     { isNormalUser = true;
-      name = "alice";
       description = "Alice Foobar";
       password = "foobar";
     };
+
+  users.extraUsers.bob =
+    { isNormalUser = true;
+      description = "Bob Foobar";
+      password = "foobar";
+    };
 }
diff --git a/nixos/tests/xfce.nix b/nixos/tests/xfce.nix
index 9f1f997db5f..c8b18f12265 100644
--- a/nixos/tests/xfce.nix
+++ b/nixos/tests/xfce.nix
@@ -15,6 +15,8 @@ import ./make-test.nix ({ pkgs, ...} : {
       services.xserver.displayManager.auto.user = "alice";
 
       services.xserver.desktopManager.xfce.enable = true;
+
+      environment.systemPackages = [ pkgs.xorg.xmessage ];
     };
 
   testScript =
@@ -32,5 +34,9 @@ import ./make-test.nix ({ pkgs, ...} : {
       $machine->waitForWindow(qr/Terminal/);
       $machine->sleep(10);
       $machine->screenshot("screen");
+
+      # Ensure that the X server does proper access control.
+      $machine->mustFail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'");
+      $machine->mustFail("su - bob -c 'DISPLAY=:0 xmessage Foo'");
     '';
 })