diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index c2d0cd5d0eb..e11f7e049d8 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -52,6 +52,12 @@ in
           config.environment.etc."nscd.conf".source
         ];
 
+        # We use DynamicUser because in default configurations nscd doesn't
+        # create any files that need to survive restarts. However, in some
+        # configurations, nscd needs to be started as root; it will drop
+        # privileges after all the NSS modules have read their configuration
+        # files. So prefix the ExecStart command with "!" to prevent systemd
+        # from dropping privileges early. See ExecStart in systemd.service(5).
         serviceConfig =
           { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
             Type = "forking";