Adding AD domain groups to /etc/sudoers
A recent discussion on the MacEnterprise list focused around how to give members of Active Directory groups the ability to run commands as root using the sudo command-line utility. This would allow the users in those groups the ability to run some or all commands with root privileges in Terminal without having to give those accounts administrative privileges on the Mac in question.
To do this, you would need to add an entry to the /etc/sudoers file. /etc/sudoers gives listed users or groups the ability to execute commands while having the privileges of the root user.
To edit /etc/sudoers safely, make sure to use the visudo utility. This application will do a sanity check on your changes to /etc/sudoers before putting them into production.
visudo uses vi as its editor. If you haven’t used vi previously, I recommend doing some research on vi commands before launching visudo.
Adding entries to /etc/sudoers
Adding the following entry to /etc/sudoers would allow you to give full sudo permissions to an AD group named ITadmins:
%DOMAIN\\ITadmins ALL=(ALL) ALL
Because a number of AD groups have spaces in the names, you’ll need to escape the spaces using backslashes. For example. adding the following entry to /etc/sudoers would allow you to give full sudo permissions to an AD group named Group Name With Spaces:
%DOMAIN\\Group\ Name\ With\ Spaces ALL=(ALL) ALL
In both cases, replace DOMAIN with your AD domain’s name.