Giving AD Domain Admins Root Access in Linux


The sudo command makes it very easy to give the Domain Admins, or any Active Directory group, root access on Linux workstations and servers.

The big prerequisite is that you have to have Samba and Winbind properly set up to authenticate your Linux boxes against Active Directory. Read Samba’s documentation[1][2] and refer to my InteropWiki notes for help.

Once you’re able to log in to Linux as an Active Directory user, running the id command should display something like this:

michael@mail:~$ id
uid=13930(michael) gid=10512(domain admins) groups=10512(domain admins),10513(domain users),11006(teachers),11607(sti everyone 2),11608(sti jr. high),11609(sti high school),11610(sti grade school)

Where groups=… is a list of the Active Directory groups of which your user is a member.

Run the visudo command as root:

michael@mail:~$ su -
Password: -root's password-
mail:~# visudo

In the editor (probably vim or nano) scroll to the end and add the following line:

%domain\ admins ALL= ALL

The % sign means the name that follows is a group name, and the backslash is needed to escape the space in group names that contain spaces. Vim’s syntax highlighting doesn’t seem to parse the group name properly after the backslash, but sudo will know what you’re talking about.

Save the file, exit the editor, and now all of your Domain Admins have root access!
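As an added audit helper (not part of the original post), the following script reads the groups from a user's id output and matches them against %group entries in a sudoers excerpt, handling the backslash-escaped spaces discussed above, to report which AD groups give that user unrestricted root. The id output and sudoers excerpt are constructed samples, and the parser only handles simple one-line %group entries (no aliases, Defaults or includes).

```python
import re
from typing import List, Tuple

# Constructed sample: `id` output for an AD user (not taken from a real host)
ID_OUTPUT = ("uid=13930(michael) gid=10512(domain admins) "
             "groups=10512(domain admins),10513(domain users),11006(teachers)")

# Constructed sudoers excerpt; backslashes escape spaces in group names
SUDOERS = r"""
# constructed example, not a real sudoers file
root    ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%domain\ admins ALL= ALL
%sti\ high\ school ALL=(ALL) /usr/bin/aptitude
"""

def groups_from_id(id_output: str) -> List[str]:
    """Return the group names listed in the groups=... part of `id` output."""
    m = re.search(r"groups=(.*)$", id_output)
    if not m:
        return []
    return re.findall(r"\d+\(([^)]*)\)", m.group(1))

def parse_sudoers_group_entries(text: str) -> List[Tuple[str, str]]:
    """Return (group_name, spec) for each %group line, unescaping '\\ '."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("%"):
            continue
        # the group field ends at the first unescaped whitespace
        m = re.match(r"%((?:\\.|\S)+)\s+(.*)$", line)
        if not m:
            continue
        name = re.sub(r"\\(.)", r"\1", m.group(1))  # drop escape backslashes
        entries.append((name, m.group(2)))
    return entries

def root_granting_groups(id_output: str, sudoers: str) -> List[str]:
    """Groups of this user whose sudoers entry allows ALL commands."""
    groups = set(groups_from_id(id_output))
    hits = []
    for name, spec in parse_sudoers_group_entries(sudoers):
        cmd = spec.split("=", 1)[1].strip()           # drop the host list
        cmd = re.sub(r"^\([^)]*\)\s*", "", cmd)       # drop the (runas) list
        if name in groups and cmd == "ALL":
            hits.append(name)
    return hits
```

Running root_granting_groups(ID_OUTPUT, SUDOERS) on the sample reports only "domain admins", since the "sti high school" entry is limited to one command and the user is not in %sudo.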

To run a command as root simply prepend the sudo command:

michael@mail:~$ sudo aptitude

You’ll be asked to enter your password (not root’s!) only once as long as you continue to use sudo within a specific timeout period.