[sudo-users] ability to su to users in AD group

Dempsey, Steve AZ steve.az.dempsey at intel.com
Thu May 25 12:59:04 MDT 2017

I do not believe this can be done with su because there is no variable substitution
possible in a command, but have done something similar as follows:

%domaingroup ALL = (%domaingroup2) ALL

People in the privileged domaingroup can run:

> sudo -u user2 -i

to get a shell as anyone in the target domaingroup2.

-----Original Message-----
From: sudo-users [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Landry, Stéphane
Sent: Thursday, May 25, 2017 10:59 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] ability to su to users in AD group


I'm trying to limit the use of su to certain users in an AD group.

For example, I need something similar to the following in the sudoers file

%domaingroup ALL=(ALL) NOPASSWD: /bin/su - username

But instead of the username which works, I need to specify the AD group which has a list of usernames that get updated regularly. In this way I can control which domain users I can su as.

I'm looking for something like

%domaingroup ALL=(ALL) NOPASSWD: /bin/su - %domaingroup2

So that the users in domaingroup can take the identities of only the users in domaingroup2


Stephane Landry

sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list