Unable to sudo with AD admin group

Question

Since updating to 10.15.3 we have been unable to sudo using an AD admin group.  After the update we noticed that the admin accounts were not able to elevate.  Running dsconfigad -groups &#034;DOMAINdomain admins&#034; has fixed the elevation issue but we are still getting &#034;account is not in the sudoers file...&#034; when we try to sudo.

I have followed various guides trying to fix this and basically where I have ended up is, if I put a username in the sudoers file it works but if I put an AD group in it doesn't.

I am using a command sent from jamf to create a file in sudoers.d and then echo the group in like this: touch /etc/sudoers.d/file | echo &#034;account ALL = (ALL) ALL&#034; > /etc/sudoers.d/file

If I replace &#034;account&#034; with a domain group: touch /etc/sudoers.d/file | echo &#034;%DOMAINADGroup ALL = (ALL) ALL&#034; > /etc/sudoers.d/file I get the same message about it not being in the sudoers file.  I have followed every guid I can find for adding a domain group to the sudoers file but none seem to work.  Any suggestions are appreciated!

Scott_Watkins · Answer

I find that if you are setting AD Groups to be admin it can be really hit or miss with macOS unless you make sure to add the AD Group directly to the local Admin group. Then it works perfectly.

sudo dseditgroup -o edit -a "DOMAINdomain admins" -t group admin

Give that a try, only needs to be ran once per computer. But the computers must be connected to the domain for Admin privileges to work.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded