diff --git a/domain-controller.yml b/domain-controller.yml
index 5e05f55..7e23bec 100644
--- a/domain-controller.yml
+++ b/domain-controller.yml
@@ -4,3 +4,17 @@
 include_vars: '{{ item }}'
 with_fileglob: vault/samba-dc/{{ krb5_realm }}
 - import_playbook: samba-dc.yml
+- hosts: samba-dc
+ roles:
+ - nsswitch
+ - system-auth
+ - sudo
+ tasks:
+ - name: ensure domain admins can use sudo
+ copy:
+ content: |
+ %domain\ admins ALL=(ALL) ALL
+ %{{ workgroup }}\\domain\ admins ALL=(ALL) ALL
+ dest: /etc/sudoers.d/10_domain-admins
+ mode: '0440'
+ validate: visudo -cf %s
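Review bot: The first sudoers rule, `%domain\ admins ALL=(ALL) ALL`, names the group without the workgroup prefix, so it grants full root to whatever group NSS resolves under that bare name on the host, which would include a local group of the same name. Whether the unqualified form is needed depends on the winbind configuration, which is not visible in this hunk. If only the domain group is meant, keep just the `%{{ workgroup }}\\domain\ admins` line, or add a comment above `content:` saying why both forms are required. The `copy` task also sets `mode: '0440'` but leaves ownership implicit. Since sudo expects files under /etc/sudoers.d to be owned by root, adding `owner: root` and `group: root` would make that explicit rather than dependent on how the play is run.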