Hi Fabrice,
Thanks for the info's. I guess what i really like to accomplish is to totally not allow AD users to do su or sudo at my X server (total lockdown if you may).
My AD users are given a specific AD group before they can get in to my linux box. So since we know what group they belong to (and since this an AD group), do you think controlling the group is better than every AD users?
tia again,
--Sid