diff --git a/actions/add-ldap-user-to-group b/actions/add-ldap-user-to-group
index 448e5fd30..7cd104ce3 100755
--- a/actions/add-ldap-user-to-group
+++ b/actions/add-ldap-user-to-group
@@ -41,3 +41,28 @@ add: member
 member: uid=$username,ou=users,dc=thisbox
 EOF
 fi
+
+# For admin users, also need a posixAccount for sudo.
+if [ "$groupname" == "admin" ]; then
+    # check if sudo group already exists
+    results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=groups,dc=thisbox' -LLL "(cn=sudo)" cn)
+
+    if [ -z "$results" ]; then
+	# create sudo group
+	cat <<EOF |ldapadd -Y EXTERNAL -H ldapi:///
+dn: cn=sudo,ou=groups,dc=thisbox
+objectClass: posixGroup
+cn: sudo
+gidNumber: 27
+memberUid: $username
+EOF
+    else
+	# add user to sudo group
+	cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=sudo,ou=groups,dc=thisbox
+changetype: modify
+add: memberUid
+memberUid: $username
+EOF
+    fi
+fi
diff --git a/actions/delete-ldap-user b/actions/delete-ldap-user
index 4eb8c89cc..9d16867e7 100755
--- a/actions/delete-ldap-user
+++ b/actions/delete-ldap-user
@@ -46,3 +46,15 @@ EOF
 	ldapdelete -Y EXTERNAL -H ldapi:/// "$dn"
     fi
 done <<< "$results"
+
+# update sudo group if needed
+results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$username)")
+
+if [ -n "$results" ]; then
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=sudo,ou=groups,dc=thisbox
+changetype: modify
+delete: memberUid
+memberUid: $username
+EOF
+fi
diff --git a/actions/remove-ldap-user-from-group b/actions/remove-ldap-user-from-group
index e8d5bb8c6..4c0756b16 100755
--- a/actions/remove-ldap-user-from-group
+++ b/actions/remove-ldap-user-from-group
@@ -44,3 +44,17 @@ elif [ $? -eq 65 ]; then
 	exit 1
     fi
 fi
+
+if [ "$groupname" == "admin" ]; then
+    # update sudo group if needed
+    results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$username)")
+
+    if [ -n "$results" ]; then
+	cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=sudo,ou=groups,dc=thisbox
+changetype: modify
+delete: memberUid
+memberUid: $username
+EOF
+    fi
+fi
diff --git a/actions/rename-ldap-user b/actions/rename-ldap-user
index be01ecebd..8e49d5c4e 100755
--- a/actions/rename-ldap-user
+++ b/actions/rename-ldap-user
@@ -53,3 +53,22 @@ delete: member
 member: uid=$old_username,ou=users,dc=thisbox
 EOF
 done <<< "$results"
+
+# update sudo group if needed
+results=$(ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=sudo,ou=groups,dc=thisbox' -LLL "(memberUid=$old_username)")
+
+if [ -n "$results" ]; then
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=sudo,ou=groups,dc=thisbox
+changetype: modify
+delete: memberUid
+memberUid: $old_username
+EOF
+
+    cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: cn=sudo,ou=groups,dc=thisbox
+changetype: modify
+add: memberUid
+memberUid: $new_username
+EOF
+fi