diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index affc316..1786748 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -1,3 +1,4 @@ +{% from "sudoers/map.jinja" import ad_group_maps with context %} {%- if (not included) %} {%- set sudoers = pillar.get('sudoers', {}) %} {%- if grains['os_family'] == 'Debian' %} @@ -94,6 +95,13 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} %{{ group }} {{ spec }} {%- endfor %} {%- endfor %} +{%- for unix_group in ad_groups %} + {%- if unix_group in ad_group_maps.keys() %} +%{{ unix_group }} {{ ad_group_maps[unix_group] }} + {%- else %} +%{{ unix_group }} {{ ad_group_maps['default'] }} + {%- endif %} +{%- endfor %} {% if includedir %} ## Read drop-in files from /etc/sudoers.d diff --git a/sudoers/init.sls b/sudoers/init.sls index e93ce3c..6859af7 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls @@ -1,5 +1,8 @@ {% from "sudoers/map.jinja" import sudoers with context %} +# our list of plos core active directory groups +{%- set ad_groups = salt['pillar.get']('group_map:core').keys() %} + sudo: pkg.installed: - name: {{ sudoers.pkg }} @@ -14,5 +17,6 @@ sudo: - check_cmd: {{ sudoers.get('exec-prefix', '/usr/sbin') }}/visudo -c -f - context: included: False + ad_groups: {{ ad_groups|tojson }} - require: - pkg: sudo diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 92506c3..120fd2a 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja 
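Review bot: The new `{%- for unix_group in ad_groups %}` loop in the second hunk of sudoers/files/sudoers assumes `ad_groups` is always present in the render context, but the surrounding `included` flag suggests this template is also rendered from other states, and Salt's Jinja environment (StrictUndefined, as far as I recall) aborts the render when an undefined name is iterated; `{%- for unix_group in ad_groups|default([]) %}` keeps the template usable wherever `ad_groups` is not passed. The if/else around the lookup can collapse to `%{{ unix_group }} {{ ad_group_maps.get(unix_group, ad_group_maps['default']) }}`, which reads the same and drops the `.keys()` call. Group names from pillar are interpolated into the policy line unquoted; the `visudo -c` check_cmd in init.sls rejects syntactically invalid output, so a malformed key fails the state rather than installing a broken sudoers, but a key containing whitespace would still yield a well-formed rule for a different group, which deserves a comment at the loop such as `{# group names come from pillar group_map:core; visudo -c only catches syntax errors, not unintended names #}`.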
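Review bot: `salt['pillar.get']('group_map:core').keys()` in the first hunk of sudoers/init.sls has no default, so on a minion whose pillar lacks `group_map:core` the call returns `''` and `.keys()` raises before the state renders; under Python 3 a `dict_keys` view is also not JSON-serializable, so the `ad_groups: {{ ad_groups|tojson }}` context entry in the second hunk of this file would fail as well. Both are avoided with `{%- set ad_groups = salt['pillar.get']('group_map:core', {}).keys()|list %}`. The pillar key is spelled `group_map:core` here but `group_maps:lookup` in map.jinja; if these are meant to live under one pillar tree, one of the two looks misspelled and should be checked against the pillar data.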
@@ -13,4 +13,24 @@
 'config-path': '/usr/local/etc',
 'exec-prefix': '/usr/local/sbin',
 'group': 'wheel'},
-}, merge=salt['pillar.get']('sudoers:lookup')) %}
+}, merge=salt['pillar.get']('sudoers:lookup', None)) %}
+
+# our plos active directory core groups sudoers permissions, filtered by environment
+{% set ad_group_maps = salt['grains.filter_by']({
+ 'default': { 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT' },
+ 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' },
+ 'qa': {
+ 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
+ 'plosdev': 'ALL = (ALL:ALL) NOPASSWD: ALL',
+ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL',
+ },
+ 'stage': {
+ 'default': 'ALL = (root) NOEXEC:NOPASSWD: SUPPORT',
+ 'plosdev': 'ALL = (ALL:ALL) NOPASSWD: ALL',
+ 'plosqa': 'ALL = (ALL:ALL) NOPASSWD: ALL'
+ }
+ },
+ grain='environment',
+ merge=salt['pillar.get']('group_maps:lookup', None))
+%}
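Review bot: The sudo privilege level granted to every AD group is selected by `grain='environment'` in the new `ad_group_maps` block, and grains are reported by the minion itself, so a compromised or misconfigured host that reports `environment: dev` or `vagrant` is handed `ALL = (ALL:ALL) NOPASSWD: ALL` instead of the `NOEXEC:NOPASSWD: SUPPORT` default; Salt's own guidance is not to base security decisions on grains. Selecting on a master-controlled pillar value instead, e.g. `{% set env = salt['pillar.get']('environment', 'default') %}` feeding a plain dict lookup, or at least a comment explaining why the grain is trusted on these hosts, would close that gap. The `vagrant`/`dev` and `qa`/`stage` entries are byte-identical pairs; a short comment stating the duplication is intentional (or collapsing them) would help the next reader. The `'default'` sub-key is relied on by the sudoers template for every environment, so a comment noting that `group_maps:lookup` overrides must keep it is worth adding too.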