diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index 5dfd257..01c03b0 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -6,13 +6,21 @@
 state: present
 
 - name: Grant sudo without PW to admins group
- ansible.builtin.file:
+ ansible.builtin.template:
 src: roles/users/files/sudo_group_admins
 path: /etc/sudoers.d/admins
 owner: root
 group: root
 mode: '0440'
 
+- name: Enable sudoers.d subdir
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^#includedir /etc/sudoers.d'
+ line: 'includedir /etc/sudoers.d'
+ validate: 'visudo -cf %s'
+
 - name: Ensure user "rulrich" exists
 ansible.builtin.user:
 name: rulrich
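Review bot: In the new "Enable sudoers.d subdir" task, `line: 'includedir /etc/sudoers.d'` drops the leading `#`, but in sudoers that `#` is part of the directive rather than a comment marker, so the rewritten line is a syntax error. The `visudo -cf %s` validation should reject it, which protects /etc/sudoers but makes the task fail wherever it runs, including hosts that ship `@includedir`, where the regexp does not match and the same invalid line would be appended. I would use `regexp: '^[#@]includedir\s+/etc/sudoers\.d'` with `line: '#includedir /etc/sudoers.d'`. In the first task, `ansible.builtin.template` takes `dest:` rather than the `path:` left over from `ansible.builtin.file`, so that key should become `dest: /etc/sudoers.d/admins`, and the drop-in deserves the same `validate: 'visudo -cf %s'` because a malformed file under /etc/sudoers.d can break sudo for every account.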