diff --git a/modules/04-install-brew.sh b/modules/04-install-brew.sh
index 887c7a0..108802a 100755
--- a/modules/04-install-brew.sh
+++ b/modules/04-install-brew.sh
@@ -24,6 +24,23 @@ function ensureUserIsInAdminGroup() {
  dseditgroup -o edit -a "${username}" -t user admin
 }
 
+function ensureUserCanRunPasswordlessSudo() {
+ local username=$1
+ local sudoersFile="/etc/sudoers.d/no-auth-sudo-for-${username}"
+ [[ -f ${sudoersFile} ]] && return
+ cat <<- SUDOERS > "${sudoersFile}"
+ Defaults:${username} !authenticate
+ SUDOERS
+ chown root:wheel "${sudoersFile}" || return 10
+ chmod u=rw,g=r,o= "${sudoersFile}" || return 20
+}
+
+function ensureUserCanNoLongerRunPasswordlessSudo() {
+ local username=$1
+ local sudoersFile="/etc/sudoers.d/no-auth-sudo-for-${username}"
+ [[ ! -f ${sudoersFile} ]] || rm ${sudoersFile}
+}
+
 function getFirstFreeRoleAccountID() {
  local minUserID=450
  local maxUserID=499
@@ -258,9 +275,11 @@ function configure_system() {
  lop -y h1 -- -i 'Install System Homebrew'
  createHomebrewUserIfNeccessary || return 10
  indicateActivity 'Ensure Homebrew user is in admin group' ensureUserIsInAdminGroup ${homebrew_username} || return 11
+ indicateActivity 'Ensure Homebrew user can run passwordless sudo' ensureUserCanRunPasswordlessSudo ${homebrew_username} || return 12
  ensureHomebrewCacheDirectory || return 13
  ensureHomebrewLogDirectory || return 14
  indicateActivity 'Install Homebrew core' installHomebrewCore || return 15
+ indicateActivity 'Ensure Homebrew user can nolonger run passwordless sudo' ensureUserCanNoLongerRunPasswordlessSudo ${homebrew_username} || return 20
  indicateActivity 'Create brew caller script' createBrewCallerScript || return 16
  indicateActivity 'Create brew periodic script' createBrewPeriodicScript || return 17
  indicateActivity 'Install Homebrew updater' installHomebrewUpdater || return 18
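Review bot: The drop-in written by ensureUserCanRunPasswordlessSudo goes live the moment `cat > "${sudoersFile}"` creates it, before chown/chmod run and without any syntax check, and a sudoers fragment that fails to parse makes sudo refuse every invocation on the host. Write it to a temporary name inside /etc/sudoers.d (sudo skips entries whose name contains a `.`), validate it with `visudo -cf`, set ownership and mode, then `mv` it into place as in the rewrite below; the same naming rule means a username containing a `.` yields a file sudo silently ignores, so it is worth rejecting up front. The `<<- SUDOERS` here-doc strips leading tabs only — if this file is indented with spaces the terminator never matches and the remainder of the script is swallowed as here-doc text, which a `printf` avoids entirely. sudoers(5) recommends mode 0440 for these files and `u=rw,g=r,o=` keeps the owner write bit, which I would not assume every sudo build accepts, so the rewrite uses `u=r,g=r,o=`. In ensureUserCanNoLongerRunPasswordlessSudo, `rm ${sudoersFile}` should be `rm -f -- "${sudoersFile}"`.
```shell
function ensureUserCanRunPasswordlessSudo() {
  local username=$1
  local sudoersFile="/etc/sudoers.d/no-auth-sudo-for-${username}"
  local tmpFile
  # sudo ignores sudoers.d entries whose name contains '.', so the grant would never apply.
  [[ ${username} == *.* ]] && return 1
  [[ -f ${sudoersFile} ]] && return
  # Draft in the same directory under a dotted name: inert until the final mv.
  tmpFile=$(mktemp "${sudoersFile}.XXXXXX") || return 2
  printf 'Defaults:%s !authenticate\n' "${username}" > "${tmpFile}" || { rm -f -- "${tmpFile}"; return 3; }
  chown root:wheel "${tmpFile}" || { rm -f -- "${tmpFile}"; return 10; }
  chmod u=r,g=r,o= "${tmpFile}" || { rm -f -- "${tmpFile}"; return 20; }
  # Never install a fragment sudo cannot parse; that would lock sudo for everyone.
  visudo -cf "${tmpFile}" >/dev/null || { rm -f -- "${tmpFile}"; return 30; }
  mv -- "${tmpFile}" "${sudoersFile}" || { rm -f -- "${tmpFile}"; return 40; }
}
```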
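Review bot: The passwordless-sudo grant added at `return 12` is only revoked on the success path — if ensureHomebrewCacheDirectory, ensureHomebrewLogDirectory or installHomebrewCore fails, configure_system returns at 13/14/15 and the `Defaults:<user> !authenticate` drop-in stays in /etc/sudoers.d indefinitely, turning a failed install into a standing privilege grant for that account. Move the three steps that need the grant into a helper and revoke it in every case before propagating the helper's status, as below; an EXIT trap calling ensureUserCanNoLongerRunPasswordlessSudo would additionally cover a caller that exits part-way. The activity label `'Ensure Homebrew user can nolonger run passwordless sudo'` should read `no longer`. configure_system starts before and ends after this hunk.
```shell
function installHomebrewCoreWithPasswordlessSudo() {
  ensureHomebrewCacheDirectory || return 13
  ensureHomebrewLogDirectory || return 14
  indicateActivity 'Install Homebrew core' installHomebrewCore || return 15
}

# … inside configure_system, unchanged: lop, createHomebrewUserIfNeccessary, admin-group step …
  indicateActivity 'Ensure Homebrew user can run passwordless sudo' ensureUserCanRunPasswordlessSudo ${homebrew_username} || return 12
  local installStatus=0
  installHomebrewCoreWithPasswordlessSudo || installStatus=$?
  # Revoke the grant however the install went; only then report the install failure.
  indicateActivity 'Ensure Homebrew user can no longer run passwordless sudo' ensureUserCanNoLongerRunPasswordlessSudo ${homebrew_username} || return 20
  (( installStatus == 0 )) || return "${installStatus}"
  # … unchanged: createBrewCallerScript, createBrewPeriodicScript, installHomebrewUpdater …
```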