diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65156dca..ee010c11 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
 * elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
+* evolinux-users: check permissions for /etc/sudoers.d
+* evolinux-users: optimize sudo configuration
 * lxc: Fail if /var is nosuid
 * openvpn: make it compatible with OpenBSD and add some improvements
diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml
index 8f12ba1b..1b838e01 100644
--- a/evolinux-users/tasks/main.yml
+++ b/evolinux-users/tasks/main.yml
@@ -20,10 +20,6 @@
 - name: Configure sudo
 include: sudo.yml
- vars:
- user: "{{ item.value }}"
- loop: "{{ evolinux_users | dict2items }}"
- when: evolinux_users | length > 0
 - name: Configure SSH
 include: ssh.yml
diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml
index c27f5a29..4056e7ad 100644
--- a/evolinux-users/tasks/sudo.yml
+++ b/evolinux-users/tasks/sudo.yml
@@ -1,9 +1,21 @@
 ---
 - include: sudo_jessie.yml
- when: ansible_distribution_release == "jessie"
+ vars:
+ user: "{{ item.value }}"
+ loop: "{{ evolinux_users | dict2items }}"
+ when:
+ - evolinux_users | length > 0
+ - ansible_distribution_release == "jessie"
-- include: sudo_stretch.yml
+
+ - block:
+ - include: sudo_stretch_common.yml
+
+ - include: sudo_stretch_user.yml
+ vars:
+ user: "{{ item.value }}"
+ loop: "{{ evolinux_users | dict2items }}"
 when:
 - ansible_distribution_major_version is defined
 - ansible_distribution_major_version is version('9', '>=')
diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch_common.yml
similarity index 57%
rename from evolinux-users/tasks/sudo_stretch.yml
rename to evolinux-users/tasks/sudo_stretch_common.yml
index dc744c56..fb8f9ac7 100644
--- a/evolinux-users/tasks/sudo_stretch.yml
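Review bot: Dropping the `when: evolinux_users | length > 0` guard from the sudo.yml include here changes what runs on Debian 9 or later, because that guard reappears only on the Jessie branch of sudo.yml: the `block` that includes sudo_stretch_common.yml now runs even when no users are defined, so the sudoers drop-in and the sudo group get created on hosts that previously skipped sudo configuration entirely. The per-user include is unaffected, since `loop` over an empty `dict2items` result yields no iterations. If this is the intended meaning of "optimize sudo configuration", a comment above the block in sudo.yml should say so, e.g. `# Common sudo setup does not depend on evolinux_users; the per-user include loops zero times when it is empty`; otherwise add `- evolinux_users | length > 0` to the block's `when` list in sudo.yml.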
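Review bot: The rewritten sudo.yml keeps the legacy `include` keyword for sudo_stretch_common.yml and sudo_stretch_user.yml, which Ansible has deprecated since 2.4 in favour of `include_tasks` (dynamic, works with `loop` and `vars`) and `import_tasks`; since this hunk touches every line of the file it is the natural moment to switch, e.g. `- include_tasks: sudo_stretch_user.yml`, if the role's minimum Ansible version allows it. A one-line comment above the block naming the split would also help readers who open only this file: `# common: /etc/sudoers.d, sudoers drop-in, sudo group; user: group membership, once per evolinux_users entry`.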
+++ b/evolinux-users/tasks/sudo_stretch_common.yml
@@ -1,5 +1,13 @@
 ---
+- name: "/etc/sudoers.d presence and permissions"
+ file:
+ path: /etc/sudoers.d
+ owner: root
+ group: root
+ mode: "0750"
+ state: directory
+
 - name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
 template:
 src: sudoers_stretch.j2
@@ -13,15 +21,3 @@
 group:
 name: "{{ evolinux_sudo_group }}"
 system: yes
-
- name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
- user:
- name: '{{ user.name }}'
- groups: "{{ evolinux_sudo_group }}"
- append: yes
-
- name: "Add user to 'adm' group (Debian 9 or later)"
- user:
- name: '{{ user.name }}'
- groups: "adm"
- append: yes
diff --git a/evolinux-users/tasks/sudo_stretch_user.yml b/evolinux-users/tasks/sudo_stretch_user.yml
new file mode 100644
index 00000000..97f1f77d
--- /dev/null
+++ b/evolinux-users/tasks/sudo_stretch_user.yml
@@ -0,0 +1,13 @@
+---
+
+ - name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
+ user:
+ name: '{{ user.name }}'
+ groups: "{{ evolinux_sudo_group }}"
+ append: yes
+
+ - name: "Add user to 'adm' group (Debian 9 or later)"
+ user:
+ name: '{{ user.name }}'
+ groups: "adm"
+ append: yes
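Review bot: The new `file` task applies `owner`, `group` and `mode: "0750"` to /etc/sudoers.d itself only; without `recurse` the drop-in files already inside keep whatever ownership and mode they have, so the "check permissions for /etc/sudoers.d" changelog entry covers the directory, not its contents. That scope is probably right — `recurse: yes` would push 0750 onto the drop-ins, which need their own mode that sudo validates itself — but the task should say so in its name, e.g. `name: "/etc/sudoers.d presence and permissions (directory only)"`, and a comment should record why 0750 was chosen over a more permissive directory mode, e.g. `# 0750: only root can list the drop-ins; sudo reads them with root privileges, so it is unaffected`. Expect this task to report `changed` on existing hosts whose directory had a different mode, which is worth calling out in the commit message or a check-mode run before rollout.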
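Review bot: sudo_stretch_user.yml relies on a `user` variable that exists only because the including task in sudo.yml passes `vars: user: "{{ item.value }}"` for each loop iteration, and nothing in the new file states that contract; a header comment after the `---` line such as `# Per-user sudo group membership (Debian 9 or later). Expects user = one evolinux_users entry, passed by the include in sudo.yml` would save the next reader a trip across files. Both tasks also write `append: yes` where `true` is the canonical YAML boolean (yamllint `truthy`); the same applies to `system: yes` in sudo_stretch_common.yml, though that line is unchanged context here.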