
I know that root can modify any config file.
As a best practice, I would like to disable the capacity for root to su on accounts which authenticate against NIS or Active Directory.
As a best practice, I would like to allow root to su only on local accounts. My definition of a local account is any line with an id in /etc/passwd (because of the +user:::::: for NIS access).
I guess it would involve modifying the pam config, but I'm not clear on the how.