Restrict useradd in linux sudoers

In linux sudoers, sudo, which restricts useradd, is familiar to everyone. It allows an account to execute some applications as other identities. The problem we encountered today is that we want tom users to manage system accounts. However, if tom executes useradd with-g root or useradd-G root for the tom account, security issues may occur. So you need to limit it. Of course, it is good to limit the passwd command: tom ALL = (ALL)/usr/bin/passwd [A-Za-z] *,! /Usr/bin/passwd root this is because passwd is followed by a very small number of parameters. For the useradd command, there are many parameters. This won't work, for example, tom ALL = (ALL)/usr/bin/passwd [A-Za-z] *,! /Usr/bin/passwd root,/usr/sbin/useradd [a-zA-Z] *,! /Usr/sbin/useradd-G root [a-zA-Z] * If sudo useradd-u 1000-G root user1 is executed, the operation can still be successful. I thought about it. I have to match any combination of-G and other parameters. After some tests, write: tom ALL = (ALL)/usr/bin/passwd [A-Za-z] *,! /Usr/bin/passwd root,/usr/sbin/useradd [a-zA-Z-/] *,! /Usr/sbin/useradd [a-zA-Z-/] *-G root [a-zA-Z-/] *,! /Usr/sbin/useradd [a-zA-Z-/] *-g root [a-zA-Z-/] * This does not include numbers or-g root, can be added according to similar times.