So I found a way to allow user to use sudo..
Edit the /etc/sudoers and add:
domain\\username ALL=(ALL:ALL) ALL
note "\\" between domain and the username
user must also be in the sudo group
sudo usermod -aG sudo username
That still leaves me wit allowing only some users access to PAM.