This was quite a head-scratcher. I wanted to remove a user sammy from the sudo group and did that by running this as root

root> deluser sammy sudo

However, when I logged in as sammy I was still able to run –

sammy> sudo su

Checking which groups the user belonged to was of no help either.

sammy> groups
sammy

I checked visudo again. The only line was the one below and even commenting it out didn’t help!

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

Finally, the answer at Superuser gave me a hint what was going on.

There’s a line at the bottom of the sudoers file

#includedir /etc/sudoers.d

This line makes it include files from /ect/sudoers.d/ directory. The # at the beginning of the line made it seem that it was commented out. But actually, the directive itself is #includedir with the leading #.

Looking into the /etc/sudoers.d/ directory, there was indeed a file with the following entry!

# User rules for sammy
sammy ALL=(ALL) NOPASSWD:ALL

This file, then, was overriding whatever I was doing using visudo. Deleting this file solved the problem!

Besides that offending file, there was also this very helpfule README file there.

#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
#       #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#
# Note also, that because sudoers contents can vary widely, no attempt is
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#

Live and learn, as they say.