Locking Down Linux Desktops In an Enterprise?

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

Re:M$

[Bryansix]

When a software company cuts off an operating system at the knees as Microsoft has done with XP in order to promote you to spend more money then the albeit childish acronym of "M$" does indeed apply. The sad part is that Vista STILL isn't ready for primetime and while Windows 7 shows promise as the real Vista SP2; it is not out yet and so you are stuck supporting users on an OS which isn't even for sale anymore.

Re:Isn't this something Unix solved decades ago?

[jamstar7]

This is true, if you don't want your employees to be productive beyond the 6 apps you've installed for them.. but if you want them to actually be able to use the wide variety of open source applications that are available then clearly they need to be able to run a package manager and install new apps. This basically means giving them root.

Let them screw around with package managers on their own time and their home machines. Letting users screw around with root access on a production machine is just asking for trouble. These machines belong to the company, not the user.

One of my clients demanded all his employees have administrator/superuser access on the company server. I told him no way, and why that was a bad idea. He insisted. I wrote him out a bill on the spot for time and services rendered, and gave him the number of a competitor with even less of a sense of humor than I have, then told him he'd be calling his new consultant on a daily basis as various users hosed their workstations and his servers. I also advised him to make sure the new consultant set him up with a damned good backup solution, he'd need it. Two days later, their new consultant called me up to bitch at me. I told him, 'Hey, consider it job security and charge 'em triple.'.