Restricting System Settings Access for Non-Sudo Users in Zorin OS

Dear Zorin Help Forum members,

I am currently in the testing phase of Zorin OS in an educational environment, with the goal of gradually migrating all our client machines to this operating system. As part of this transition, I have successfully integrated our client machines with our Active Directory infrastructure, enabling centralized user management and policies.

However, I am facing a major challenge: restricting access to almost all system settings for non-sudo users. My objective is to create a secure and consistent environment, where only authorized modifications can be made.

I aim to restrict access to a wide range of settings, including:

  1. Appearance: Prevent non-sudo users from modifying themes, wallpapers, system icons, and other appearance settings.
  2. Network: Restrict the ability to modify network connection settings, such as Wi-Fi, Ethernet, VPN configurations, etc.
  3. Sound and Multimedia: Limit changes to audio settings, output devices, multimedia codecs, etc.
  4. Display: Prevent non-sudo users from modifying display settings, such as resolution, orientation, brightness, etc.
  5. System: Restrict access to critical system settings, such as software updates, system services, users and groups management, etc.
  6. Security: Limit modifications to security settings, such as firewalls, certificates, file permissions, etc.

I have explored different approaches, including the use of Polkit rules, specific access rights, and other configuration mechanisms. However, I have not yet achieved the desired level of restriction.

In this testing phase, I am currently working on a single client machine to evaluate the feasibility of this configuration before deploying it to all machines. I also have an Ansible server at my disposal, which could facilitate the automation of certain configuration tasks.

I reach out to you, members of the Zorin Help Forum, to seek your expertise and advice. If you have already implemented similar restrictions in an educational environment with Active Directory integration on Zorin OS client machines, I would greatly appreciate your insights and recommendations.

Any information, tips, or suggestions regarding best practices, Zorin OS-specific configurations, the use of Ansible, or any other relevant approach would be highly valuable.

Thank you very much for your valuable support in this critical testing phase.

Best regards,

1 Like
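Added example, not part of the original post and not Zorin's own tooling: one way to cover the Appearance and Network items from the list above is to lock the relevant dconf keys and require administrator authentication for system-wide NetworkManager changes through polkit. It assumes a GNOME-based Zorin desktop that reads dconf, polkit 0.105 with `.pkla` files, and placeholder theme and wallpaper values; `stage_lockdown` and `count_locks` are hypothetical helper names, and the files are written under a staging directory so they can be reviewed before deployment.

```shell
#!/bin/sh
# Added example: stage a dconf lockdown and a polkit override under ROOT.
# Assumptions: GNOME-based desktop (dconf), polkit 0.105 (.pkla files),
# placeholder theme and wallpaper values.
stage_lockdown() {
    root="${1:?usage: stage_lockdown ROOT}"
    mkdir -p "$root/etc/dconf/profile" \
             "$root/etc/dconf/db/local.d/locks" \
             "$root/etc/polkit-1/localauthority/50-local.d"

    # Profile: the user database is layered over the system database "local".
    printf 'user-db:user\nsystem-db:local\n' > "$root/etc/dconf/profile/user"

    # Mandatory values (constructed placeholders; use the site's own).
    cat > "$root/etc/dconf/db/local.d/00-school" <<'EOF'
[org/gnome/desktop/background]
picture-uri='file:///usr/share/backgrounds/school.png'

[org/gnome/desktop/interface]
gtk-theme='Adwaita'
icon-theme='Adwaita'
EOF

    # Locks: keys listed here cannot be overridden from the user database.
    cat > "$root/etc/dconf/db/local.d/locks/00-school" <<'EOF'
/org/gnome/desktop/background/picture-uri
/org/gnome/desktop/interface/gtk-theme
/org/gnome/desktop/interface/icon-theme
EOF

    # polkit: system-wide NetworkManager changes need administrator auth.
    cat > "$root/etc/polkit-1/localauthority/50-local.d/50-school-network.pkla" <<'EOF'
[Network settings need an administrator]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
EOF
}

# Number of locked keys in a staged tree, for checking the result.
count_locks() {
    grep -c '^/' "$1/etc/dconf/db/local.d/locks/00-school"
}

# Stage into the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then stage_lockdown "$1"; fi
```

After reviewing the staged tree, copy it to `/` as root (for example with an Ansible copy task) and run `dconf update` so the system database is rebuilt.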

One application you should swap out is Firefox for Firefox ESR as the Extended Service Release is the only version of Firefox that can be locked down. I thought that once you create /homes on the server for each user they should be assigned as Standard User.

It would be good if you could make contact with Zorin forum member 'Albano' in Italy, who changed the High School IT Labs to Zorin in Vicenza, Italy:

https://zoringroup.com/forum/12/11791/

1 Like
