
Windows uses Group Policy (which isn't particularly secure for many reasons) while Linux uses configuration files (e.g. udev, AppArmor, stuff in /etc like fstab) in conjunction with file permissions. However, you can go way farther by compiling your own kernel that has certain functionality removed (e.g. USB mass storage).

Managing lots of configuration files/scripts across many thousands of servers, desktops, devices, etc. is a long-solved problem. Most enterprises use Ansible or similar.

In almost every way, managing many thousands of Linux desktops is much simpler and more straightforward than Windows. If you're using Ansible playbooks, you can keep everything nice and tidy in a single place and everything you'd ever want to customize is managed via a plaintext file you can modify with your editor of choice.

You can organize them however you want or even use a GUI to change stuff (if you pay for Ansible Enterprise or whatever it's called... Or use one of the FOSS alternatives).

Managing Linux desktops at scale really isn't much different than managing Linux servers at scale.


Firefox has /usr/lib/firefox/distribution/policies.json which lets the sysadmin lock down what users can do with the browser. Example: If you wanted to block all extensions except for a whitelist, you could control that via that file.

There's a bazillion tools that let you manage files like that across thousands of servers/desktops but the hot one right now in enterprises is Ansible (which would make it trivial to push out an update to such a configuration).

Chrome has a similar file: /etc/opt/chrome/policies/managed/lockdown.json

"Ah yes, but what stops the user from downloading the portable version of a browser and using that?"

You can mount all user directories with +noexec. Also, AppArmor lets you control which applications can make network connections if you want to get really fine-grained.

Other applications have similar policy files. For example, Visual Studio Code has /etc/code/policy.json which—for example—would let your company lock down which extensions are allowed to be used/installed.
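An added example, not part of the comment above and not Mozilla's code: a Python sketch that builds the extension allowlist the comment describes for Firefox's policies.json and audits a deployed copy for drift, using the `ExtensionSettings` policy. The add-on IDs and function names are constructed for illustration.

```python
import json

# Constructed allowlist; replace with the add-on IDs your organisation approves.
ALLOWED = {"approved-addon@example.com", "password-manager@example.com"}

def build_firefox_policy(allowed_ids):
    """Return a policies.json document that blocks every extension by
    default and allows only the listed add-on IDs."""
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id in sorted(allowed_ids):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}

def audit_firefox_policy(text, allowed_ids):
    """Return a list of findings for a policies.json string.
    An empty list means the file matches the allowlist."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    settings = doc.get("policies", {}).get("ExtensionSettings")
    if not isinstance(settings, dict):
        return ["ExtensionSettings missing: no extension restrictions defined"]
    findings = []
    default = settings.get("*", {}).get("installation_mode")
    if default != "blocked":
        findings.append(f"default installation_mode is {default!r}, expected 'blocked'")
    # Any of these modes lets the extension run in the browser.
    permitted = {"allowed", "force_installed", "normal_installed"}
    for ext_id, rule in settings.items():
        if ext_id == "*":
            continue
        if rule.get("installation_mode") in permitted and ext_id not in allowed_ids:
            findings.append(f"extension not on allowlist is permitted: {ext_id}")
    for ext_id in sorted(set(allowed_ids) - set(settings)):
        findings.append(f"allowlisted extension has no entry: {ext_id}")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_firefox_policy(ALLOWED), indent=2))
```

Run the audit from the same tooling that pushes the file, so a hand-edited or stale copy on one machine shows up as a finding rather than going unnoticed.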


On a Linux desktop you can lock down waaaaay TF more stuff than Group Policy allows. The only difference is you need a sysadmin that knows what they're doing. You can't just point and click a button that prevents users from connecting USB devices. Instead, you use a combination of groups, udev rules, and systemd-logind. There's also ways to do it with PAM if you want.

The most popular way to control user desktops that I've seen is to have your user log in via LDAP (just like AD), optionally with Kerberos and then have their permissions to various things controlled via those groups. For example, if you were building a "desktop policy" for Linux users across your organization, you'd probably make a .deb or .rpm that installs some udev rules that grant or deny access to various things based on which groups the users are in.

Of course, you can also control things down at the user level. You could put a script in /etc/profile.d/ that does whatever you want when the user logs in. You can even make it dependent on how they log in (detect remote SSH session or local login).

There's also dconf and KDE's Kiosk mode if you really want to lock shit down to annoy TF out of your users (haha).

Once you've got your Linux desktops set up the way you want (which is usually just a matter of making your_company_desktop.deb or .rpm) to customize things/permissions, you have so much power to do things you can't do on Windows. The fine-grain control in Linux is unreal: You can give a specific user access to run and do very, very specific things as root (Windows Administrator equivalent) without much effort at all.

Linux also lets you lock down the hardware in ways Windows doesn't support. For example, you can chattr +i to make certain devices/files immutable. You could compile a custom kernel that doesn't even have USB mass storage support. What's more secure than that? Haha.

BTW: You can also make all USB mass storage devices read-only with a simple udev rule. You can even add exceptions for special things!
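An added example, not part of the comment above: a Python check a fleet agent could run to confirm that a read-only policy for USB storage actually took effect. It assumes the udev rule marks the block device read-only in the kernel, which sysfs exposes as the `ro` attribute, and it inspects whole disks only, not individual partitions; the function name is hypothetical.

```python
import os

def writable_usb_disks(sys_block="/sys/block"):
    """Return the sorted names of USB-attached block devices that the
    kernel still treats as writable (sysfs `ro` attribute is not 1)."""
    writable = []
    for name in sorted(os.listdir(sys_block)):
        # /sys/block/<dev> is a symlink into /sys/devices; a USB-attached
        # disk has a usbN bus component somewhere in the resolved path.
        real = os.path.realpath(os.path.join(sys_block, name))
        on_usb = any(
            part.startswith("usb") and part[3:].isdigit()
            for part in real.split(os.sep)
        )
        if not on_usb:
            continue
        try:
            with open(os.path.join(real, "ro")) as fh:
                read_only = fh.read().strip() == "1"
        except OSError:
            continue  # device was unplugged between listing and reading
        if not read_only:
            writable.append(name)
    return writable

if __name__ == "__main__":
    if os.path.isdir("/sys/block"):
        for dev in writable_usb_disks():
            print(f"policy violation: /dev/{dev} is USB storage and writable")
    else:
        print("no sysfs block tree on this system")
```

Devices covered by a deliberate exception in the udev rule will also appear in the output, so compare the result against the exception list before alerting.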


The time for regulatory action against Microsoft was thirty years ago and the need for it has only grown since then.

The FTC wasn't doing their job between 1980-2020 because of their ridiculous standard of, "if it doesn't raise consumer prices, it must be allowed." This led to massive consolidation in many industries which of course ended up raising prices and hurting consumers anyway.

Recently they've had some wins but overall they're still failing to do their job.


Lina Khan was right - after allowing the Activision merger, Game Pass prices skyrocketed to $30 a month for their most expensive tier.

> "if it doesn't raise consumer prices, it must be allowed."

Are there any books or good articles with good sources about this? I'm very interested in what happened in the 80s through the mid 90s.


No. Embrace, Extend, Extinguish was replaced by the AAA strategy: Acquire, Assimilate, Abandon. They were trying to be more Google-like with that "Abandon" step I think.

They've since moved on to the SSS strategy: Ship, Slip, Slop.


Good heavens! My acronymical notes on Microsoft's product strategy are two revisions out of date!

Damn, I thought it was "Slop, Ship, Smile"

You think it would succeed at that? Come on. Copilot is for entertainment purposes only!

Watching Microsoft try to dogfood Copilot is entertaining to me, in a way.

https://techcrunch.com/2026/04/05/copilot-is-for-entertainme...

At least it reached its goal if it entertained you


Listen, one does not simply walk into a new project without naming it properly. It's your precious!

China has a minimum purchase price of corn that's set by the government in order to maintain food stocks. It's also part of a larger jobs program (that I don't know much about).

China also imports 80% of its soybeans which means it's based on the rising/falling prices of oil and whatnot.

In the US, soybeans are a very important crop that's fed to livestock and also used in biodiesel production. There's enormous soybean "crush" infrastructure in the US to support the biodiesel market and the side effect of this results in tons of extra soybean oil. It ultimately ends up with soybean oil being cheap compared to everything else.


OK... but I have followup questions.

Why does the minimum purchase price of corn in China not make corn oil, a derivative product, more expensive?

Why does the low price of soybean oil in the United States not make soybean oil cheaper in China?

If the reason corn oil is cheap in China is that it's imported separately from the grain and therefore immune to the price floor... wouldn't that imply that corn oil is also cheaper outside China?


This assumes that these companies aren't going to use smaller providers or hosting models themselves. THAT is the great big assumption going into all the Big AI funding.

I think it's a very, very bad assumption. After trying GLM-5 and Qwen3 on Ollama Cloud, not only were they faster than OpenAI's offerings (by a huge amount) it was just as good if not better at doing what I asked of it.

Claude Code is still superior to anything else but GLM-5 and Qwen3 are easily just as good as GPT-5.X (for coding).


How can people afford to use Claude Code like this‽ Is everyone just playing with it on their employer's dime or what?

I have two claude code subscriptions: a team plan through my employer and I'm paying for the $200/month plan outside of that.

Trading $200/month of my money for the ability to build all of the things I've been thinking about for years is a great trade for me. I've built more things for fun/potential profit in the last year than I did in the previous decade combined.

And of course, one of the things I've built is a version of what OP made that works exactly how I want it to work. :)


It’s so funny to me that every AI user feels the need to add this entire disclaimer about how it’s actually helping them build the Starship Enterprise from scratch or whatever every time someone even hints at it maybe being a little bit of a waste of money.

I build my own products and services and the effective ROI for paying for a more or less unlimited max Claude Code plan is fairly ridiculously positive.

Like you make money with them?

This uses the CLIs so it's using subscription pricing, not token pricing.

VC funding + spending more money on Claude instead of hiring more engineers

200 dollars a month goes a long way with claude code
