How to Prevent Users from Changing Specific Settings in Ubuntu / Mint

Want to lock down specific system settings, such as extensions and printer accessibility, to prevent others from changing them in Ubuntu or Linux Mint? Here’s how to do the trick step by step with screenshots!

NOTE: this tutorial is tested and works on Ubuntu 20.04, Ubuntu 22.04, Linux Mint 20 (Cinnamon), and Fedora Workstation. It should also works on other Linux with GNOME desktop.

After following this tutorial, certain desktop settings will be applied and locked for ALL users in system! Though, user with sudo privilege (aka administrator) may un-lock them by editing the config files.

Step 1: Create user profile for dconf.

As you may know, dconf is a low-level configuration system for GNOME. Usually, we use ‘Dconf Editor‘ or ‘gsettings‘ command to configure hidden settings that are not available in Gnome Control Center and Gnome Tweaks.

Dconf has a feature to lock down certain settings, so all system configuration tool cannot change them any longer. However, we need to first create a user profile for it.

Fedora 35 already has the profile!!! So just skip this step. Verify it via cat /etc/dconf/profile/user command

Firstly, search for and open a ‘terminal’ window from Activities overview screen (or start menu).

Next, run the single command to create a profile file ‘user‘ under /etc/dconf directory. And, write the 2 lines (user-db:user and system-db:local) into the file:

sudo sh -c 'echo "user-db:user\nsystem-db:local">/etc/dconf/profile/user'

And, verify the profile via command:

cat /etc/dconf/profile/user
Create ‘user’ profile for dconf
Linux Mint 20 need to first run sudo mkdir -p /etc/dconf/profile to create the 'profile' folder!

Step 2: Specify key values for certain settings you want to lock!

Say you want to lock background wallpaper and disable printing, firstly you need to write these settings into a config file!

1. Firstly, run command in terminal to create ‘/etc/dconf/db/local.d/locks‘ folder in case it does NOT exist:

sudo mkdir -p /etc/dconf/db/local.d/locks

2. Next, create a config file under ‘local.d‘ and edit it via command:

sudo gedit /etc/dconf/db/local.d/00-lockdown
For Linux Mint Cinnamon, replace gedit with xed text editor

3. When files opens in text editor, input something like this:

[org/gnome/desktop/background]

# URI to use for the background image
picture-uri='file:///usr/share/backgrounds/Ubuntu_by_Abubakar_NK.jpg'

[org/gnome/desktop/lockdown]

# prevent user from printing 
disable-printing=true

Here I set the background image for ‘org/gnome/desktop/background/picture-uri’ and true for ‘org/gnome/desktop/lockdown/disable-printing’. Change these lines accordingly or add more as you mind! For example, set enabled extensions via:

[org/gnome/shell]
# All extensions you want to have enabled for all users
enabled-extensions=['ubuntu-appindicators@ubuntu.com', 'ubuntu-dock@ubuntu.com', 'user-theme@gnome-shell-extensions.gcampax.github.com']

Tip: You may install and use ‘Dconf Editor‘ to find out the keys & values.

Set the values for settings you want to lock!

Step 3: List the keys you want to lock in config file!

Now create a new config file under ‘/etc/dconf/db/local.d/locks‘ directory, and write down the keys will lock them to the values you set in Step 2.

To do so, run command to create and edit config file:

sudo gedit /etc/dconf/db/local.d/locks/lockdown

When the file opens, add similar lines:

# Prevent changes to the following keys:

/org/gnome/desktop/background/picture-uri
/org/gnome/desktop/lockdown/disable-printing

Add more lines (one key per line) if have more set in Step 2.

Lock keys (one key per line)

Step 4: Update dconf database:

It’s important to update the database by running command in terminal, so all the previous steps will apply immediately!!

sudo dconf update

NOTE: after running this command. The key values in step 2 take effect and lock down for ALL USERS in system. The lock down applies immediately, but the key values may not for non-current user that’s already logged in.

All configuration tools (e.g., Gnome Tweaks, Settings, dconf editor, or gsettings) can NO longer change these settings until un-lock them via administrator privilege.

Exit mobile version