If you don't trust your employees, though, why give them Linux at all? Windows and Mac make the perfect locked down / restrictive / don't trust people platforms out there. I mean, I understand locking down and securing a server, but a Linux desktop? The only value a Linux desktop has is the freedom to configure it how you like with the apps you like.
This seems like a minefield of clashes with distro-specific behavior. What happens if your system is using different software than what it expects or a policy that exists in Windows doesn't always make sense in the target environment? I wonder how it is being dealt with?
And what about more broad policies like denying filesystem write access?
My experience is quite the opposite. I have and still use both and find samba one of the more unreliable things. Freeipa does what it does with no issues.
Ironically I was trying to push for some rnd to run all of the GPOs for windows boxes as local policy ran by ansible. Just could stand all of the wonkyness AD introduced into the system.
We were doing everything Ansible does for the 95% case in 2002. Like, for 95% of use-cases, Ansible is absolutely no better than a conglomeration of tools from 2002. Definitely no reason to pay licensing.
Bonus: since it's version-agnostic (another win over Ansible if you've ever managed Tower/AAP/whatever next week) I'm still using that paradigm today because it works SO well. It's losing to Cinc or mgmtConfig but only because those are 1 and 2 generations newer than Ansible and do offer distinguishing features.