Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Group Policies / How to Configure Google Chrome Using Group Policy ADMX Templates?

October 8, 2019 Active DirectoryGroup PoliciesWindows 10

How to Configure Google Chrome Using Group Policy ADMX Templates?

In this article we’ll get acquainted with the Chrome Group Policy administrative templates (admx), provided by Google, that allow you to centrally manage browser settings in an Active Directory domain. Chrome`s ADMX GPO templates greatly simplifies the deployment and configuring of this browser in a corporate network. Also, we will show several typical tasks of managing Google Chrome settings using GPO and installing browser extensions.

Contents:
  • Installing GPO ADMX Templates for Google Chrome
  • Configuring Typical Google Chrome Settings via GPO
  • Configuring Proxy Server and Home Page with Chrome GPO
  • Deploying Google Chrome Extensions Using Group Policy

Installing GPO ADMX Templates for Google Chrome

In order to manage Chrome settings through Group Policies, you must download and install a special set of administrative GPO templates

    • Download and extract an archive with ADM/ADMX templates of Group Policies for Google Chrome ( http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip — the file size is about 13 MB);
    • There are 3 directories in the policy_templates:google chrome group policy admx templates
      1. chromeos (administrative templates for Chromium);
      2. common (contains html files with a full description of all Chrome policy settings – see chrome_policy_list.html file);chrome_policy_list.html help file
      3. windows – contains Chrome policy templates in two formats: ADM and ADMX (admx is a newer administrative policy format, supported starting from Windows Vista / Windows Server 2008 and newer);
        There is a chrome.reg file in the same directory. It contains an example of Chrome registry settings that can be set via the GPO. You can use examples from this reg file to directly import Chrome settings using Group Policy Preferences).
  • Copy the Chrome administrative template files to the C:\Windows\PolicyDefinitions directory (local administrative GPO templates are stored in this directory). In order for the Chrome Group Policy settings to be localized, you need to copy the corresponding ADML template files (folders en-US, de-De, etc…).
    Note. If you want to use Chrome policies in the Active Directory domain, you need to copy the ADMX and ADML files to a specific GPO directory (not the best option) or to PolicyDefinitions folder in SYSVOL on the domain controller.
  • Suppose, we are going to use the ADMX format of the GPO template and domain Central Policy Store. Copy the chrome.admx file and localization directories to the \\woshub.loc\SYSVOL\woshub.loc\Policies\PolicyDefinitions\PolicyDefinitions;Admx templates for Google Chrome
  • Open the domain Group Policy Management Console (gpmc.msc) and edit any existing GPO(or create a new one). Make sure that a new Google folder containing two subsections (Google Chrome and Google Chrome – Default Settings (users can override)) appeared both in User and Computer sections of Policies -> Administrative Templates;Google Chrome GPO
Tip. If you are not using the Central Store for Group Policies, you can add the GPO template for Google Chrome manually. To do it, right-click Administrative Templates and select Add/Remove Templates. In the next window specify the path to Chrome .adm file. It is better to specify the path in the UNC format, like this: \\woshub.loc\SYSVOL\woshub.loc\Policies\{60553A6F-2549-4C9E-B522-D3CF668E56B4}\Adm\chrome.adm.Add Chrome GPO templates to Group Policy

These administrative templates contain about 300+ different Google Chrome settings that you can manage. You can explore them yourself and configure the browser settings that are needed in your environment.

After you have installed the administrative group policy templates for the Google Chrome browser, you can proceed to configure Chrome settings on users’ computers.

Chrome Policy Settings

Configuring Typical Google Chrome Settings via GPO

Please note that Google Chrome settings are stored in two sections of Group Policy (both in Computer and User Configuration):

  • Google Chrome – users (and even the local administrator) cannot change the Chrome settings on their computer specified in this GPO section ;
  • Google Chrome – Default Settings (users can override) – recommended browser settings that users can change.

Let’s consider the basic Chrome settings that are often centrally configured in an enterprise environment:

  • Set Goggle Chrome as Default Browser: Enabled;
  • Set disk cache directory – path to the Chrome disk cache (as a rule it is  “${local_app_data}\Google\Chrome\User Data”);
  • Set disk cache size – disk cache size (in bytes);
  • Set Google Chrome Frame user data directory – Chrome directory with user settings “${local_app_data}\Google\Chrome\User Data”;
  • Managed Bookmarks;
  • Disable Chrome auto-update: Allow Installation: Disable, Update Policy Override: Enable and in the Policy field specify Updates Disable;
  • Add certain sites to trusted sites list – Policies HTTP Authentication -> Authentication server whitelist;
  • Allow Kerberos authentication in Chrome for a specific sites. Add a list of server and site addresses to the policy settings HTTP Authentication -> Kerberos Delegation Server Whitelist and Authentication Server Whitelist; chrome: enable kerberos auth for sites via group policy
  • Send anonymous usage statistics and crash information:  False;
  • Use a temporary Chrome profile (data is deleted after the user session ends). Ephemeral profile -> Enabled;
  • Block access to a list of URLs: add a list of websites to be blocked;
  • Change the location of the download folder: Set download directory: c:\temp\downloads.google chrome: change default download folder

Note that the ${local_app_data} directory corresponds to the folder %username%\AppData\Local, and ${roaming_app_data}  – to \%username%\AppData\Roaming.

A complete list of Chrome policy settings with detailed explanations can be found here https://cloud.google.com/docs/chrome-enterprise/policies/.

Configuring Proxy Server and Home Page with Chrome GPO

Let’s configure a proxy server in Chrome. We are interested in the following policy section: Google Chrome -> Proxy Server.

  • proxy server address: ProxyServer – 192.168.123.123:3128
  • an exception list for proxy: ProxyBypassList – http://www.woshub.local,192.168.*, *.corp.woshub.local

chrome: set proxy server address via gpo

Set a home page: Google Chrome -> Startup, Home page and New Tab page-> Configure the home page URL: http://woshub.com/

chrome policy: set homepage

It remains to link the policy to the desired container (OU) of Active Directory. Apply the group policy on a client by running the command:

gpupdate /force

gpupdate /force

Launch Chrome on the client and make sure that the settings specified in the GPO are applied (in the example on the screenshot, the user cannot change the values assigned by the administrator – “This settings is enforced by your administrator”).

You can troubleshoot group policy assignment on a desktop computer using gpresult.

chrome message: This settings is enforced by your administrator

And on the settings page, “Your browser is managed by your organization” is displayed.

chrome Your browser is managed by your organization

To display all Google Chrome settings that are set through the GPO, go to the Chrome://policy address (here the parameters specified through the registry or admx GPO template files are displayed).

chrome policy settings - summary

Deploying Google Chrome Extensions Using Group Policy

You can use ADMX templates to install certain Google Chrome extensions for all domain users.  For example, you want to automatically install the AdBlock extension on all computers. Open the chrome://extensions settings page and install the extension you need on your computer.

Now you need to get the extension ID and the URL from which the extension is updated. The Google Chrome Extension ID can be found in the extension properties (Developer mode must be enabled).

chrome get extension id

By ID, you need to find the extension folder in the user profile  C:\Users\%Username%\AppData\Local\ Google\Chrome\User Data\Default\Extensions\{id_here}.

In the extension folder find and open the manifest.json file and copy the value of the update_url. Most likely, you will see the following URL: https://clients2.google.com/service/update2/crx.

chrome file manifest.json with extension update_url

Now, in the GPO editor console, go to the Computer Configuration -> Policies -> Administrative Templates -> Google -> Google Chrome -> Extensions. Enable the policy Configure the list of force-installed extensions.

chrome gpo: Configure the list of force-installed extensions

Click the Show button and add a line for each extension that you want to install. Use the following format:

{extension_id_here};https://clients2.google.com/service/update2/crx

After applying to the user’s computers, all specified Chrome extensions will be installed in silent mode without interaction with the user.

install chrome extension via gpo

33 comments
0
Facebook Twitter Google + Pinterest
previous post
Wi-Fi Network Disappears After Sleep/Wake/Hibernate in Windows 10
next post
PowerShell: Generating QR Code for Wi-Fi Network in Windows 10

Related Reading

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

How to Shadow (Remote Control) a User’s RDP...

February 22, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

33 comments

Jack Sheppard February 9, 2016 - 3:54 pm

In the last example you Set download directory: c:\temp\Downloads.
In my experiment all users’ downloads went there.
I tried c:\temp\Downloads\%username% but now I had the same result with all users’ downloads showing up in c:\temp\Downloads\%username%.
So how do I set this policy to give each user his/her own dir under Downloads?

Reply
Jack Sheppard February 9, 2016 - 4:41 pm

Also tried  ${user_name}

Reply
steve88 February 15, 2016 - 11:05 am

These settings must be applied through  User Configuration
Try c:\temp\downloads\%UserName%
or
c:\temp\downloads\%LogonUser%

Reply
Nick April 6, 2016 - 9:20 am

Is it works only in the domain? I am tested on PC, which not in the domain and Chrome Group Policies I was created didn’t have any effect on Chrome browser 🙁

Reply
admin April 8, 2016 - 7:44 am

The policy should be applied to the standalone computer too.Are you add Chrome administrative template to gpedit.msc console?

Reply
CUONG DANG April 11, 2016 - 3:54 pm

Do you want block manager password ?

Reply
Nasir Mulla July 16, 2016 - 7:12 am

i want to disable executing .exe’s by browsing via chrome. e.g. users can enter the path in the address bar c:\windows\system32\cmd.exe. Upon entering this command – the cmd.exe gets copied into the %temp% folder and can execute. how can i stop this behaviour.
pls help

Reply
René de Meijer August 3, 2016 - 9:25 am

Hello Nasir,
 
If this  behaviour can be stopped in Chrome I am unsure. However the cmd.exe can be restricted with following settings;
User Configuration – Policies – Administrative Templates – System
Policy: Don’t run specified Windows applications
Add cmd.exe
 
Apply this GPO to the users that need cmd restricted.
 
 

Reply
osama September 19, 2016 - 10:28 am

it’s not working ,
but when i chk Chrome://policy it’s shows me that there’s is policy but there’s is no effect . 

 
 

Current user

Mandatory

Platform

HomepageLocation

http://www.facebook.com

OK

 

Reply
Richard September 27, 2016 - 3:54 pm

We have a RDP farm, and Adobe PDF is very heavy on our servers with +/- 80 people per server.
Do you know how we can make it so that you cannot choose in Chrome to Always open pdf with Adobe Acrobat? (if you do’nt choose this, the pdf opens in chrome which is perfect).
I know how to reset it when chosen (but I cannot script it).

Reply
admin September 28, 2016 - 5:59 am

Open Chrome  about:plugins and make sure that Chrome PDF Viewer is enabled.

Next set chrome.exe as a default viewer for *.pdf files.

And simply delete  Adobe Acrobat from RDP servers

Reply
Enzo December 4, 2016 - 10:15 pm

Just like Osama, It doesn’t work for me too. When I check the Chrome://policy, it’s all there but somehow it doesn’t work.

homepage still google instead of what i’m setting to.

Reply
admin December 7, 2016 - 6:46 am

If you are using a domain policy, check that you don’t forget copy chrome.admx file and localization directories to the PolicyDefinitions folder on a DC

Reply
rino19ny March 29, 2017 - 7:24 am

how do you add a bookmark via this group policy?

Reply
لایسنس سیتریکس April 7, 2017 - 8:30 am

Thank you very much. We have deployed Citrix XenApp in a company and they have published google chrome. Our client requires that users have a predefined Proxy settings and this proxy settings can not be changed by users.
Your guidelines helped us.

Reply
CP June 8, 2017 - 5:44 pm

I am trying to get the Google Chrome template to appear in GPMC. On the DC I have copied the admx files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions and the adml files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-us. I have rebooted the DC several times, but the Google Chrome template still does not show up under Computer Configuration\Policies\Administrative Templates. I can see the Google Chrome template in gpedit.msc though. Is there something else I need to do?
Thanks

Reply
Wiran September 22, 2019 - 8:19 am

change the admx filename to .adm

Reply
Adrian May 16, 2018 - 8:24 pm

After installation, I created a GPO for chrome. Now I can’t open any webpage. Keeping getting an error saying the site is blocked.Also, every time I open Chrome, the websites example.com and chromium.org pops up automatically. How can I fix this issues. Thanks.

Reply
Max May 17, 2018 - 5:10 pm

Have you set up any policies for Chrome? Try to disable them all, turning it into the Disabled state

Reply
Chrome Extensions: Bypassing your security - Syspanda July 31, 2018 - 8:51 pm

[…] Here’s an article that explains how to setup the GPO so I won’t cover that. […]

Reply
Dan October 24, 2018 - 3:57 pm

I’m on Server 2012 R2 and have no Policy Definitions folder at C:\Windows\SYSVOL\sysvol\domain.local\Policies to begin with but I do have 21 folders with random GUID names (I’m presuming these are other GPs?)

Neither Microsoft’s nor Google’s documentation specifies if creating a Policy Definitions folder in there next to those other folders will affect anything.

Is it safe to just create the folder there next to all those other ones or will it affect them?

I’m thinking of creating it and only putting the Chrome GPs in it?

Reply
admin October 30, 2018 - 5:54 am

Yes, these 21 folders with GUIDs are your domain GPOs.
Create a folder in this directory called Policy Definitions and copy the admx Chrome files into it.
After some time, check that the folder \\dc1\SYSVOL\domain.com\Policies\Policy Definitions has appeared on all your DCs.

Reply
Brian Hoffman December 20, 2018 - 1:44 am

I only want to block the Chrome password manager from saving login credentials for a few websites where there is risk but really don’t want to block where there isn’t sensitive data. For example, I really don’t care if they save their login for ihatemyjob.com but don’t want them caching logins to banking sites etc. Anyway to block some and not all?

Reply
admin December 20, 2018 - 10:09 am

With Chrome GPO, you can only enable or disable password storage for all sites. I’m talking about the policy “Enable saving password to the password manager”. In terms of user security, it’s worth to set it to Disabled.
For example, I never save my passwords in the browser (especially from banking sites), it is not safe.

Reply
Govind July 8, 2019 - 1:31 pm

Is there a setting by which we can disable right click in Google Chrome?

Reply
Peter September 6, 2019 - 12:21 pm

The download link for the ADMX files appears to be dead 🙁

Reply
Wiran September 22, 2019 - 8:25 am

Hi, Peter the download link works fine I just download it

Reply
Wiran September 22, 2019 - 8:25 am

when I wanna add the chrome template is get a error: the follwing error occurred in “‘the path of the chrome.adm’ on line 1:
Error 51 unexpected keywordf
Foud: <?xml
Expecterd class, category, [strings]

The file cannot be loaded.

I which do i need to replace?

Reply
max October 7, 2019 - 9:16 am

Don’t use adm template files – this is a legacy option. Just put chrome admx and adml files into C:\Windows\PolicyDefinitions.

Reply
Cleyton October 15, 2019 - 4:55 pm

Is there any way to prevent users from installing any plugin on chrome?

Reply
Rob October 19, 2019 - 2:31 am

I have the ADMx and everything where it supposed to b. When I do an ajustment in GPO like bookmarks disable or disable F11 full screen I refresh chrome and check chrome://policy nothing has changed.
BE MINDED its on a local computer no domain no nothing.

Reply
Rob October 19, 2019 - 2:36 am

Never mind started working after 10 minutes, while I was typing this post. Very odd

Reply
admin October 21, 2019 - 7:31 am

It looks like the Chrome settings were applied after the Пroup Зolicy update cycle on your computer.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021
  • How to Move (Clone) Windows to a New Hard Drive (HDD/SSD)?

    February 4, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Changing Desktop Background Wallpaper in Windows through GPO
  • How to Refresh AD Groups Membership without Reboot/Logoff?
  • Managing User Photos in Active Directory Using ThumbnailPhoto Attribute
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top