According to statistics, the most popular browser nowadays is Google Chrome, but its position in corporate networks is not so strong, and many administrators avoid using Google Chrome in the AD domain network because it is quite difficult to manage and update t from central location. In this article we’ll get acquainted with the administrative templates (admx) of group policies, provided by Google, that allow to manage Chrome settings from central location and make it easier to deploy and use this browser in corporate networks. Also, we will show several typical tasks of managing of the Google Chrome settings using GPO.
Importing Chrome Administrative Templates
The administrative templates of the GPO for Google Chrome are deployed as follows:
- Download and unpack an archive with ADM/ADMX templates of Group Policies for Google Chrome ( http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip the file size is about 13 MB).
- There are two types of group policy templates for Windows OS in the archive: ADM and ADMX (the latter is supported in the OS since Windows Vista / 2008 and above).
- Copy the files of an administrative template to the directory where they are to be stored. If you want group policy templates to be localized, don’t forget to copy the corresponding template file.Note. Local administrative GPO templates are stored in C:\Windows\PolicyDefinitions, but if you are going to use policy templates for Chrome in the Active Directory domain environment, you can save them to the folder of a certain policy (not the best option) or to PolicyDefinitions directory in SYSVOL on the domain controller.
- Suppose, we are going to use the ADMX format of the GPO template and centralized domain storage of policies. Copy chrome.admx file and localization directories to \\woshub.loc\SYSVOL\woshub.loc\Policies\PolicyDefinitions
- Open the Group Policy Management Console (gpmc.msc) and edit any existing policy (or create a new one). Make sure that a new Google folder containing two subsections: Google Chrome and Google Chrome – Default Settings (users can override) appeared both in User and Computer sections of Policies -> Administrative Templates.
So, we have copied GPO templates for Google Chrome browser. As we mentioned before, the new GPO section contains two subsections: Google Chrome and Google Chrome – Default Settings (users can override). The difference between them is that the settings of the latter section of policies can be changed by users in the browser settings on their computers. The settings of the first section are fixed and even the local administrator won’t be able to change them in the browser.
These administrative templates contain about 260 of different manageable Google Chrome settings. You can explore them yourself and configure the browser settings that are needed in your environment.
It doesn’t make any sense to consider all of them, we’ll only demonstrate basic Chrome settings that are often to be configured in the AD domain environment.
Typical Chrome settings in GPO
Among the useful Chrome settings that you should configure first, you can pay attention to the following policies (note that the ${local_app_data} directory corresponds to the folder %username%\AppData\Local, and ${roaming_app_data} – to \%username%\AppData\Roaming.
- Set disk cache directory – path to the Chrome disk cache (as a rule it is “${local_app_data}\Google\Chrome\User Data”
- Set disk cache size – disk cache size (in bytes)
- Set Google Chrome Frame user data directory – Chrome directory with user settings “${local_app_data}\Google\Chrome\User Data”
- Managed Bookmarks
- Disable Chrome auto-update: Allow Installation: Disable, Update Policy Override: Enable and in the Policy field specify Updates Disable
- Add certain sites to trusted sites list – Policies HTTP Authentication -> Authentication server whitelist
Configuring Proxy Server and Home Page with Chrome GPO
Let’s configure a proxy server: we are interested in the following policy section Google Chrome -> Proxy Server
- proxy server address: ProxyServer – 192.168.123.123:3128
- an exception list for proxy: ProxyBypassList – http://www.woshub.local,192.168.*, *.corp.woshub.local
Locate a home page: Home page -> HomepageLocation – http://woshub.com/
Change the location of the download folder:
Set download directory: c:\temp\Downloads
It remains to link the policy to the desired container (OU) of Active Directory. Apply the group policy to a client by running the command
gpupdate /force |
Run the browser on the client and make sure that the GPO settings have been applied to its settings (in this screenshot, a user can’t change the values that were set by the administrator).
To display all settings, set by the group policies directly in the Chrome, go to the address Chrome://policy.
In the event that you prevented users from changing these Chrome settings, a message will appear in the browser window: This setting is enforced by your administrator.
Automatic installation of Chrome extensions through GPO
With the help of these administrative templates, you can install certain Extensions of Google Chrome for all domain users. To do this, you need to know the ID of the extension and the URL from which the extension is updated.
The Google Chrome Extension ID can be found in the extension parameters in chrome://extensions (developer mode must be enabled).
By ID, you need to find the extension folder in the user profile C:\Users\%Username%\AppData\Local\ Google\Chrome\User Data\Default\Extensions\{id_here}.
In the extension folder find and open the manifest.json file and copy the value of the update_url. Most likely, you will see the following URL: https://clients2.google.com/service/update2/crx.
Now, in the GPO editor console, go to the Computer Configuration -> Policies -> Administrative Templates -> Google -> Google Chrome -> Extensions. Enable the policy Configure the list of force-installed extensions.
Click the Show button and add a line for each extension that you want to install. Use the following format:
{extension_id_here};https://clients2.google.com/service/update2/crx
After applying to the user’s computers, all specified Chrome extensions will be installed in silent mode without interaction with the user.
23 comments
In the last example you Set download directory: c:\temp\Downloads.
In my experiment all users’ downloads went there.
I tried c:\temp\Downloads\%username% but now I had the same result with all users’ downloads showing up in c:\temp\Downloads\%username%.
So how do I set this policy to give each user his/her own dir under Downloads?
Also tried ${user_name}
These settings must be applied through User Configuration
Try c:\temp\downloads\%UserName%
or
c:\temp\downloads\%LogonUser%
Is it works only in the domain? I am tested on PC, which not in the domain and Chrome Group Policies I was created didn’t have any effect on Chrome browser 🙁
The policy should be applied to the standalone computer too.Are you add Chrome administrative template to gpedit.msc console?
Do you want block manager password ?
i want to disable executing .exe’s by browsing via chrome. e.g. users can enter the path in the address bar c:\windows\system32\cmd.exe. Upon entering this command – the cmd.exe gets copied into the %temp% folder and can execute. how can i stop this behaviour.
pls help
Hello Nasir,
If this behaviour can be stopped in Chrome I am unsure. However the cmd.exe can be restricted with following settings;
User Configuration – Policies – Administrative Templates – System
Policy: Don’t run specified Windows applications
Add cmd.exe
Apply this GPO to the users that need cmd restricted.
it’s not working ,
but when i chk Chrome://policy it’s shows me that there’s is policy but there’s is no effect .
Current user
Mandatory
Platform
HomepageLocation
http://www.facebook.com
OK
We have a RDP farm, and Adobe PDF is very heavy on our servers with +/- 80 people per server.
Do you know how we can make it so that you cannot choose in Chrome to Always open pdf with Adobe Acrobat? (if you do’nt choose this, the pdf opens in chrome which is perfect).
I know how to reset it when chosen (but I cannot script it).
Open Chrome about:plugins and make sure that Chrome PDF Viewer is enabled.
Next set chrome.exe as a default viewer for *.pdf files.
And simply delete Adobe Acrobat from RDP servers
Just like Osama, It doesn’t work for me too. When I check the Chrome://policy, it’s all there but somehow it doesn’t work.
homepage still google instead of what i’m setting to.
If you are using a domain policy, check that you don’t forget copy chrome.admx file and localization directories to the PolicyDefinitions folder on a DC
how do you add a bookmark via this group policy?
Thank you very much. We have deployed Citrix XenApp in a company and they have published google chrome. Our client requires that users have a predefined Proxy settings and this proxy settings can not be changed by users.
Your guidelines helped us.
I am trying to get the Google Chrome template to appear in GPMC. On the DC I have copied the admx files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions and the adml files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-us. I have rebooted the DC several times, but the Google Chrome template still does not show up under Computer Configuration\Policies\Administrative Templates. I can see the Google Chrome template in gpedit.msc though. Is there something else I need to do?
Thanks
After installation, I created a GPO for chrome. Now I can’t open any webpage. Keeping getting an error saying the site is blocked.Also, every time I open Chrome, the websites example.com and chromium.org pops up automatically. How can I fix this issues. Thanks.
Have you set up any policies for Chrome? Try to disable them all, turning it into the Disabled state
[…] Here’s an article that explains how to setup the GPO so I won’t cover that. […]
I’m on Server 2012 R2 and have no Policy Definitions folder at C:\Windows\SYSVOL\sysvol\domain.local\Policies to begin with but I do have 21 folders with random GUID names (I’m presuming these are other GPs?)
Neither Microsoft’s nor Google’s documentation specifies if creating a Policy Definitions folder in there next to those other folders will affect anything.
Is it safe to just create the folder there next to all those other ones or will it affect them?
I’m thinking of creating it and only putting the Chrome GPs in it?
Yes, these 21 folders with GUIDs are your domain GPOs.
Create a folder in this directory called Policy Definitions and copy the admx Chrome files into it.
After some time, check that the folder \\dc1\SYSVOL\domain.com\Policies\Policy Definitions has appeared on all your DCs.
I only want to block the Chrome password manager from saving login credentials for a few websites where there is risk but really don’t want to block where there isn’t sensitive data. For example, I really don’t care if they save their login for ihatemyjob.com but don’t want them caching logins to banking sites etc. Anyway to block some and not all?
With Chrome GPO, you can only enable or disable password storage for all sites. I’m talking about the policy “Enable saving password to the password manager”. In terms of user security, it’s worth to set it to Disabled.
For example, I never save my passwords in the browser (especially from banking sites), it is not safe.