In this article we’ll get acquainted with the Chrome Group Policy administrative templates (admx), provided by Google, that allow you to centrally manage browser settings in an Active Directory domain. Chrome`s ADMX GPO templates greatly simplifies the deployment and configuring of this browser in a corporate network. Also, we will show several typical tasks of managing Google Chrome settings using GPO and installing browser extensions.
Installing GPO ADMX Templates for Google Chrome
In order to manage Chrome settings through Group Policies, you must download and install a special set of administrative GPO templates (admx files):
-
- Download and extract an archive with ADM/ADMX templates of Group Policies for Google Chrome ( http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip — the file size is about 13 MB);
- There are 3 directories in the policy_templates:
- chromeos (administrative templates for Chromium);
- common (contains html files with a full description of all Chrome policy settings – see chrome_policy_list.html file);
- windows – contains Chrome policy templates in two formats: ADM and ADMX (admx is a newer administrative policy format, supported starting from Windows Vista / Windows Server 2008 and newer); There is a chrome.reg file in the same directory. It contains an example of Chrome registry settings that can be set via the GPO. You can use examples from this reg file to directly import Chrome settings using Group Policy Preferences).
- Copy the Chrome administrative template files to the
C:\Windows\PolicyDefinitionsdirectory (local administrative GPO templates are stored in this directory). In order for the Chrome Group Policy settings to be localized, you need to copy the corresponding ADML template files (folders en-US, de-De, etc…).Note. If you want to use Chrome policies in the Active Directory domain, you need to copy the ADMX and ADML files to a specific GPO directory (not the best option) or to the PolicyDefinitions folder in SYSVOL on the domain controller. - Suppose, we are going to use the ADMX format of the GPO template and domain Central Policy Store. Copy the chrome.admx file and localization directories to the \\woshub.loc\SYSVOL\woshub.loc\Policies\PolicyDefinitions\PolicyDefinitions;
- Open the domain Group Policy Management Console (gpmc.msc) and edit any existing GPO(or create a new one). Make sure that a new Google folder containing two subsections (Google Chrome and Google Chrome – Default Settings (users can override)) appeared both in User and Computer sections of Policies -> Administrative Templates;
These administrative templates contain about 300+ different Google Chrome settings that you can manage. You can explore them yourself and configure the browser settings that are needed in your environment.
After you have installed the administrative group policy templates for the Google Chrome browser, you can proceed to configure Chrome settings on users’ computers.
Configuring Typical Google Chrome Settings via GPO
Please note that Google Chrome settings are stored in two sections of Group Policy (both in Computer and User Configuration):
- Google Chrome – users (and even the local administrator) cannot change the Chrome settings on their computer specified in this GPO section ;
- Google Chrome – Default Settings (users can override) – recommended browser settings that users can change.
Let’s consider the basic Chrome settings that are often centrally configured in an enterprise environment:
- Set Goggle Chrome as Default Browser: Enabled;
- Set disk cache directory – path to the Chrome disk cache (as a rule it is “${local_app_data}\Google\Chrome\User Data”);
- Set disk cache size – disk cache size (in bytes);
- Set Google Chrome Frame user data directory – Chrome directory with user settings “${local_app_data}\Google\Chrome\User Data”;
- Managed Bookmarks;
- Disable Chrome auto-update: Allow Installation: Disable, Update Policy Override: Enable and in the Policy field specify Updates Disable;
- Add certain sites to trusted sites list – Policies HTTP Authentication -> Authentication server whitelist;
- Allow Kerberos authentication in Chrome for a specific sites. Add a list of server and site addresses to the policy settings HTTP Authentication -> Kerberos Delegation Server Whitelist and Authentication Server Whitelist;
- Send anonymous usage statistics and crash information: False;
- Use a temporary Chrome profile (data is deleted after the user session ends). Ephemeral profile -> Enabled;
- Block access to a list of URLs: add a list of websites to be blocked;
- Change the location of the download folder: Set download directory: c:\temp\downloads.
Note that the ${local_app_data} directory corresponds to the folder %username%\AppData\Local, and ${roaming_app_data} – to \%username%\AppData\Roaming.
Configuring Proxy Server and Home Page with Chrome GPO
Let’s configure a proxy server in Chrome. We are interested in the following policy section: Google Chrome -> Proxy Server.
- proxy server address: ProxyServer – 192.168.123.123:3128
- an exception list for proxy: ProxyBypassList – http://www.woshub.local,192.168.*, *.corp.woshub.local
Set a home page: Google Chrome -> Startup, Home page and New Tab page-> Configure the home page URL: http://woshub.com/
It remains to link the policy to the desired container (OU) of Active Directory. Apply the group policy on a client by running the command:
gpupdate /force
Launch Chrome on the client and make sure that the settings specified in the GPO are applied (in the example on the screenshot, the user cannot change the values assigned by the administrator – “This settings is enforced by your administrator”).
And on the settings page, “Your browser is managed by your organization” is displayed.
To display all Google Chrome settings that are set through the GPO, go to the Chrome://policy address (here the parameters specified through the registry or admx GPO template files are displayed).
Deploying Google Chrome Extensions Using Group Policy
You can use ADMX templates to install certain Google Chrome extensions for all domain users. For example, you want to automatically install the AdBlock extension on all computers. Open the chrome://extensions settings page and install the extension you need on your computer.
Now you need to get the extension ID and the URL from which the extension is updated. The Google Chrome Extension ID can be found in the extension properties (Developer mode must be enabled).
By ID, you need to find the extension folder in the user profile C:\Users\%Username%\AppData\Local\ Google\Chrome\User Data\Default\Extensions\{id_here}.
In the extension folder find and open the manifest.json file and copy the value of the update_url. Most likely, you will see the following URL: https://clients2.google.com/service/update2/crx.
Now, in the GPO editor console, go to the Computer Configuration -> Policies -> Administrative Templates -> Google -> Google Chrome -> Extensions. Enable the policy Configure the list of force-installed extensions.
Click the Show button and add a line for each extension that you want to install. Use the following format:
{extension_id_here};https://clients2.google.com/service/update2/crx
After applying to the user’s computers, all specified Chrome extensions will be installed in silent mode without interaction with the user.
33 comments
In the last example you Set download directory: c:\temp\Downloads.
In my experiment all users’ downloads went there.
I tried c:\temp\Downloads\%username% but now I had the same result with all users’ downloads showing up in c:\temp\Downloads\%username%.
So how do I set this policy to give each user his/her own dir under Downloads?
Also tried ${user_name}
These settings must be applied through User Configuration
Try c:\temp\downloads\%UserName%
or
c:\temp\downloads\%LogonUser%
Is it works only in the domain? I am tested on PC, which not in the domain and Chrome Group Policies I was created didn’t have any effect on Chrome browser 🙁
The policy should be applied to the standalone computer too.Are you add Chrome administrative template to gpedit.msc console?
Do you want block manager password ?
i want to disable executing .exe’s by browsing via chrome. e.g. users can enter the path in the address bar c:\windows\system32\cmd.exe. Upon entering this command – the cmd.exe gets copied into the %temp% folder and can execute. how can i stop this behaviour.
pls help
Hello Nasir,
If this behaviour can be stopped in Chrome I am unsure. However the cmd.exe can be restricted with following settings;
User Configuration – Policies – Administrative Templates – System
Policy: Don’t run specified Windows applications
Add cmd.exe
Apply this GPO to the users that need cmd restricted.
it’s not working ,
but when i chk Chrome://policy it’s shows me that there’s is policy but there’s is no effect .
Current user
Mandatory
Platform
HomepageLocation
http://www.facebook.com
OK
We have a RDP farm, and Adobe PDF is very heavy on our servers with +/- 80 people per server.
Do you know how we can make it so that you cannot choose in Chrome to Always open pdf with Adobe Acrobat? (if you do’nt choose this, the pdf opens in chrome which is perfect).
I know how to reset it when chosen (but I cannot script it).
Open Chrome about:plugins and make sure that Chrome PDF Viewer is enabled.
Next set chrome.exe as a default viewer for *.pdf files.
And simply delete Adobe Acrobat from RDP servers
Just like Osama, It doesn’t work for me too. When I check the Chrome://policy, it’s all there but somehow it doesn’t work.
homepage still google instead of what i’m setting to.
If you are using a domain policy, check that you don’t forget copy chrome.admx file and localization directories to the PolicyDefinitions folder on a DC
how do you add a bookmark via this group policy?
Thank you very much. We have deployed Citrix XenApp in a company and they have published google chrome. Our client requires that users have a predefined Proxy settings and this proxy settings can not be changed by users.
Your guidelines helped us.
I am trying to get the Google Chrome template to appear in GPMC. On the DC I have copied the admx files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions and the adml files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-us. I have rebooted the DC several times, but the Google Chrome template still does not show up under Computer Configuration\Policies\Administrative Templates. I can see the Google Chrome template in gpedit.msc though. Is there something else I need to do?
Thanks
change the admx filename to .adm
After installation, I created a GPO for chrome. Now I can’t open any webpage. Keeping getting an error saying the site is blocked.Also, every time I open Chrome, the websites example.com and chromium.org pops up automatically. How can I fix this issues. Thanks.
Have you set up any policies for Chrome? Try to disable them all, turning it into the Disabled state
[…] Here’s an article that explains how to setup the GPO so I won’t cover that. […]
I’m on Server 2012 R2 and have no Policy Definitions folder at C:\Windows\SYSVOL\sysvol\domain.local\Policies to begin with but I do have 21 folders with random GUID names (I’m presuming these are other GPs?)
Neither Microsoft’s nor Google’s documentation specifies if creating a Policy Definitions folder in there next to those other folders will affect anything.
Is it safe to just create the folder there next to all those other ones or will it affect them?
I’m thinking of creating it and only putting the Chrome GPs in it?
Yes, these 21 folders with GUIDs are your domain GPOs.
Create a folder in this directory called Policy Definitions and copy the admx Chrome files into it.
After some time, check that the folder \\dc1\SYSVOL\domain.com\Policies\Policy Definitions has appeared on all your DCs.
I only want to block the Chrome password manager from saving login credentials for a few websites where there is risk but really don’t want to block where there isn’t sensitive data. For example, I really don’t care if they save their login for ihatemyjob.com but don’t want them caching logins to banking sites etc. Anyway to block some and not all?
With Chrome GPO, you can only enable or disable password storage for all sites. I’m talking about the policy “Enable saving password to the password manager”. In terms of user security, it’s worth to set it to Disabled.
For example, I never save my passwords in the browser (especially from banking sites), it is not safe.
Is there a setting by which we can disable right click in Google Chrome?
The download link for the ADMX files appears to be dead 🙁
Hi, Peter the download link works fine I just download it
when I wanna add the chrome template is get a error: the follwing error occurred in “‘the path of the chrome.adm’ on line 1:
Error 51 unexpected keywordf
Foud: <?xml
Expecterd class, category, [strings]
The file cannot be loaded.
I which do i need to replace?
Don’t use adm template files – this is a legacy option. Just put chrome admx and adml files into C:\Windows\PolicyDefinitions.
Is there any way to prevent users from installing any plugin on chrome?
I have the ADMx and everything where it supposed to b. When I do an ajustment in GPO like bookmarks disable or disable F11 full screen I refresh chrome and check chrome://policy nothing has changed.
BE MINDED its on a local computer no domain no nothing.
Never mind started working after 10 minutes, while I was typing this post. Very odd
It looks like the Chrome settings were applied after the Пroup Зolicy update cycle on your computer.