
Manage Chrome through Windows Server GPO

March 10, 2022 By JeffTechs

I’ve been remiss with keeping up with my technical articles. I’ve devoted a lot of time to studying for the RHCSA, and last week, I passed on the first try. Feels amazing to achieve that goal; and no better way to celebrate a Linux achievement, than to write an article about Windows Server :-).

Web browsers are probably the most used application on almost any end-user PC. Staff rarely have a solid grasp of how the internet works, how to stay safe on it (computer health), or even the addresses of the websites they commonly use. With ADMX templates we can help staff with their jobs and keep the computer and the organization safer.

In this article I’m going to go over how to do this with Google Chrome. You can do the exact same thing with Microsoft Edge as well–probably Firefox too, but I haven’t had to set that one up. The first step is to download the appropriate files, then select the server you want to add these files to. This would be a good time to do a backup or create a restore point for the server.

Head to https://support.google.com/chrome/a/answer/7650032?hl=en&ref_topic=7649835 and select the 64-bit or 32-bit download.

This will download a zip file. Move that file to the selected server and extract the contents. You’ll notice there are three folders and a VERSION file. We are going to look at the Configuration folder: go to Configuration, then admx. The folders in here are the different languages. At the bottom are two files that need to be copied, chrome.admx and google.admx (they go to a different location than the language files). After identifying those, choose your preferred language–guessing it’s English if you’re reading this.

Open a new File Explorer window and go to the domain’s SYSVOL area. It should be \\domain_name.local\SYSVOL
Keep drilling down until you get to the PolicyDefinitions folder. It will look like \\domain_name.local\SYSVOL\domain_name.local\Policies\PolicyDefinitions
Mine looks like this:

The PolicyDefinitions folder is where we will copy our admx files: chrome.admx and google.admx. Now go back to the language folder we identified in the earlier step and copy the chrome.adml and google.adml files into \\…PolicyDefinitions\en-US (or the language you have here).

Now when editing a GPO, you should see the Google option under both Computer Configuration and User Configuration.

Success!

Now, this is all well and good, but it won’t have much of an effect unless we configure some settings and link it to something. I tend to write my GPOs by Computer Configuration, unless User Configuration is necessary–like mapped Home Drives for users. Once you drill down a bit, you’ll see there are a lot of settings in here.

Some of these are pretty straightforward: Allow audio capture, Allow incognito mode, Allow deleting of user history, etc. These are the ones you can toggle on or off. Some get a little more tricky with certificates, proxies, HSTS checks, etc. One in particular that gave me some trouble was pushing out bookmarks to end-users. I thought this would be a nice touch for websites used company-wide.

If you scroll down a little past halfway, you should see an option called “Managed Bookmarks.” Select that option.

Under this setting, select Enabled and you should see the “Managed Bookmarks” field open up. The GPO does a good job of explaining the syntax, but it still took me a second to create a bookmarks folder and then add a list of websites under it. To save you some time (if you’re doing this, of course), here’s the syntax to add into that area.

[{"toplevel_name": "FolderName"},{"url": "https://www.office.com","name": "Office Suite"},{"url": "https://helpdesk.com","name": "HelpDesk"},{"url": "https://payroll.com","name": "Payroll Site"},{"url": "https://tacos.com","name": "The agreed upon taco truck we all go to"}]
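
A check worth running before pasting a value into the Managed Bookmarks field, since a list copied from a web page or word processor often carries curly quotes that are not valid JSON, and whatever URLs it contains are pushed to every user. This is an added PowerShell example, not part of the original article; the function names are hypothetical and the https-only rule is a local assumption, not a Chrome requirement.

```powershell
# Added example: lint a ManagedBookmarks value before it goes into the GPO.
# Test-BookmarkNode and Test-ManagedBookmarks are hypothetical helper names.
function Test-BookmarkNode {
    param($Node, [string]$Path, [bool]$AllowTopLevel)
    $keys = @($Node.PSObject.Properties.Name)
    if ($keys -contains 'toplevel_name') {
        if (-not $AllowTopLevel) { "${Path}: toplevel_name is only valid as the first top-level entry" }
        return
    }
    if (-not $Node.name) { "${Path}: missing 'name'" }
    if ($keys -contains 'children') {
        $i = 0
        foreach ($child in @($Node.children)) {      # sub-folder: check each child recursively
            Test-BookmarkNode -Node $child -Path "${Path}.children[$i]" -AllowTopLevel $false
            $i++
        }
    } elseif ($keys -contains 'url') {
        $uri = $null
        if (-not [System.Uri]::TryCreate([string]$Node.url, [System.UriKind]::Absolute, [ref]$uri)) {
            "${Path}: '$($Node.url)' is not an absolute URL"
        } elseif ($uri.Scheme -ne 'https') {
            # Local rule (assumption): only publish https links as managed bookmarks.
            "${Path}: '$($Node.url)' is not https"
        }
    } else {
        "${Path}: needs either 'url' or 'children'"
    }
}

function Test-ManagedBookmarks {
    param([Parameter(Mandatory)][string]$Json)
    if ($Json -match '[\u201C\u201D\u2018\u2019]') {
        return 'Typographic (curly) quotes found; replace them with straight quotes'
    }
    try { $parsed = ConvertFrom-Json -InputObject $Json -ErrorAction Stop }
    catch { return "Not valid JSON: $($_.Exception.Message)" }
    if (-not $Json.TrimStart().StartsWith('[')) { return 'Top level must be a JSON list' }
    $i = 0
    foreach ($node in @($parsed)) {
        Test-BookmarkNode -Node $node -Path "[$i]" -AllowTopLevel ($i -eq 0)
        $i++
    }
}

# Constructed sample: the article's folder and first bookmark, plus one http:// entry to trip the check.
$sample = '[{"toplevel_name": "FolderName"},{"url": "https://www.office.com","name": "Office Suite"},{"url": "http://helpdesk.com","name": "HelpDesk"}]'
$problems = @(Test-ManagedBookmarks -Json $sample)
if ($problems) { $problems } else { 'OK to paste into the Managed Bookmarks field' }
```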

That’ll do it. Also, pro tip: if you’re troubleshooting some of the GPO settings or just want to make sure they’re hitting the computers, open up Chrome and type into the URL bar:

chrome://policy

This will show you which policies Chrome is picking up from the server. Hope that helps and good luck out there.