Most system administrators deploy Group Policy Objects (GPOs) to control and limit user activity on Windows-based PCs. This is a very useful management tool, as it provides granular control over the operations on the workstations. As any system admin will tell you, GPO ends up being a valuable tool because of its ease of use and the time it saves.
Google offers a Chrome MSI installer and a GPO template to help admins automate widespread installation and control of Chrome. An MSI installer is one that can be pushed down to Windows clients and run silently, without the user's knowledge or interaction. GPO templates define settings that affect how Windows or a specific program, in this case Chrome, functions.
To get started, download the MSI and download the policy templates (Zip file). There are two different types of templates: ADM and ADMX. ADM is for Windows Server 2003 domains and ADMX is for Windows Server 2008 domains. For this article, we will be creating a GPO in a Server 2003 domain. This GPO will require the MSI installer to be located in a network share. To do so, create a folder called MSI, then give the Domain Computers group the 'Read' share permission and the 'Read/Execute' security permission on it. Place the MSI within this folder.
GPOs can be applied to machines or to users. For Chrome, it is best to create the GPO for the machines rather than the users. This way Chrome is available to any user that logs onto any machine.
On your domain controller, open Group Policy Management and right-click on the OU that contains the PCs in your domain, typically "Domain Computers". Select "Create and Link a GPO Here" and enter a name for the GPO, such as "Chrome Installer". The new GPO will appear in the list. Double-click the GPO to edit the settings. Under 'Security Filtering', we want to add the machines this GPO will apply to. The most efficient way is to use a group, rather than individual machines. By default, Active Directory places all domain computers (except domain controllers) into the Domain Computers group. Click 'Add', type in "domain computers" and click 'OK'. Remove anything else that is listed there, such as user accounts or groups. (Figure A)
Figure B
variety of policies, everything from controlling the startup page to more advanced policies (Figure C). Notable policies are:
- Set Chrome as Default Browser
- Specify a list of plugins that a user can enable or disable
- Import bookmarks from default browser on first run
- Block access to a list of URLs
- Allow access to a list of URLs
- Set user data directory
- Configure the home page URL
- Enable the password manager (which should always be disabled)
- Action on Startup
Finally, reboot the machines in order to apply the GPO, which will install Chrome and the templates.
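Once a machine has rebooted, you can confirm that the Chrome policies actually landed by reading the machine policy key in the registry. The script below is an added example, not part of the original article or of Google's templates. The registry path and value names are Chrome's own policy names (both the older and newer names of the URL list policies are checked). The expected values are assumptions for illustration, apart from the password manager being disabled, and should be adjusted to match your own GPO.

```powershell
# Added example: audit Chrome machine policies on a workstation after the GPO applies.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Assumed expected settings; edit to mirror what your GPO configures.
$expected = @{
    PasswordManagerEnabled       = 0   # password manager disabled, as recommended above
    DefaultBrowserSettingEnabled = 1   # Chrome set as default browser (assumption)
    ImportBookmarks              = 1   # import bookmarks on first run (assumption)
}

function Test-ChromePolicy {
    param(
        [string]$Key = $policyKey,
        [hashtable]$Expected = $expected
    )
    # No key at all means the GPO never reached this machine.
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "No Chrome policy key at $Key; the GPO has not applied here."
        return
    }
    $actual = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $value) { '<not set>' } else { $value }
            Compliant = ($null -ne $value) -and ($value -eq $Expected[$name])
        }
    }
    # URL list policies are stored as subkeys holding numbered string values.
    foreach ($list in 'URLBlocklist', 'URLBlacklist', 'URLAllowlist', 'URLWhitelist') {
        $sub = Join-Path -Path $Key -ChildPath $list
        if (Test-Path -Path $sub) {
            $regKey = Get-Item -Path $sub
            foreach ($n in $regKey.GetValueNames()) {
                [pscustomobject]@{
                    Policy    = "$list[$n]"
                    Expected  = '<review>'
                    Actual    = $regKey.GetValue($n)
                    Compliant = $null   # list entries need a human review
                }
            }
        }
    }
}

Test-ChromePolicy | Format-Table -AutoSize
```

Any row showing `<not set>` or `Compliant = False` means the setting on that machine does not match what the GPO was meant to enforce.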
Tim Lange is an IT professional who, among other things, manages Google Apps for his company.