Issue 259236 in chromium: Group Policies are ignored in enterprise version 28.0.1500.71


chro...@googlecode.com

Jul 11, 2013, 4:24:59 AM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Cr-Enterprise

New issue 259236 by ulrike.h...@gmail.com: Group Policies are ignored in
enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Version of Google Chrome (Wrench-> About Google Chrome): 28.0.1500.71
Version of MSI (if applicable): {93736860-390D-43E1-9566-5CA60ABE5BED}
Using group policy settings? Yes

Group policies did work in all former versions of chrome enterprise, I did
not change anything. But in the new version 28 they are ignored. I do a new
installation on a clean machine, no old chrome profile on it. PC is Windows
7 x64, no domain join.

I checked the new policy template for version 28, but no policy I use has
changed or does not exist any more.

Registry entries exist under HKLM/Software/Policies/Google/Chrome

about:policy tells me, that no policies are set, if I try to load policies
with the button in about:policy, nothing happens; the browser tells me that
no policy is set.

I searched the forum but I did not find any answer.

Is there a bug in chrome which prevents chrome from reading group policies?


chro...@googlecode.com

Jul 11, 2013, 4:33:59 AM
to chromi...@chromium.org

Comment #1 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Have you configured your policy settings via GPO tools (gpedit/gpmc), or
did you edit registry entries directly?

Chrome 28 has a change that queries Windows for GPO directly instead of
going through the registry, hence registry settings that get created out of
band will be ignored.

chro...@googlecode.com

Jul 11, 2013, 6:05:39 AM
to chromi...@chromium.org

Comment #2 on issue 259236 by ulrike.h...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Thank you for the information.
I do not use GPO Tools. I made a mst-file which is used during installation
to set registry keys.

chro...@googlecode.com

Jul 11, 2013, 6:13:56 AM
to chromi...@chromium.org
Updates:
Status: WontFix

Comment #3 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Ah, that explains it. I'm sorry, but the MST way is no longer supported (in
fact, we never intended it to be supported).

chro...@googlecode.com

Jul 11, 2013, 6:24:59 AM
to chromi...@chromium.org

Comment #4 on issue 259236 by ulrike.h...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Ok, then I have to find a workaround for myself. There is no AD in our
organization so central GPOs via AD are not possible. Thanks a lot for the
fast answer.

chro...@googlecode.com

Jul 11, 2013, 7:02:57 AM
to chromi...@chromium.org

Comment #5 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Note that gpedit.msc allows you to write local group policy, you can play
with it and configure user/machine group policy. If you need tools for
deploying local GPO to machines, this may come in helpful:
http://technet.microsoft.com/en-us/library/ee461027.aspx

chro...@googlecode.com

Jul 11, 2013, 4:34:43 PM
to chromi...@chromium.org

Comment #6 on issue 259236 by joaod...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Issue 259470 has been merged into this issue.

chro...@googlecode.com

Jul 11, 2013, 5:46:43 PM
to chromi...@chromium.org

Comment #8 on issue 259236 by tyler.sc...@covenanteyes.com: Group Policies
are ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I've followed the directions on the technet link above, and it doesn't seem
to work on most Windows installations (RSAT is not common): therefore, we
are no longer able to enforce this group policy on a per-machine basis. Is
there anything else I can try to make this work?

chro...@googlecode.com

Jul 12, 2013, 2:56:32 AM
to chromi...@chromium.org

chro...@googlecode.com

Jul 12, 2013, 4:52:02 AM
to chromi...@chromium.org

Comment #10 on issue 259236 by ulrike.h...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I tried to use the adm template of chrome on a machine without domain join,
and it did not work. Chrome does not read the settings made via gpedit on
the local machine.
As far as I know and understand from the links posted above you need an AD
Central Store to deploy GPOs on clients. But we do not have an Active
Directory.
I tried to find any other solution to customize the enterprise or
non-enterprise Chrome Installer regarding the chrome user profile but I was
not successful.
I work at a university with thousands of users. So Google Chrome will not
be used any more if customization without Active Directory is not possible
any more.

chro...@googlecode.com

Jul 12, 2013, 6:16:47 AM
to chromi...@chromium.org

Comment #11 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

The gpedit approach should work. In fact, Microsoft documents that local
group policy works without Active Directory:
http://technet.microsoft.com/en-us/library/cc775702(v=ws.10).aspx

I've just verified that it works with Chrome 28.0.1500.71 on a machine
that's not on an Active Directory domain. Here's what I did:

1. Make sure I have Chrome 28 installed.
2. Download policy templates from
http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
3. Fire up gpedit.msc and do "Computer Configuration" ->
right-click "Administrative Templates" -> "Add/Remove templates" ->
click "Add..." -> select "windows/adm/en-US/chrome.adm" from the
policy_templates.zip download
4. In "Computer Configuration" -> "Administrative Templates" -> "Classic
Administrative Templates" -> "Google" -> "Google Chrome" configure some
policy settings
5. Fire up Chrome and policy works, chrome://policy lists the settings I
made.

To troubleshoot your issue, can you:

* Run chrome with logging enabled per the instructions at
http://www.chromium.org/for-testers/enable-logging and share the log file
contents?
* Check about:histograms and share the Enterprise.PolicyLoadStatus block?

chro...@googlecode.com

Jul 12, 2013, 10:07:17 AM
to chromi...@chromium.org

Comment #12 on issue 259236 by tlsch...@mtu.edu: Group Policies are ignored
Even if it works, a manual process is not very helpful when distributing
across thousands of machines: does anyone know a way to automate this on
normal Windows machines using a batch script, without special tools
installed?

chro...@googlecode.com

Jul 12, 2013, 4:37:36 PM
to chromi...@chromium.org

Comment #14 on issue 259236 by derick.n...@fazolis.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Does anyone have any publicly available advice for this issue? Using
regedit was the easiest way for our non-AD deployment. Most of these machines
are XP so the recommended articles aren't useful (no ADMX options here)

I would like to use the Chrome Management policies via the Google Control
Panel but those aren't being applied consistently at the org levels.
This version seems to "sign out" users once they've signed in to chrome
immediately after a successful login on Orgs with a Chrome Policy
configured.
Non Chrome Policy orgs are able to stay signed in though there's nothing
configured in Chrome Management Settings.

chro...@googlecode.com

Jul 12, 2013, 5:25:00 PM
to chromi...@chromium.org
Updates:
Cc: dconne...@chromium.org

Comment #15 on issue 259236 by bar...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

When you sign into an account that receives enterprise policy, Chrome
should show you a dialog that explains what is happening (policy is about
to be applied) and gives you the choice to proceed or to abort. Maybe your
users chose to abort, thus signing out again?

Adding Daniel who implemented this dialog and knows precisely how it works.

chro...@googlecode.com

Jul 12, 2013, 7:03:39 PM
to chromi...@chromium.org

Comment #16 on issue 259236 by derick.n...@fazolis.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I tried myself and I get the option to accept settings - I don't recall
seeing anything specific to policy settings being applied - but I'm
certainly not denying any dialogues. The odd thing is the fact that it is
signing me out / stopping sync during this process.

I've opened a case with Google Enterprise support to see if there is
something I could be possibly doing wrong in the policy itself.
We have some chrome books in production and those are mostly receiving
policies -- they are experiencing the same sign out thing too however

chro...@googlecode.com

Jul 15, 2013, 11:36:00 AM
to chromi...@chromium.org

Comment #17 on issue 259236 by bugdro...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236#c17

------------------------------------------------------------------------
r211645 | joaod...@chromium.org | 2013-07-15T15:33:06.855655Z

Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/policy/policy_templates.json?r1=211645&r2=211644&pathrev=211645

Updated the generated policy documentation.

This update removes references to the Windows registry, and adds a note that
since Chrome 28 the registry isn't used anymore.

BUG=259236

Review URL: https://chromiumcodereview.appspot.com/19181002
------------------------------------------------------------------------

chro...@googlecode.com

Jul 16, 2013, 4:17:06 AM
to chromi...@chromium.org

Comment #18 on issue 259236 by ulrike.h...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I found a simple way to use preferences without using an Active Directory
or policy templates. There is a file named master_preferences in chrome's
program files folder, which can be edited (see
http://www.chromium.org/administrators/configuring-other-preferences). But
note: all preferences set here are editable by the user. But for me, it
works perfectly.

chro...@googlecode.com

Jul 16, 2013, 9:06:27 AM
to chromi...@chromium.org

Comment #19 on issue 259236 by pasta...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

@Ulrike: master_preferences are not the same as policies though as they
are applied only once at first run and even if you change them they
won't get reapplied, whereas policies are read on each startup and applied
with their current values.

chro...@googlecode.com

Jul 16, 2013, 10:52:31 AM
to chromi...@chromium.org

Comment #20 on issue 259236 by derick.n...@fazolis.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Thanks for the tips. That looks somewhat promising -- the problem here is
that we already have Chrome installed at our remote locations so we'd have
to delete the profiles/preferences before we could take advantage of the
master_preferences option.

We feel that if we are going to have to provide that much intervention for
our field machines we'd rather get the Chrome Sync option working properly
since it's centrally managed AND officially supported by Google. The
alternatives for GPO for non-domain machines are also very ugly for XP.
They will be the last resort

As far as Sync goes - What we are seeing currently is that in a number of
locations (they are different machines using different accounts) the Sync
isn't taking over the settings. It's like they are syncing on a personal
account -- bookmarks, omnibox, etc are being sent to and from the browser
to the Dashboard but our Corporate settings aren't being applied.
In a few instances I've tried manually adding our extensions we Force
Install and we're getting errors that say "could not move extension
directory into profile."

If I delete the three Extensions related folders within the profile, I can
then load them, but only manually. The Sync settings aren't being applied.

Deleting the whole profile and configuring Sync again results in the same
problem. I have even deleted the profiles, uninstalled Chrome, rebooted,
installed Chrome, rebooted again and then synced with the same problem.
The issue seems to be local as we can load that Sync profile on a clean
machine and get the desired results. I also have a case open with Google
Support and they asked for the information under Chrome:policy and it's
completely blank, as if there is no policy being applied.
It's all a mystery here.

No amount of uninstall, deleting profiles, user data folders, or creating
additional profiles seems to fix the problem at the affected sites.
What I think we need now is a method to "clean" Chrome completely from the
machine, if something like that exists.

chro...@googlecode.com

Jul 17, 2013, 6:40:51 AM
to chromi...@chromium.org

Comment #21 on issue 259236 by SamCon...@agbarr.co.uk: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

We have users who use GMail using Chrome as the browser, is there any way to
pass through the GMail email address to the Chrome Sign-In to automatically
register the user against the Admin Console and apply the relevant Policy
from the Google Admin Console ?

chro...@googlecode.com

Jul 17, 2013, 6:51:51 AM
to chromi...@chromium.org

Comment #22 on issue 259236 by bar...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re #21: Do you mean actual GMail e-mail addresses (@gmail.com) or Google
accounts at your own domain (e.g. @agbarr.co.uk)?

Users with @gmail.com addresses cannot be managed through the Admin Console
because you are not the administrator of gmail.com. But if your users have
addresses that belong to your own domain and you have the Admin Console
enabled for that domain, yes, you configure policies through the Admin
Console and the policies kick in when a user signs into Chrome with their
e-mail address.

chro...@googlecode.com

Jul 17, 2013, 10:45:27 AM
to chromi...@chromium.org

Comment #23 on issue 259236 by SamCon...@agbarr.co.uk: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Yes, via the @agbarr.co.uk domain.

But we are trying to automate the Chrome Sign-In process, rather than
getting our users to manually Sign-In, I thought that as Google already had
the authentication details (via the GMail authentication) we might be able
to use these to pass to Chrome ? Any ideas ?

chro...@googlecode.com

Jul 22, 2013, 6:03:43 AM
to chromi...@chromium.org

Comment #24 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re #23: In the current state of things, logging into GMail and logging into
Chrome are two different things.

chro...@googlecode.com

Jul 26, 2013, 3:37:49 AM
to chromi...@chromium.org

Comment #25 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Same issue here. We deploy our GPO's in our 'old' environment via Group
Policy Management which seems to work fine.
In our new environment policies are created through AppSense Environment
Manager. This tool processes adm-templates and creates the corresponding
entries in the registry without using Group Policy Management and this is
not working. Keys are created in the registry
(HKCU/software/policies/google/chrome) but aren't read anymore in chrome 28.
Typing Chrome://policy in the omnibox results in no policies...
This is a major issue for us. For the moment we cannot deploy a 28+ version
of Chrome.

chro...@googlecode.com

Jul 26, 2013, 4:20:34 AM
to chromi...@chromium.org

Comment #26 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Some management products have ways to actually create proper Group Policy
Objects instead of screwing with the registry. I don't know AppSense
Environment Manager, and from a quick search on the net, it's unclear
whether that product supports such a mode of operation. Does somebody have
some good docs on it?

Note that it's highly unlikely that Chrome goes back to unconditional
registry reads in the future (we've seen too much abuse). So unless
AppSense supports proper GPO, Chrome will be incompatible moving forward.

chro...@googlecode.com

Jul 28, 2013, 1:17:22 AM
to chromi...@chromium.org

Comment #27 on issue 259236 by manageme...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

The change generated in version 28 has many drawbacks as non-business
environments conditions group policies are not widely used, according to
this, how can Google help us restore this option? There are several
applications that work with these options released in previous versions,
this change generates much impact and should be reconsidered.

chro...@googlecode.com

Jul 29, 2013, 4:19:29 AM
to chromi...@chromium.org

Comment #28 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re comment #27: Can you please describe your use case in more detail?

We've found unconditional registry reads to cause more pain than benefit,
so that's not coming back any time soon, but maybe we can help you find a
different solution that works for you.

chro...@googlecode.com

Jul 29, 2013, 5:28:11 AM
to chromi...@chromium.org

Comment #29 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Normally in a controlled environment with limited rights for an enduser
this should work fine.
During logon GPO's are processed and as Chrome policies are set through the
adm-templates we work with true policies. These are policies written in the
protected branch of the registry: HKCU\software\policies
A normal user has only read-access to this registry hive so I really don't
see the risk reading registry information directly from the registry when
it concerns a protected registry branch.

chro...@googlecode.com

Jul 29, 2013, 5:40:56 AM
to chromi...@chromium.org

Comment #30 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Background: The issue here is malware. Unsuspecting users get it onto their
machines by software installers, and these typically run with admin
privileges. We have evidence that Chrome GPO registry key abuse is very
wide-spread.

While this may not apply to controlled environments, Chrome obviously needs
to take non-controlled-environment into account as well. Hence, the
assumption that users don't have the privilege to write the registry isn't
true in general and doesn't help us here. Essentially, we're using the "GPO
is present" as a proxy for "are we in a managed environment". If people
have more and/or better ideas for indicators to that effect, please let us
know and we'll consider them.

chro...@googlecode.com

Jul 29, 2013, 5:41:56 AM
to chromi...@chromium.org

Comment #31 on issue 259236 by mnis...@chromium.org: Group Policies are

chro...@googlecode.com

Jul 30, 2013, 3:35:10 AM
to chromi...@chromium.org

Comment #33 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

When I enable logging on a working system (XP SP3 in a windows domain with
chrome 28 and group policy enabled) I see this:
[2248:3644:0730/091100:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.
[2248:3644:0730/091100:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 0 falling back to registry.
although policies are read fine in chrome (by verifying chrome://policy).
In our other environment where policies are set via a third-party tool I see
this in the logging:
[10884:11300:0730/092134:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.
So essentially this error message is the same but in the latter case
policies are not well applied.
Can anybody tell me what this means?

chro...@googlecode.com

Jul 30, 2013, 4:27:02 AM
to chromi...@chromium.org

Comment #34 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re comment #33: Chrome falls back to reading the registry if it can't pull
from GPO files directly. In your first log snippet, Chrome does this both
for current machine and current user (HKLM and HKCU in the registry,
respectively), whereas in your second snippet Chrome did only fall back for
local machine, which indicates that GPO was read properly for current user.

Note that while this may work now, relying on the fallback-to-registry
behavior is not something we'll be supporting, so this may change and/or
break in the future. The recommended solution remains using GPO proper or
using a 3rd-party tool that can inject its settings to proper local GPO.

chro...@googlecode.com

Jul 30, 2013, 5:58:51 AM
to chromi...@chromium.org

Comment #35 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

This is interesting. Did first some further testing with chrome 28 on my XP
SP3 workstation with domain based policy for Chrome.
Before starting chrome in debug mode I deleted the
HKCU\software\policies\google branch. Normally Chrome 28 communicates
directly with active directory to obtain the policy settings.
But that doesn't work. So pulling the GPO directly from active directory
doesn't seem to work as expected.
Logfile for this case:
[2624:648:0730/104328:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.
[2624:648:0730/104328:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 0 falling back to registry.

First line is normal as we don't have machine based settings for the Chrome
GPO.
Second line is not normal as the domain based GPO exists and up to the
previous version we had in PRD (26) this worked fine. Apparently chrome
cannot find the policy on the domain controller.
As the policy branch was deleted manually by myself the fallback to
registry is not working either (which is normal). If the policy branch exists
the registry fallback works fine in this situation.

Second test: Chrome running in Citrix with Appsense Environment manager as
tool for populating GPO's directly to the registry.
Logfile:
[10884:11300:0730/092134:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.

No GPO exist for machine and user settings. So I don't understand why I
don't receive an error for the user part of the policy. Should be something
like this: policy_loader_win.cc(524)] Failed to read GPO files for 0
falling back to registry.
So nothing is read and there is no fallback to the local registry although
the settings exist in HKCU/software/policies

So it seems to me that only local policies are processed by Chrome 28 and
not domain policies.
How can we troubleshoot this further?

chro...@googlecode.com

Jul 30, 2013, 6:43:18 AM
to chromi...@chromium.org

Comment #36 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Regarding your first experiment: The logic for falling back to the registry
is not as simple as you presume. In fact, we fall back on various read
errors, but also for the case when the GPO object indicates the GPO file is
on a network drive, i.e. the domain controller. You might be on a laptop
without connectivity, so we rather get the policy settings from the
registry in that case. So what you're seeing is according to expectations.

Regarding the second experiment: The Win API call that chrome makes
(GetAppliedGPOList()) doesn't give a perfect indication whether we have
Chrome policy, but only whether there's some GPO object that's going to be
dumped into the registry. If Windows tells us there is one or more we're
trying to grab them (and fall back if it's on a network drive); this seems
to be the case for HKLM where you probably have some other registry-based
group policy configured. If Windows tells us there are no GPO objects to be
dumped in the registry, we know that no Chrome policy can be present, so we
don't read any policy for that case.

Does that answer your questions?
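
How to read these fallback lines per comments #34 and #36, as an added example that is not part of the original thread and is not Chrome's code. The function names, the `policy_source` model and the two environment descriptions are assumptions built from the comments; the log lines are the ones quoted in comment #33.

```python
import re

# Scope ids as they appear in the quoted log lines; comment #34 maps
# 1 to the machine scope (HKLM) and 0 to the user scope (HKCU).
MACHINE, USER = 1, 0
SCOPE_NAME = {MACHINE: "machine/HKLM", USER: "user/HKCU"}

FALLBACK_RE = re.compile(
    r"^\[(\d+):(\d+):[^\]]*policy_loader_win\.cc\(\d+\)\]\s+"
    r"Failed to read GPO files for ([01]) falling back to registry"
)

# Log lines copied from comment #33, including the mail line wrapping.
DOMAIN_LOG = """\
[2248:3644:0730/091100:VERBOSE1:policy_loader_win.cc(524)] Failed to read
GPO files for 1 falling back to registry.
[2248:3644:0730/091100:VERBOSE1:policy_loader_win.cc(524)] Failed to read
GPO files for 0 falling back to registry.
"""
THIRD_PARTY_LOG = """\
[10884:11300:0730/092134:VERBOSE1:policy_loader_win.cc(524)] Failed to read
GPO files for 1 falling back to registry.
"""


def unwrap(text):
    """Rejoin records that were wrapped in transit; a record starts with '['."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def fallback_scopes(log_text):
    """Map Chrome process id -> set of scope ids that logged a registry fallback."""
    seen = {}
    for record in unwrap(log_text):
        m = FALLBACK_RE.match(record)
        if m:
            seen.setdefault(int(m.group(1)), set()).add(int(m.group(3)))
    return seen


def policy_source(applied_gpo_count, on_network_drive=False, read_error=False):
    """Model of the Chrome 28 behaviour described in comment #36 (an assumption)."""
    if applied_gpo_count == 0:
        return "none"       # no GPO reported: registry policy values are not read
    if on_network_drive or read_error:
        return "registry"   # the only case that writes the fallback log line
    return "gpo-files"      # local GPO files read directly


def expected_fallback(env):
    """Scopes that should log a fallback, given {scope: (gpo_count, on_network)}."""
    return {s for s, (n, net) in env.items() if policy_source(n, net) == "registry"}


def explain(log_text):
    """Return {pid: {scope name: finding}} for every Chrome process in the log."""
    no_line = ("no fallback logged: GPO files were read directly, or Windows "
               "reported no applied GPO and registry-only values are ignored")
    return {
        pid: {SCOPE_NAME[s]: "registry fallback" if s in scopes else no_line
              for s in (MACHINE, USER)}
        for pid, scopes in fallback_scopes(log_text).items()
    }


# Constructed descriptions of the two setups discussed in comments #35 to #37:
# domain GPO in both scopes, versus domain GPO for the machine only with user
# settings written straight to the registry by a third-party tool.
DOMAIN_ENV = {MACHINE: (1, True), USER: (1, True)}
REGISTRY_ONLY_USER_ENV = {MACHINE: (1, True), USER: (0, False)}

if __name__ == "__main__":
    for name, log in (("domain", DOMAIN_LOG), ("third-party", THIRD_PARTY_LOG)):
        for pid, findings in explain(log).items():
            for scope, finding in findings.items():
                print(f"{name} pid={pid} {scope}: {finding}")
```

A missing line for a scope is ambiguous on its own, so compare it with `chrome://policy`: an empty policy list together with no fallback line for that scope points to the "no applied GPO" case.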

chro...@googlecode.com

Jul 30, 2013, 8:33:07 AM
to chromi...@chromium.org

Comment #37 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Ok. Generally this means that only local policies are processed through the
Win API and that for domain policies (always on a network drive) fallback
to local registry will be used. Is that correct and, if yes, will this
continue working this way in future Chrome versions as well?
For the second case where user policies are set via the third party tool
Chrome sees (via the API) that no user policies are present (local or
domain) and thus no fallback will take place.
Indeed, in that setup we use GPO for machine settings and all user settings
are processed via the third party tool.
So the only thing we can do is to transform this "GPO", processed by the
third party tool, to a local policy. Is that correct?

Can creating an 'empty' user domain Chrome GPO do the trick as well? Chrome
will see there are some user policies but no processing will be done
because it's a domain (network) policy ==> registry will be processed.

chro...@googlecode.com

Jul 30, 2013, 8:55:05 AM
to chromi...@chromium.org

Comment #38 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Q: Ok. Generally this means that only local policies are processed through
the Win API and that for domain policies (always on a network drive)
fallback to local registry will be used. Is that correct and, if yes, will
this continue working this way in future Chrome versions as well?

A: Correct, but we can't make any guarantees that Chrome behavior stays
this way in future releases. If you want to be on the safe side, you should
figure out a way to install GPO.

Q: For the second case where user policies are set via the third party tool
Chrome sees (via the API) that no user policies are present (local or
domain) and thus no fallback will take place.

A: Correct.

Q: Indeed, in that setup we use GPO for machine settings and all user
settings are processed via the third party tool.
So the only thing we can do is to transform this "GPO", processed by the
third party tool, to a local policy. Is that correct?

A: That's the recommended solution, yes.

Q: Can creating an 'empty' user domain Chrome GPO do the trick as well?
Chrome will see there are some user policies but no processing will be done
because it's a domain (network) policy ==> registry will be processed.

A: Yes, this is what Chrome 28 does. However, as explained above you're on
your own when relying on this as we can't make any promises that the
fallback behavior will stay the same moving forward.

chro...@googlecode.com

Aug 26, 2013, 9:56:47 AM
to chromi...@chromium.org

Comment #41 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I understand security is very important for a browser but by eliminating
the use of Domain Group Policies it is much harder to manage the Chrome
browser in an enterprise environment in my opinion.
All Microsoft applications are configurable by GPO, including the Internet
Explorer browser, so as I understand this all well this browser suffers as
well from GPO abuse and Microsoft is just doing nothing about it.

Now (in the future), when we need to change a forced setting for the Chrome
browser we need to open the local policy, make the necessary change and
then copy the new registry.pol to all servers. Not that easy because all
our GPO's are now in one console in Active Directory.
Can't there be a check that if the workstation is domain joined (thus in
a 'controlled' environment) the GPO processing takes place? This approach
seems to be risk free I think.

chro...@googlecode.com

Aug 27, 2013, 9:13:45 AM
to chromi...@chromium.org

Comment #42 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re comment #41: Note that we're not eliminating GPO support. GPO is still
honored by Chrome if you configure GPO properly (i.e. via AD or as local
GPO).

Relaxing the restriction on the registry check for AD domains is something
we can consider. However, I'd like to clarify your use case first: Do I
understand correctly that you're running an Active Directory setup, but
don't push group policy via it? Instead you're configuring local group
policy? AD-configured GPO continues to be supported by Chrome, so I wonder
why you're not just using it.

chro...@googlecode.com

Aug 29, 2013, 7:01:51 AM
to chromi...@chromium.org

Comment #43 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

This is our current situation:
==>environment managed by Active Directory
Here we don’t have issues currently. Chrome checks if GPO is present. Is ok
but as the GPO is on a network share GPO is not processed and fails back to
registry which is ok because registry keys are set through GPO.
One reminder here: if a future version of chrome doesn’t support the
fallback to registry anymore we have a problem. Only workaround is then to
work with local GPO.

==>environment managed by AppSense Environment Manager
Here the adm-templates for chrome are processed by the third party tool
(Appsense) and registry keys are set by this tool in policy branch
(HKCU\software\policies) avoiding the use of Active Directory GPOs. Prior
to Chrome version 28 this worked fine because Chrome always reads the
settings located in the policy branch of the registry. Now with version 28
no Chrome GPO is found when the browser starts so no fallback to the
registry is possible which results in an ‘open’, not managed Chrome browser.
For the time that Chrome still supports the fallback mechanism I could try
to apply an ‘empty’ GPO for Chrome settings to force that fallback to
registry takes place. But I need to test this first.
In my opinion the standard behavior, managing an application with Domain
based GPO, should remain working, as this setup is widely used in
enterprises.

chro...@googlecode.com

Aug 29, 2013, 9:06:33 AM8/29/13
to chromi...@chromium.org

Comment #44 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re comment #43:

Active Directory environment: AD+GPO is supported and will continue to be
so. We're not intending to break setups with non-local GPO files at all.

non-GPO setup: The workaround you're proposing (i.e. installing empty GPO)
will yield the desired result with Chrome 28 (i.e. triggering the registry
fallback). However, we can't promise anything in terms of this workaround
remaining functional moving forward.

chro...@googlecode.com

Sep 5, 2013, 9:35:10 AM9/5/13
to chromi...@chromium.org

Comment #45 on issue 259236 by chris.sh...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

We also have an issue since Chrome 28 with policies,

We use a 3rd party tool to apply our Policy settings (RES Workspace
Manager) as we found Group Policy to be unreliable and still have some XP
Desktops (which have known problems applying group policy when waking from
sleep / hibernation)

We also have requirements to deploy settings based on more than just user
and group membership, some of this we could replicate with WMI, but WMI
queries with GPO are expensive and would not give us the login performance
we expect, nor cover all situations.

We now have very unreliable policies being applied to Chrome - but 29 has
brought changes we were waiting for (URL Blocklist including chrome:// and
file:// as well as a bug fix for creating desktop icons when they should
have been disabled)

Another way of checking the environment is secure would help us
tremendously as assuming that every organisation with Active Directory is
applying user Group Policies is just not correct.

Check if a Computer Group Policy is applied would probably hit a higher
percentage of organisations, otherwise checking for domain membership would
be certain for any computers who are domain joined.

chro...@googlecode.com

Sep 5, 2013, 9:52:10 AM9/5/13
to chromi...@chromium.org

Comment #46 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

So, to understand your situation better: You're running with all clients
joined to an AD domain, but don't use GPO because it's not flexible enough
for you?

chro...@googlecode.com

Sep 5, 2013, 9:53:10 AM9/5/13
to chromi...@chromium.org

Comment #47 on issue 259236 by mnis...@chromium.org: Group Policies are

chro...@googlecode.com

Sep 5, 2013, 10:01:10 AM9/5/13
to chromi...@chromium.org

Comment #48 on issue 259236 by chris.sh...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Yes, we run the 3rd party tool to provide the flexibility and reliability
we require

chro...@googlecode.com

Sep 9, 2013, 9:07:20 AM9/9/13
to chromi...@chromium.org

Comment #49 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Just set up a GPO containing the adm-template for Google Chrome and further
no settings applied. The GPO is linked to an OU where the Citrix server on
which I'm testing is located. To obtain that user settings are applied I
have enabled 'loopback processing' in 'merge mode'. With Resultant Set Of
Policies I verified if the GPO was enabled and processed which was the case.
Unfortunately, the fallback to the registry is still not working although
there is an empty GPO present.
The log shows this:
policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to
registry
Should it be necessary that this GPO isn't empty? So that I need at least
one active setting in this GPO?
I will test this anyway but maybe a Chrome developer can already have a
short look.

chro...@googlecode.com

Sep 9, 2013, 12:12:25 PM9/9/13
to chromi...@chromium.org

Comment #50 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

The login line you mention indicates that Chrome is falling back to read
policy from the registry for the HKLM hive. Can you double-check that you
have Chrome policy settings present in
HKLM\Software\Policies\Google\Chrome ?

chro...@googlecode.com

Sep 19, 2013, 4:24:57 AM9/19/13
to chromi...@chromium.org

Comment #51 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I have created an empty GPO with loopback processing enabled and linked
this GPO to an OU which contains a Google Chrome enabled workstation. Not
working. No fallback to registry.

But when I enter a setting in this GPO Chrome sees this domain GPO and
fallback to registry occurs. For me this is a solution (well, a
workaround :-)).
I configure a GPO with one unimportant setting. For the other settings we
will use our third-party tools and as fallback to registry occurs policy
values will be read and locked-down Chrome can be used in our company.

chro...@googlecode.com

Sep 19, 2013, 4:30:57 AM9/19/13
to chromi...@chromium.org

Comment #52 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Note that the fallback will only occur if you configure a registry GPO,
i.e. one that is processed by the registry settings CSE (as described here:
http://support.microsoft.com/kb/216357). Loopback processing likely isn't,
I haven't checked though.
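
Comments #41 and #52 turn on the difference between policy values delivered through a registry GPO (stored in a Registry.pol file) and values written straight into the policy key by regedit or a third-party tool. The following added example, which is not part of the thread or of Chromium's code, parses the Registry.pol (PReg version 1) layout and lists Chrome values that are live in the registry without a GPO entry behind them; the sample file bytes, the `SAMPLE_LIVE` dictionary and all function names are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
CHROME_KEY = "software\\policies\\google\\chrome"  # matched case-insensitively

def _wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string in Registry.pol")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _u32(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated Registry.pol")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def _sep(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, data_bytes)] from a PReg v1 file."""
    if buf[:4] != b"PReg" or _u32(buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _sep(buf, pos, "[")
        key, pos = _wstr(buf, pos)
        pos = _sep(buf, pos, ";")
        name, pos = _wstr(buf, pos)
        pos = _sep(buf, pos, ";")
        rtype, pos = _u32(buf, pos)
        pos = _sep(buf, pos, ";")
        size, pos = _u32(buf, pos)
        pos = _sep(buf, pos, ";")
        # Data is length-prefixed, so it may itself contain ';' or ']'.
        if pos + size > len(buf):
            raise ValueError("entry data runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = _sep(buf, pos, "]")
        entries.append((key, name, rtype, data))
    return entries

def _decode(rtype, data):
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data

def chrome_policies(entries):
    """Map 'Policy' or 'ListPolicy\\1' to its value for Chrome's policy key."""
    found = {}
    for key, name, rtype, data in entries:
        low = key.lower()
        if low != CHROME_KEY and not low.startswith(CHROME_KEY + "\\"):
            continue
        if name.startswith("**"):  # delete directive such as **del.X, not a setting
            continue
        sub = key[len(CHROME_KEY):].lstrip("\\")
        found[f"{sub}\\{name}" if sub else name] = _decode(rtype, data)
    return found

def registry_only(pol_policies, live_registry):
    """Names in the live policy key that no Registry.pol entry delivers."""
    gpo = {n.lower() for n in pol_policies}
    return sorted(n for n in live_registry if n.lower() not in gpo)

def _entry(key, name, rtype, data):  # builds one constructed sample record
    w = lambda s: s.encode("utf-16-le")
    return (w("[" + key + "\0;" + name + "\0;") + struct.pack("<I", rtype) + w(";")
            + struct.pack("<I", len(data)) + w(";") + data + w("]"))

K = "Software\\Policies\\Google\\Chrome"
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)  # constructed, not from a real machine
    + _entry(K, "IncognitoModeAvailability", REG_DWORD, struct.pack("<I", 1))
    + _entry(K + "\\ExtensionInstallForceList", "1", REG_SZ,
             "extension_id_in_store;https://clients2.google.com/service/update2/crx\0".encode("utf-16-le"))
    + _entry(K, "**del.UserDataDir", REG_SZ, " \0".encode("utf-16-le")))
# Constructed stand-in for values found under HKLM\Software\Policies\Google\Chrome.
SAMPLE_LIVE = {"IncognitoModeAvailability": 1, "DiskCacheDir": "D:\\cache", "DiskCacheSize": 104857600}
```

With the sample data, `registry_only(chrome_policies(parse_registry_pol(SAMPLE_POL)), SAMPLE_LIVE)` reports `DiskCacheDir` and `DiskCacheSize` as values that exist only as direct registry writes.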

chro...@googlecode.com

Oct 11, 2013, 3:50:29 AM10/11/13
to chromi...@chromium.org

Comment #53 on issue 259236 by kenneth...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

So if I'm running a Home Windows system without gpedit.msc, I no longer
have any way to change my chrome policies?

All I want to do is turn off private browsing. I can't be the only one.

chro...@googlecode.com

Oct 11, 2013, 3:52:39 AM10/11/13
to chromi...@chromium.org

Comment #54 on issue 259236 by bar...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

If you are the only user on a single machine, you can use the settings page
to tweak Chrome to your liking. Policy is a mechanism to deliver and
enforce settings in an enterprise context not needed in a single-user setup.

chro...@googlecode.com

Oct 11, 2013, 4:13:39 AM10/11/13
to chromi...@chromium.org

Comment #55 on issue 259236 by joaod...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

#53: why do you want to turn off private browsing? There may be better ways
to achieve what you're trying to do.

chro...@googlecode.com

Nov 3, 2013, 6:48:54 PM11/3/13
to chromi...@chromium.org

Comment #56 on issue 259236 by chris.sh...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Hi,

I was wondering if there is any update on if Google is considering adding
options back in for those of us who use policies outside of Group Policy?

Thanks,

chro...@googlecode.com

Nov 3, 2013, 11:16:34 PM11/3/13
to chromi...@chromium.org

Comment #57 on issue 259236 by johannaj...@msn.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Have the same setup and question as #53 - want to disable the incognito
mode option. Found that I could do it using the IncognitoModeAvailability
policy in the registry but it does not work since the registry is not being
read. Is there an alternative solution to that?

chro...@googlecode.com

Nov 10, 2013, 11:24:48 PM11/10/13
to chromi...@chromium.org

Comment #58 on issue 259236 by smcon...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I'm in the same situation as #53,#56, and #57. I'm using Windows Home
Premium, which does not have a group policy editor (gpedit.msc). I'd like
to disable incognito mode and set some other policies to lock down my
browser. How do I do it now that Chrome ignores registry settings?

chro...@googlecode.com

Nov 18, 2013, 12:14:33 PM11/18/13
to chromi...@chromium.org

Comment #59 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Comments #53, #57, #58: The only supported way to lock down Chrome is via
GPO, sorry. What's your rationale for running a locked-down browser in an
environment where GPO is unavailable?

chro...@googlecode.com

Nov 18, 2013, 12:57:34 PM11/18/13
to chromi...@chromium.org

Comment #61 on issue 259236 by bar...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re #60: Enterprise policies are geared toward corporate uses of Chrome. It
sounds like your use case may be best served by Chrome's new beta
supervised users:

https://support.google.com/chrome/answer/3463947?p=ui_supervised_users&rd=1

chro...@googlecode.com

Nov 19, 2013, 4:47:29 AM11/19/13
to chromi...@chromium.org
Updates:
Cc: p...@chromium.org

Comment #66 on issue 259236 by joaod...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

+Pam from the supervised-users team.

Pam, can you answer #62?

"I tried creating a supervised account, but it doesn't prevent incognito
mode. It doesn't prevent the supervised user from going into settings,
disconnecting the account, and browsing freely."

How does supervised mode handle these?

chro...@googlecode.com

Nov 26, 2013, 9:17:44 AM11/26/13
to chromi...@chromium.org

Comment #67 on issue 259236 by pete.m.b...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I employ a Samba 3 PDC and use WPKG to deploy software to Windows XP Pro
workstations. I'm used to configuring Windows and software apps using
Windows' reg command to edit the registry. I know nothing about GPO. Now
that I can't use the registry to set DiskCacheDir and DiskCacheSize, how do
you suggest deploying this configuration setting please?

I'm finding that setting the profile location with Chrome 30 still works
using the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\UserDataDir=REG_SZ:"${roaming_app_data}\Chrome"
Is this not guaranteed to continue to work?

chro...@googlecode.com

Nov 26, 2013, 10:27:49 AM11/26/13
to chromi...@chromium.org

Comment #68 on issue 259236 by pasta...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

You can use the command line flags --disk-cache-dir and --disk-cache-size
instead and simply add them to the shortcut used to start Chrome. The
UserDataDir key still works but you can consider this an implementation
detail that might not work in the future too.

In general I can suggest that you read a bit about Group Policy Objects and
the GPEdit.msc snap-in which allows you to edit it even locally which is
the only supported way to set policies in Chrome now.

chro...@googlecode.com

Dec 11, 2013, 5:57:39 AM12/11/13
to chromi...@chromium.org

Comment #70 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re comment #69: The diagnostics you're quoting are most certainly red
herrings and have nothing to do with Chrome not starting. I suggest you
open a separate bug for your issue.

chro...@googlecode.com

Feb 5, 2014, 3:59:43 AM2/5/14
to chromi...@chromium.org

Comment #72 on issue 259236 by pasta...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Issue 329130 has been merged into this issue.

chro...@googlecode.com

Feb 5, 2014, 4:21:43 AM2/5/14
to chromi...@chromium.org

Comment #73 on issue 259236 by mnis...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Re comment #71: If you're building yourself, why don't you just switch
unconditional GPO registry reads on again? Code is in policy_loader_win.cc.

chro...@googlecode.com

Feb 26, 2014, 1:17:02 AM2/26/14
to chromi...@chromium.org

Comment #74 on issue 259236 by bugdro...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236#c74

------------------------------------------------------------------------
r253358 | pasta...@chromium.org | 2014-02-26T05:14:25.026877Z

Changed paths:
M
http://src.chromium.org/viewvc/chrome/trunk/src/components/policy/core/common/policy_loader_win_unittest.cc?r1=253358&r2=253357&pathrev=253358
M
http://src.chromium.org/viewvc/chrome/trunk/src/components/policy/core/common/policy_loader_win.cc?r1=253358&r2=253357&pathrev=253358

On enterprise machines read policy from the registry.

This will allow the usage of third party policy management
software in enterprise deployments of Chrome on Windows.

BUG=259236

Review URL: https://codereview.chromium.org/152633003
------------------------------------------------------------------------

chro...@googlecode.com

Feb 26, 2014, 1:18:03 AM2/26/14
to chromi...@chromium.org

Comment #75 on issue 259236 by bugdro...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236#c75

chro...@googlecode.com

Mar 10, 2014, 5:29:56 AM3/10/14
to chromi...@chromium.org

Comment #76 on issue 259236 by hans.hw....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Is this fix already integrated in the current stable release?

chro...@googlecode.com

Mar 10, 2014, 6:06:58 AM3/10/14
to chromi...@chromium.org

Comment #77 on issue 259236 by pasta...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Not yet. If nothing bad happens with it it should arrive in Chrome 35.
However it should already be visible on the dev channel for testing if you
want.

chro...@googlecode.com

Apr 1, 2014, 3:13:17 AM4/1/14
to chromi...@chromium.org

Comment #78 on issue 259236 by patricknaly598: Group Policies are ignored
patric...@laposte.net

chro...@googlecode.com

May 16, 2014, 12:48:04 PM5/16/14
to chromi...@chromium.org

Comment #84 on issue 259236 by jamesgst...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Local GPO or AD GPO both work fine to manage chrome settings. This bug is
about editing the registry directly to create the same entries that the GPO
creates. Editing the registry directly does not work as chrome currently
does not look there, but only through the GPO API. This bug is requesting
that Chrome also check the registry to honor the settings there directly.

I am using a management solution that would make it very easy to manage
chrome settings through the registry. It is possible to work around it and
use local GPO, but it is more difficult. This is my solution:
http://bigfix.me/fixlet/details/3747

chro...@googlecode.com

May 27, 2014, 1:18:07 PM5/27/14
to chromi...@chromium.org

Comment #86 on issue 259236 by jamesgst...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

I believe that AD policy is supposed to be the highest priority and should
not be overridable by local GPO.

There might be something you can do to change how the AD policy is applied
to make it less forceful so that it can be overridden. I'm not certain this
would work, but you might try "Action: Create" or "Apply once and do not
reapply" in the AD GPO.

chro...@googlecode.com

Jun 10, 2014, 11:01:51 AM6/10/14
to chromi...@chromium.org

Comment #90 on issue 259236 by mons...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Hello, I don't understand how do you decided a problem about force install?

I have chrome v35 working on Windows 8.
I change parameters in regedit - it doesn't work (I tried
software/policies/chromium/ and also software/policies/Google/Chrome/).
Also I tried to change in gpedit.msc (local GPO I think) - it doesn't work
(chrome://policy/ - doesn't change [have status : not set]).
I set "ExtensionInstallForceList"
like "extension_id_in_store;https://clients2.google.com/service/update2/crx".

I use an extension which is already in the store (I tried for a start, then
I'll want to try the same method with a no-store extension).

Can you explain me?

chro...@googlecode.com

Jun 11, 2014, 5:44:34 AM6/11/14
to chromi...@chromium.org

Comment #91 on issue 259236 by mons...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

Hello, I don't understand how do you decided a problem about force install?

I have chrome v35 working on Windows 8.
I change parameters in regedit - it doesn't work (I tried
software/policies/chromium/ and also software/policies/Google/Chrome/).
Also I tried to change in gpedit.msc (local GPO I think) - it doesn't work
(chrome://policy/ - doesn't change [have status : not set]).
I set "ExtensionInstallForceList"
like "extension_id_in_store;https://clients2.google.com/service/update2/crx".

I use an extension which is already in the store (I tried for a start, then
I'll want to try the same method with a no-store extension).

Can you explain me?

PS::::

I decide this problem. I have a 64bit windows 8, so
HKEY_LOCAL_MACHINE\SOFTWARE\(Wow6432Node)\Google\Chrome\Extensions it is
here.

The next problem is why, if I install an extension with the registry, the
extension is off by default, and when I launch the browser it asks me to
turn the extension ON or delete it?

chro...@googlecode.com

Jul 20, 2014, 1:14:09 PM7/20/14
to chromi...@chromium.org

Comment #93 on issue 259236 by v.gkcent...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

As #91, even using GPO change in policy settings doesn't reflect in
chrome://policy/
version-36.0.1985.125 m

chro...@googlecode.com

Jul 20, 2014, 1:15:09 PM7/20/14
to chromi...@chromium.org

Comment #94 on issue 259236 by v.gkcent...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

tried reloading, restarting chrome, machine but doesn't work

chro...@googlecode.com

Jul 21, 2014, 1:57:22 AM7/21/14
to chromi...@chromium.org
Updates:
Cc: pasta...@chromium.org

Comment #95 on issue 259236 by joaod...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
http://code.google.com/p/chromium/issues/detail?id=259236

What is the policy that you tried to set? Does it work for some policies
but not for others, or it doesn't work at all?

chro...@googlecode.com

Sep 4, 2014, 5:35:51 AM9/4/14
to chromi...@chromium.org

Comment #97 on issue 259236 by pasta...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

@96: What did you put in the policy exactly?

chro...@googlecode.com

Sep 4, 2014, 6:32:38 AM9/4/14
to chromi...@chromium.org

Comment #98 on issue 259236 by Gruzdev....@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

Hi, I have the same issue.
How can I enable ShowModalDialog_EffectiveUntil20150430 on my home machine
(Windows 8 Home)?
I have no gpedit.msc available.
Here is what I've tried:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures]
"1" = "ShowModalDialog_EffectiveUntil20150430"

chro...@googlecode.com

Sep 4, 2014, 7:48:09 AM9/4/14
to chromi...@chromium.org

Comment #99 on issue 259236 by pasta...@chromium.org: Group Policies are
ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

A quick search on the internet shows that you can get the gpedit.msc tool for
home editions too. I would assume this is not supported by MS and neither
is it supported by Chrome but you can try it out. One search result that
seems to have it is this one
http://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
- with the disclaimer that I don't know this site and don't know if this
download is legit and legal and whatever; it was simply one of the first
hits on my search so use at your own risk or pick your own trusted page.
Also, a word of caution: some policies are explicitly disabled for
non-enterprise users due to their high risk of abuse (the one you want to
set is not afaik).

chro...@googlecode.com

Sep 4, 2014, 9:33:31 AM9/4/14
to chromi...@chromium.org

Comment #100 on issue 259236 by henrique...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

#97: I did the steps described in #11.
Then I configured the policy for ExtensionInstallForceList.
I tried to configure
like "lbfehkoinhhcknnbdgnnmjhiladcgbol;https://clients2.google.com/service/update2/crx",
using a random extension as an example.
The extension was not installed, but in chrome://policy it shows like it is
applied.
I don't know if it should work like that, or I did something wrong. Any
ideas?

chro...@googlecode.com

Sep 4, 2014, 11:29:54 AM9/4/14
to chromi...@chromium.org

Comment #103 on issue 259236 by joaod...@chromium.org: Group Policies
are ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

Why do you think the extension is not installed?

Extensions will appear in chrome://extensions, Apps will appear in
chrome://apps. "lbfehkoinhhcknnbdgnnmjhiladcgbol" is an app so it
does not appear in chrome://extensions.

chro...@googlecode.com

Sep 7, 2014, 5:43:53 AM9/7/14
to chromi...@chromium.org

Comment #104 on issue 259236 by yuhongba...@hotmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

#99: Still, can an exception be made for the
EnableDeprecatedWebPlatformFeatures setting? Yes there are tools like
Apply_LGPO_Delta, but I bet connecting to a VPN to browse internal Intranet
sites is not particularly uncommon.
http://blogs.technet.com/b/fdcc/archive/2009/09/15/new-and-updated-local-group-policy-utilities.aspx

chro...@googlecode.com

Nov 21, 2014, 8:10:54 AM11/21/14
to chromi...@chromium.org

Comment #105 on issue 259236 by manageme...@gmail.com: Group Policies are
ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

Chrome Group Policies Not Being Recognized in version 38

chro...@googlecode.com

Feb 17, 2015, 10:55:52 AM2/17/15
to chromi...@chromium.org

Comment #107 on issue 259236 by rai...@huehne-informatik.ch: Group Policies
are ignored in enterprise version 28.0.1500.71
https://code.google.com/p/chromium/issues/detail?id=259236

Hi there

I am still missing a usable solution to deploy chrome policies to about 200
non-AD WinXP SP3 Machines.

So for my understanding: When Machine is not AD-Joined, you do read the
registry, but GPO is available, and when the machine is not AD joined, you
don't read the reg?? But how to deploy GPOs to non-AD machines? If the
policies cannot be deployed to other machines it's useless, because if I
have to access every computer manually, I can do the settings in chrome
itself!?

Why did you guys not implement a switch for enabling the Reg read?? I
understand the malware problem - but we're not @Apple here - I can decide
for myself, I just need the option to choose.

The machines are in a secure environment, and malware is not a problem. All
I need is to allow pop-ups on certain sites, as these clients are using
chrome app-mode. Therefore I need to allow popups in advance, because
clients are not supposed to be able to access the settings.

And there might be some more sites in future where I need to allow popups...

PLEASE HELP! Many thanks in advance.