Disable Password Saving in Chrome Using Group Policy

by Robert Allen

In this guide, you will learn how to block users from saving passwords in the Chrome Browser by using Group Policy.

I’ll show you how to disable saving passwords for all users and for specific users.

Table of Contents:

GPO Disable Chrome Password Saving For All Users

Here are the steps to disable chrome password saving for all domain users.

Step 1: Install Chrome Group Policy Templates

The first step is to download and install the chrome group policy templates.

Click here to download the ADM/ADMX Templates.

download chrome admx templates

Next, extract the downloaded zip file and open the extracted folder. You should see the folders for the adm/admx files.

extract download

Next, log into your domain controller and follow the steps below to install the templates.

Install ADMX Files
In the admx folder, copy and paste the two admx files (chrome.admx & google.admx) into c:\windows\PolicyDefinitions on your domain controller.

Install ADML Files
Browse to your language folder (mine is en-US), copy and paste the two adml files (chrome.adml & google.adml) into the same language folder into c:\windows\PolicyDefinitions on your domain controller.

The chrome GPO templates should now be installed.

Open the group policy editor, and from a new or existing GPO verify, the chrome templates are installed. They will show up under policies -> Administrative Templates – > google for both computer and user configuration.

verify chrome template install

Pro Tip: It is easier to manage and install group policy templates using the group policy central store. This also allows administrators to use the same GPO templates and load them from multiple computers. To learn more check out my guide on How to configure the Group Policy Central Store.

Step 2: Create Chrome Password GPO Policy

With the chrome GPO templates installed, the next step is to create the policy to disable password saving.

1. Create a new GPO and link it to an organizational unit (OU) that contains all users. In my domain, all users are in the ADPRO Users OU.

create new chrome gpo

Give the new GPO a name. I’ve called mine “User – Chrome Settings”.

2. Set the following user configuration policies:

Enable saving passwords to the password manager set to disabled.

  • User Configuration -> Policies -> Administrative Templates -> Google Chrome -> Password manager

Enable AutoFill for addresses set to disabled.

  • User Configuration -> Policies -> Administrative Templates -> Google Chrome

Enable AutoFill for credit cards set to disabled

  • User Configuration -> Policies -> Administrative Templates -> Google Chrome

Import saved passwords from default browser on first run set to disabled.

  • User Configuration -> Policies -> Administrative Templates -> Google Chrome

Disable synchronization of data with google set to enabled.

  • User Configuration -> Policies -> Administrative Templates -> Google Chrome

That completes the GPO settings.

Step 3: GPO Update/Reboot

With the GPO created run gpupdate on a computer or reboot it for the policy to apply.

Here is a screenshot showing the browser password manager enabled, this is before applying the GPO.

chrome password manager enabled screenshot

After applying the GPO, I’ll check chrome and see if the password manager is disabled. With it disabled via GPO the user will not be able to save passwords in the browser or turn on the password manager.

chrome password manager disabled screenshot

GPO Disable Chrome Password Saving For Specific Users

If you want to disable chrome password saving for specific users or groups then follow these steps.

Note: I’m using the same GPO policy from the previous example. The only difference in this example is that I’m using GPO Security Filtering to limit which users the GPO applies to.

Step 1: Create a new Active Directory security group.

For example, I’ll create a new security group called “GPO-Disable-Chrome-Password”.

Next, add the users to the group that you want the GPO to be applied to.

I added three users from various departments.

  • Abel Evans
  • Adam Reed
  • Alma Martin
active directory security group members

Step 2: Add The Security Group to the GPO Security Filtering.

On the scope tab of the GPO click the “Add” button under Security Filtering.

gpo security filtering

Next, add the security group created from step 1. For me, this is my “GPO-disable-chrome-password” group.

add group to security filtering

Then, click the delegation tab at the top.

Next, click the advanced button in the lower right.

Select “Authenticated Users” and uncheck Allow for “Apply group policy”

remove apply group policy authenticated users

Click OK.

Now the GPO is configured to only apply to the configured security group. Any user that is a member of the group will get the GPO applied, all other users will be denied (security filtered) the GPO.

I’ll demonstrate.

I’ll log into a computer as “Adam S Reed” (the user is a member of the configured security group). I’ll use the gpresult command to verify the GPO is being applied.

gpresult /r verify chrome settings

Above you can see the “User – Chrome Settings” GPO is applied.

When I open the chrome browser the password manager is disabled.

Now I’ll log into the computer as “Alan Keys” a user that is not part of the security group.

You can see in the screenshot below the GPO “User – Chome Settings” was not applied (denied).

gpresult /r denied chrome policy

When I open the chrome browser under this user’s login the chrome password manager is enabled.

So that is how you can easily apply a GPO to a specific group of users.

Remove Existing Saved Chrome Passwords

Unfortunately disabling the password manager does not remove existing stored passwords. For new users, this is not an issue but if you are applying this policy to existing users you may want to take additional steps.

To remove the existing stored passwords you will need to delete a “Login Data” file from each user’s profile. The files are located in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default.

chrome login data file

The bad news is there is no GPO setting to remove this file. You will need to create a script and use remote commands such as PsExec or the PowerShell invoke-command to delete this file from remote computers.

Here is a script that will remove the Login Data file from all profiles on a computer. Make sure you test this before running it on production computers.

$users = Get-ChildItem -Path c:\users -Directory
ForEach ($user in $users) {    
remove-item "C:\Users\$user.name\AppData\Local\Google\Chrome\User Data\Default\Login Data" -Force 
}

If you want to know why saving passwords in browsers is bad then check out these two articles.

If you have questions or feedback post a comment below.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.

3 thoughts on “Disable Password Saving in Chrome Using Group Policy”

  1. Great, document, but in my case ADML and ADMX, I put in the folder C:\Windows\SYSVOL\sysvol\\Policies\PolicyDefinitions heare all work fine.

    Reply
    • I think the point is to do that as clean up after you disable password saving entirely. Meaning the first delete is sufficient and is basically like clearing the cache on a system that no longer caches.

      Reply

Leave a Comment