In this guide, you will learn how to block users from saving passwords in the Chrome Browser by using Group Policy.
I’ll show you how to disable saving passwords for all users and for specific users.
Table of Contents:
- GPO Disable Chrome Password Saving For All Users
- GPO Disable Chrome Password For Specific Users
- Remove Existing Saved Chrome Passwords (PowerShell Script)
GPO Disable Chrome Password Saving For All Users
Here are the steps to disable chrome password saving for all domain users.
Step 1: Install Chrome Group Policy Templates
The first step is to download and install the chrome group policy templates.
Click here to download the ADM/ADMX Templates.
Next, extract the downloaded zip file and open the extracted folder. You should see the folders for the adm/admx files.
Next, log into your domain controller and follow the steps below to install the templates.
Install ADMX Files
In the admx folder, copy and paste the two admx files (chrome.admx & google.admx) into c:\windows\PolicyDefinitions on your domain controller.
Install ADML Files
Browse to your language folder (mine is en-US), copy and paste the two adml files (chrome.adml & google.adml) into the same language folder into c:\windows\PolicyDefinitions on your domain controller.
The chrome GPO templates should now be installed.
Open the group policy editor, and from a new or existing GPO verify, the chrome templates are installed. They will show up under policies -> Administrative Templates – > google for both computer and user configuration.
Pro Tip: It is easier to manage and install group policy templates using the group policy central store. This also allows administrators to use the same GPO templates and load them from multiple computers. To learn more check out my guide on How to configure the Group Policy Central Store.
Step 2: Create Chrome Password GPO Policy
With the chrome GPO templates installed, the next step is to create the policy to disable password saving.
1. Create a new GPO and link it to an organizational unit (OU) that contains all users. In my domain, all users are in the ADPRO Users OU.
Give the new GPO a name. I’ve called mine “User – Chrome Settings”.
2. Set the following user configuration policies:
Enable saving passwords to the password manager set to disabled.
- User Configuration -> Policies -> Administrative Templates -> Google Chrome -> Password manager
Enable AutoFill for addresses set to disabled.
- User Configuration -> Policies -> Administrative Templates -> Google Chrome
Enable AutoFill for credit cards set to disabled
- User Configuration -> Policies -> Administrative Templates -> Google Chrome
Import saved passwords from default browser on first run set to disabled.
- User Configuration -> Policies -> Administrative Templates -> Google Chrome
Disable synchronization of data with google set to enabled.
- User Configuration -> Policies -> Administrative Templates -> Google Chrome
That completes the GPO settings.
Step 3: GPO Update/Reboot
With the GPO created run gpupdate on a computer or reboot it for the policy to apply.
Here is a screenshot showing the browser password manager enabled, this is before applying the GPO.
After applying the GPO, I’ll check chrome and see if the password manager is disabled. With it disabled via GPO the user will not be able to save passwords in the browser or turn on the password manager.
GPO Disable Chrome Password Saving For Specific Users
If you want to disable chrome password saving for specific users or groups then follow these steps.
Note: I’m using the same GPO policy from the previous example. The only difference in this example is that I’m using GPO Security Filtering to limit which users the GPO applies to.
Step 1: Create a new Active Directory security group.
For example, I’ll create a new security group called “GPO-Disable-Chrome-Password”.
Next, add the users to the group that you want the GPO to be applied to.
I added three users from various departments.
- Abel Evans
- Adam Reed
- Alma Martin
Step 2: Add The Security Group to the GPO Security Filtering.
On the scope tab of the GPO click the “Add” button under Security Filtering.
Next, add the security group created from step 1. For me, this is my “GPO-disable-chrome-password” group.
Then, click the delegation tab at the top.
Next, click the advanced button in the lower right.
Select “Authenticated Users” and uncheck Allow for “Apply group policy”
Click OK.
Now the GPO is configured to only apply to the configured security group. Any user that is a member of the group will get the GPO applied, all other users will be denied (security filtered) the GPO.
I’ll demonstrate.
I’ll log into a computer as “Adam S Reed” (the user is a member of the configured security group). I’ll use the gpresult command to verify the GPO is being applied.
Above you can see the “User – Chrome Settings” GPO is applied.
When I open the chrome browser the password manager is disabled.
Now I’ll log into the computer as “Alan Keys” a user that is not part of the security group.
You can see in the screenshot below the GPO “User – Chome Settings” was not applied (denied).
When I open the chrome browser under this user’s login the chrome password manager is enabled.
So that is how you can easily apply a GPO to a specific group of users.
Remove Existing Saved Chrome Passwords
Unfortunately disabling the password manager does not remove existing stored passwords. For new users, this is not an issue but if you are applying this policy to existing users you may want to take additional steps.
To remove the existing stored passwords you will need to delete a “Login Data” file from each user’s profile. The files are located in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default.
The bad news is there is no GPO setting to remove this file. You will need to create a script and use remote commands such as PsExec or the PowerShell invoke-command to delete this file from remote computers.
Here is a script that will remove the Login Data file from all profiles on a computer. Make sure you test this before running it on production computers.
$users = Get-ChildItem -Path c:\users -Directory
ForEach ($user in $users) {
remove-item "C:\Users\$user.name\AppData\Local\Google\Chrome\User Data\Default\Login Data" -Force
}If you want to know why saving passwords in browsers is bad then check out these two articles.
- Redline malware shows why passwords shouldn’t be saved in browsers
- Browser password managers – flawed security, by design
If you have questions or feedback post a comment below.
Great, document, but in my case ADML and ADMX, I put in the folder C:\Windows\SYSVOL\sysvol\\Policies\PolicyDefinitions heare all work fine.
The Login Data file is recreated at each chrome opening. How can i disable his recreation?
I think the point is to do that as clean up after you disable password saving entirely. Meaning the first delete is sufficient and is basically like clearing the cache on a system that no longer caches.