- Disable strict name checking with PowerShell - Mon, Sep 1 2014
- ManageEngine Exchange Reporter Plus review - Wed, Aug 20 2014
- EventSentry – Full-spectrum monitoring - Thu, Jul 17 2014
Increasingly in the corporate world we’re seeing not only the want but the need for our users to utilize different web browsers in the workplace. This, of course, poses several problems for us as administrators. With Internet Explorer we have the ability, out of the box, to customize and lock down the settings to protect end users and business interests. We’re not so lucky with other browsers.
Two of the most popular alternative browsers are Firefox and Chrome. They have slowly eaten away at the dominant IE market share practically since their inception. Some of the newer web sites and administrative interfaces are even requiring the Chrome Frame extension for Internet Explorer as it is much easier to develop web pages for Chrome and honestly anything but IE.
Fortunately there are some options to help us out in this predicament. Google offers their own administrative template files to help with GPO. Although Firefox does not support it natively, there is an open source ADM file called FirefoxADM that will allow us automatic configuration through GPO.
Group Policy support comparison
Before we get started, I’ll lay out a brief comparison chart of some of the more important settings so you can get an idea what each of these administrative templates offer in comparison to Internet Explorer.
Internet Explorer - Firefox - Chrome - Group Policy comparison
It’s also important to keep in mind that these templates also support browser specific settings such as ActiveX for Internet Explorer and Google Cloud Print for Chrome.
Download the ADM files
You can download the latest files, including detailed documentation, at the following URL’s:
Ensure you download these files somewhere we can locate them later.
Chrome administrative template
Installing the Chrome administrative template is simpler and more straight-forward process out of the two, so I will cover that first.
Open the zip file (chrome_policy_templates.zip) and navigate to \windows\adm\en-US\ or whatever language you’d like to use and extract the chrome.adm file to a folder that you’ll remember.
Note: I’m using the ADM file. If your environment can utilize ADMX files, there’s a folder for those also.
Open Group Policy Management by going to Start>All Programs>Administrative Tools.
Right click on the group you would like to add this GPO to and click Create a GPO in this domain, and Link it here…
Group Policy Management
Enter a descriptive name for the Policy and click OK.
Right click on the newly created Policy and click Edit. This will open the Group Policy Management Editor. Expand User Configuration>Policies and right click on Administrative Templates. Select Add/Remove Templates…
The Add/Remove Templates: modal box will pop up. Click the Add… button and browse to where you extracted the chrome.adm file, select it, and click Open.
Current Policy Templates
Once the administrative template has been imported, click the Close button.
In the left panel tree view, navigate to User Configuration>Policies>Administrative Templates->Classic Administrative Templates. You will now see the new configuration settings for Google.
Group Policy settings Google Chrome
A really cool feature of this admin template is the ability to still allow users to control some aspects of the program. Take a look around and configure the settings to the requirements of your company.
Note: You’ll notice that the Google Chrome settings also show up under the Computer Configuration. Several admins, including myself, have had issues applying the configuration from there. It is best to use the User Configuration.
Firefox administrative template
Because Firefox does not natively support GPOs, there are a few extra steps that need to be done for us to get it working correctly.
Initially, you will follow the same instructions as with the Chrome admin template install. Extract all of the files, create a new Policy through Group Policy Management, right click the new Policy, and edit it.
New Firefox policy
Just as you did above, expand User Configuration>Policies and right click on Administrative Templates. Select Add/Remove Templates…, click Add… on the dialogue box, and then browse to where you extracted the FirefoxADM files.
This is where the differences start. You will notice that there is not just one ADM file, but two! The two files are firefoxdefaults.adm and firefoxlock.adm.
firefoxdefaults.adm and firefoxlock.adm
Select both of them, click Open, and then Close after the files have been imported.
Group Policy settings Firefox
You’ll notice that not only do you have the Firefox settings under User Configuration>Policies>Administrative Templates->Classic Administrative Templates, but also under Computer Configuration>Policies>Administrative Templates->Classic Administrative Templates and that they’re not the same.
As their locations in the tree suggest, the computer configuration will configure all defaults for Firefox on and machine in the group. The user configuration is user specific.
Now we’ll see how FirefoxADM overcomes the lack of native support. When you extracted the zip you should have noticed some extra VBS files; specifically firefox_login.vbs, firefox_logout.vbs, firefox_shutdown.vbs, and firefox_startup.vbs.
To make these configuration changes VB scripts are used to configure Firefox during login/logout/startup/shutdown. These scripts should be imported to their correct locations inside the Policy.
In Group Policy Management Editor, navigate to Computer Configuration>Policies>Windows Settings and select Scripts (Startup/Shutdown).
Double click Startup in the right pane. A new modal box (Startup Properties) will pop up. Click the Add… button on the right.
Add Firefox startup script
A second dialogue box titled Add a Script will pop up. Click the Browse… button and locate the firefox_startup.vbs file you extracted earlier and double click it. Click OK to close the box.
Add a Script
Click the OK button again to close the Startup Properties modal box. Repeat the steps above for the Shutdown script.
Next, navigate to User Configuration>Policies>Windows Settings and select Scripts (Logon/Logoff). Then just simply repeat the same steps as above pairing the Logon with the firefox_login.vbs and Logoff with firefox_logout.vbs.
That’s it! You’ve just configured GPO for Firefox. Now those scripts will run when the computer is started and shutdown and when a user logs on and logs off.
With Internet Explorer’s market share slowly creeping down to around 50%, we as system administrators need to look at managing the different browsers our users are utilizing. Armed with the information above and the downloadable administrative templates, you can configure Group Policy on your domain for the two most popular alternative browsers: Firefox and Google Chrome.
Want to write for 4sysops? We are looking for new authors.
Good Day Sir!
May I asked if this will work on 2008S-R2 & 2012S-R2?
Interesting topic and informative.
Hi bernard, again I use 2008r2 not 2012. As others said before, these work on 2008r2 and NOT 2012. The firefox config won’t work on anything now (due to Mozilla updating the program constantly and these firefox config files are open source and poorly updated). The chrome config is by Google and should work on anything EXCEPT 2012 according to the above users. I’ve had great success with chrome’s config on my network and decided we’ll just move away from firefox.
Does anyone know which is the latest version of FF that works with this? I can’t seem to get it working.
Only Firefox v1 and v2 used the ‘hostperm.1’ file to set preferences referenced in the login VBScript. Since FF3, that file has been replaced by the ‘permissions.sqlite’ file. I have a modified login script that will access this database file instead of the ‘hostperm.1’ file. It does require that each workstation has the SQLite3 ODBC driver installed. It works quite well from there. My environment is mostly Server 2008 R2 and Windows 7.
Again, hit me up at sgoslin at wfall dot org if you want my revised login script.
Dear plz tell me how to block AddOns form mozilla and chrome in domain controller server 20018r2 through policy, I am tired to do this but faild , So please ant body can help me ????
hi Andrew Jacops
who i Prevent any upload files to like google drive (web) on windows 7 policies
not working with server 2012 R2
I am using 44 version please how to lock proxy setting in firefox please send me how to do
i want to block installation any extension in the firefox browser, now I want to help in the creation a group policy for that.
First, thank you for creating these.
But I am having an odd issue. I’ve followed the steps exactly as shown above. I then put a simple change (static homepage), created a specific user group, and assigned myself to said group.
I’ve rebooted, gpupdate /force, duplicated other working GPOs, and nothing. I can not get the homepage to be what I’ve set in the GPO. Server is running 2012. Workstation is Windows 7 and Firefox is 43.0.4
in which firefox version this works perfectly ?
Good morning all,
I use a Win 2008 Server, but I need the Addon on Firefox to be installed to the GPO works. Is that correct?
Did you guys tried to use the Addon on Firefox with 2012?
Is there an option in Firefox to deny changing the automatic configuration url in firefox, or any option to deny changing any settings in Connection tab for Firefox.
There is an option to set or disable the settings you referenced.
Thanks a lot for this interesting and helpfull post i just discovered. Actually I ve got a .cer certificate that has to be installed on all my domain computers. I ve created a GPO for that on my 2008 DC under: Computer configuration–policies–windows settings–security settings–public key policies and imported it on Trusted root certification authorities. it worked with Internet Explorer and Google Chrome. For mozilla i just followed your post. Unfortunatelly it did’t work. Am I missing something?
I would appreciate your time and help on this.
Hi you try this GPO with the new firefox 2016 October ?
how i can disable search bar from firefox via group policy server 2008 r2 OS window 7,i applied above setting but my home page is not changed as i mentioned in firefox please help.
Thanks for the post to this point the install was as you said. However when I set the Homepage in the User Configuration it does not actually set the Homepage in the browser, still using the default or whatever site I set manually in the FireFox browser. I know the GPO is being applied because I see it on that user when running gpresult /R. I am only making settings for the user not the computer so I didn’t add the scripts you mentioned. Even tried using the Use Internet Explorer Settings option but no change. Would like t stay away from a login or startup script as I need this to happen when the browser is opened. Any ideas?
Your post is really useful
One question about java.
How can I enable Java Plug-in
Is there some place where I can get the complete list comparison of the GPO settings that are available to IE and Chrome? We support IE and are looking at Chrome. Management wants to know what we can and can’t do with Chrome that we can do with IE. Thanks
I am using firefox version 41. i have applied group policy for firefox. i have excempted one site in block popup windows. For some users the site has showed in excemption list and its works fine. some other users the site is not listed and its not working. do you have any idea about this issue.
2. how do i add popup exception list in firefox_login.vbs file. can you guide me or send me the sample file
This is a very great post. Is there an update to this post for Win2012 and the newer versions of Chrome and Firefox? This approach seems like it can help millions of companies who want their intranet as the starting page, but in the users preferred browser.