Opinion:
So… your company wants to standardize on Chrome, eh? I must say that I admire the ability of merchants who give us the freedom to choose the equivalent of “any color of Model-T as long as it’s black” (Henry Ford). Well, the alternative of embracing Internet Explorer isn’t much more prudent, if that browser is still even in the game. Firefox is a decent alternative; however, “Precisely 94% of Mozilla revenues came through royalties received by search engines to be featured on its Mozilla Firefox browser” (source: FourWeekMBA), and Mozilla is currently under contract with Google. Hence, Chrome’s current market share of 63.91% (source: statcounter) means that it already holds the majority and is positioned to consolidate the market further as time progresses. Enough babbling, let’s get into the GPO thing.
Create a GPO to Set Chrome as Default Browser
############ Create the Chrome Default XML file #############
# Use a here-string so the file begins with the XML declaration; a leading blank line
# before <?xml ... ?> makes the file invalid XML and the policy silently does nothing.
$chromeDefaultXml=@'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".htm" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier=".html" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier="http" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier="https" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
</DefaultAssociations>
'@
# Fail early if the markup is malformed (the cast throws on bad XML)
[xml]$chromeDefaultXml | Out-Null
# PolicyDefinitions is the ADMX Central Store; the XML is dropped there so every DC replicates it
$chromeDefaultXmlFile="\\$env:USERDOMAIN\sysvol\$env:USERDNSDOMAIN\Policies\PolicyDefinitions\chromeDefault.xml"
# Windows PowerShell's Out-File defaults to UTF-16; write UTF-8 to match the declaration in the file
$chromeDefaultXml | Out-File -FilePath $chromeDefaultXmlFile -Encoding utf8
############ Create the Associated GPO and link it to the Test OU #############
# Requires the GroupPolicy RSAT module (run from a DC or a management workstation with RSAT)
Import-Module GroupPolicy
# Create GPO
$gpoName='chromeForWork'
$gpoDescription='Chrome For Work Settings'
New-GPO -Name $gpoName -Comment $gpoDescription
# Link GPO to the test OU (link is enabled by default)
$ouPath="ou=Test OU,ou=Kung Fu Studios,dc=kimconnect,dc=com"
New-GPLink -Name $gpoName -Target $ouPath
Set Chrome as the Default Browser
Run: GPMC.msc > locate the newly created GPO > Edit > Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer, and double-click Set a default associations configuration file > configure it as follows:
- Enabled = true
- Comment = Set Chrome as default Browser
- Options =
\\%USERDOMAIN%\sysvol\%USERDNSDOMAIN%\Policies\PolicyDefinitions\chromeDefault.xml
This path is read by the Group Policy client on each workstation (the setting lands in HKLM\Software\Policies\Microsoft\Windows\System as DefaultAssociationsConfiguration), so the file must be reachable from the workstation, not just from the DC where you created it. If the %USERDOMAIN%/%USERDNSDOMAIN% variables do not expand in that context, use the literal domain names instead, e.g. \\kimconnect.com\sysvol\kimconnect.com\Policies\PolicyDefinitions\chromeDefault.xml.
Set Default Home Page(s)
Navigate to User Configuration > Policies > Administrative Templates > Google > Google Chrome > Startup, Home page and New Tab page (this branch only exists once the Google Chrome ADMX/ADML templates have been copied into the PolicyDefinitions Central Store) and set the following to resemble the screenshots (not reproduced here):
- Configure the home page URL
- Configure the New Tab page URL
- Show Home button on toolbar
- URLs to open on startup (only honored when “Action on startup”, in the same folder, is set to open a list of URLs)
- Use New Tab Page as homepage
Optional: add a loop-back policy
Be advised that loopback processing should be configured in only one GPO per scope. Redundant GPOs that set it may have undesired effects. Typically, this is set in a separate GPO, linked to the OUs where the GPOs applied to Users and Computers are to be processed in Merge mode.
Navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy > double-click “Configure user Group Policy loopback processing mode” > Enabled=True, Mode=Merge (do not choose Replace) > OK > close the Group Policy Management Editor. Note that loopback is a computer-side setting (it controls how the computer processes user policy), so it is not found under User Configuration.
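Every setting clicked through above is a registry-based policy, so the same result can be produced without opening GPMC. The following is an added example, not code from the original post: it assumes the chromeForWork GPO, the Test OU link and the chromeDefault.xml file from the earlier snippet already exist, and the home page and startup URLs are placeholders to be replaced.

```powershell
# Added example (not from the original post): script the GPMC steps above with the GroupPolicy module.
# Assumes: GPO 'chromeForWork' and chromeDefault.xml already exist; URLs below are placeholders.
Import-Module GroupPolicy

$gpoName     = 'chromeForWork'
$xmlPath     = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions\chromeDefault.xml"
$homePage    = 'https://intranet.kimconnect.com'                                   # assumed placeholder
$startupUrls = @('https://intranet.kimconnect.com', 'https://mail.kimconnect.com')  # assumed placeholders

# --- Computer Configuration > Windows Components > File Explorer >
#     "Set a default associations configuration file"
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DefaultAssociationsConfiguration' -Type String -Value $xmlPath

# --- User Configuration > Google > Google Chrome > Startup, Home page and New Tab page
#     (HKCU keys go into User Configuration; Chrome reads Software\Policies\Google\Chrome)
$chromeKey = 'HKCU\Software\Policies\Google\Chrome'
Set-GPRegistryValue -Name $gpoName -Key $chromeKey -ValueName 'HomepageLocation'     -Type String -Value $homePage
Set-GPRegistryValue -Name $gpoName -Key $chromeKey -ValueName 'HomepageIsNewTabPage' -Type DWord  -Value 0  # "Use New Tab Page as homepage" off
Set-GPRegistryValue -Name $gpoName -Key $chromeKey -ValueName 'ShowHomeButton'       -Type DWord  -Value 1
Set-GPRegistryValue -Name $gpoName -Key $chromeKey -ValueName 'NewTabPageLocation'   -Type String -Value $homePage
# "URLs to open on startup" is ignored unless "Action on startup" (RestoreOnStartup) is 4 = open a list of URLs
Set-GPRegistryValue -Name $gpoName -Key $chromeKey -ValueName 'RestoreOnStartup'     -Type DWord  -Value 4
$i = 1
foreach ($url in $startupUrls) {
    Set-GPRegistryValue -Name $gpoName -Key "$chromeKey\RestoreOnStartupURLs" -ValueName "$i" -Type String -Value $url
    $i++
}

# --- Loopback (Merge) lives in its own GPO linked to the same OU, as the post recommends.
#     It is a computer-side policy: UserPolicyMode 1 = Merge, 2 = Replace.
$loopbackGpo = 'loopbackMerge'                                           # assumed name
$ouPath      = 'ou=Test OU,ou=Kung Fu Studios,dc=kimconnect,dc=com'
if (-not (Get-GPO -Name $loopbackGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $loopbackGpo -Comment 'User Group Policy loopback processing: Merge' |
        New-GPLink -Target $ouPath | Out-Null
}
Set-GPRegistryValue -Name $loopbackGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# Read back what was written so a typo in a value name is caught before the GPO reaches clients
Get-GPRegistryValue -Name $gpoName -Key $chromeKey | Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' |
    Select-Object ValueName, Type, Value
```

Because the Chrome settings are written under HKCU, they only apply when the GPO is processed for the user; linking the GPO to an OU that holds only computer objects is exactly the case where the loopback GPO is needed.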
Test the effects of this GPO
- Move a few computer or user objects into the Test OU
- On one of those computers, in an elevated session (gpresult /r only lists the computer-side settings when run as administrator), run:
gpupdate /force|out-null; gpresult /r|select-string 'chromeForWork'
- The default-associations file is applied at user sign-in, so sign out and back in before checking whether Chrome has actually become the default
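Seeing chromeForWork listed by gpresult only proves the GPO was delivered; it does not prove the association file was readable or that the user's defaults changed. The following is an added example, not code from the original post, to run on a client in the Test OU after the gpupdate and a fresh sign-in. It assumes only the registry locations Windows uses for this policy and for per-user defaults; the file path comes from whatever the policy delivered.

```powershell
# Added example (not from the original post): client-side check that the policy arrived,
# that the XML it points to is reachable and well-formed, and that the user's defaults match it.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$xmlPath = (Get-ItemProperty -Path $policyKey -Name DefaultAssociationsConfiguration -ErrorAction SilentlyContinue).DefaultAssociationsConfiguration
if (-not $xmlPath) {
    Write-Warning 'DefaultAssociationsConfiguration is not set: the computer side of the GPO has not applied here'
    return
}
"Policy points at: $xmlPath"

# Expand %VAR% ourselves in case the path was entered with environment variables, then fetch and parse
$expanded = [Environment]::ExpandEnvironmentVariables($xmlPath)
try {
    [xml]$assoc = Get-Content -Path $expanded -Raw -ErrorAction Stop   # the cast throws on malformed XML
} catch {
    Write-Warning "Cannot read or parse '$expanded': $($_.Exception.Message)"
    return
}

# Compare each Association in the file with the user's effective UserChoice ProgId.
# Extensions live under Explorer\FileExts, URL schemes under Shell\Associations\UrlAssociations.
$results = foreach ($a in $assoc.DefaultAssociations.Association) {
    $id = $a.Identifier
    $userChoice = if ($id.StartsWith('.')) {
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$id\UserChoice"
    } else {
        "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$id\UserChoice"
    }
    $actual = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    [pscustomobject]@{
        Identifier = $id
        Expected   = $a.ProgId
        Actual     = $actual
        InEffect   = ($actual -eq $a.ProgId)
    }
}
$results | Format-Table -AutoSize

if (@($results | Where-Object { -not $_.InEffect }).Count -gt 0) {
    Write-Warning 'Some associations are not in effect; the file is applied at sign-in, so sign out/in and re-run'
}
```

A policy value that is present while the file fails to parse points back at the SYSVOL copy (encoding, leading blank line, or a DC that has not replicated it yet); a file that parses while Actual stays empty or on another ProgId points at the sign-in step or at a profile that has not been logged on since the policy arrived.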
Troubleshooting
Domain controller(s) with replication in progress issue:
Symptoms:
- GPO would not apply to expected computers and users
- It has been 24 hours, but replication errors still persist
- Other GPOs do not have this error
Resolution:
Check upstream GPOs, especially the ‘Configure user Group Policy loopback processing mode’ item. That item must be set to ‘Merge’ instead of ‘Replace’ – I’ve written thorough explanations about the differences somewhere in this blog site.
Additional Notes:
If a GPO fails to apply, there may be DC replication problems caused by network routes and/or firewall ACLs. Although certain DCs may be unable to replicate directly with one another while replication as a whole still succeeds in aggregate, it is still worth the system administrator’s effort to identify which directional replication links between nodes have errors so that they can be resolved. Here are some commands to continue troubleshooting:
Active Directory Replication Commands
Please be advised that this extra content is out of scope for configuring Chrome. It is included here at the bottom to satisfy members of the forever-nerds club.
# Display replication status of all DCs
Repadmin /showrepl * /csv | ConvertFrom-Csv | Out-GridView
# A DC that cannot be reached via RPC shows up as:
# LDAP error 81 (Server Down) Win32 Err 58.

# Check replication status of a specific DC
$dcName='DC04.kimconnect.com'
Repadmin /showrepl $dcName
# Possible errors:
#******* 6882 CONSECUTIVE FAILURES since 2020-03-23 15:35:11
#Last error: 1256 (0x4e8):
# The remote system is not available. For information about network troubleshooting, see Windows Help.

# Test an LDAP bind to a DC
$dcName='DC04'
Repadmin /bind $dcName

# Manually replicate one naming context: repadmin /replicate <destination DC> <source DC> <naming context>
$dc1='DC04'   # destination (pulls the changes)
$dc2='DC01'   # source
Repadmin /replicate $dc1 $dc2 "dc=intranet,dc=kimconnect,dc=com"
# Possible error caused by network firewall ACLs and/or mis-routes:
#DsReplicaSync() failed with status 1722 (0x6ba):
# The RPC server is unavailable.

# Check RPC service status on the remote DC (-ComputerName exists in Windows PowerShell 5.1, not PowerShell 7)
Get-Service -ComputerName 'DC04' -Name RpcSs
# Status Name DisplayName
# ------ ---- -----------
# Running RpcSs Remote Procedure Call (RPC)

# Force replication at the target DC
# /syncall switches: A = all naming contexts, d = show servers as DNs instead of GUIDs,
#                    e = all sites in the enterprise, P = push changes outward from this DC
$targetDc='DC04'
Enter-PSSession $targetDc
repadmin /syncall /AdeP
Exit-PSSession

# Check replication status against every partner in the domain
Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult

# What GPMC's Status tab shows for this condition:
# 1 Domain controller(s) with replication in progress
# Replication in Progress - Details
# "Active Directory or SysVol is inaccessible on this domain controller or an object is missing."

# Sample /syncall run on the affected DC:
# [DC04]: PS C:\Users\brucelee\Documents> repadmin /syncall /AdeP
# ### output truncated ###
# ### Summary of the output ###
# SyncAll reported the following errors:
# Error contacting server CN=NTDS Settings,CN=DC02,CN=Servers,CN=Sites,CN=Configuration,DC=kimconnect,DC=local (network error): 1727 (0x6bf):
# The remote procedure call failed and did not execute.
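Errors 1722 and 1727 above both mean the destination DC could not complete an RPC call to its source, which is usually a firewall or route problem between those two specific hosts rather than a forest-wide outage. The following is an added example, not code from the original post: it turns the repadmin CSV into a list of failing links and then tests, from each failing destination DC, whether the source DC's RPC endpoint mapper (TCP 135) and LDAP (TCP 389) are reachable. DC names come from repadmin's own output; no hostnames are assumed, and Invoke-Command requires PowerShell remoting to the DCs.

```powershell
# Added example (not from the original post): find failing replication links and test the
# network path for each one from the destination DC's point of view.
function Get-FailingReplLinks {
    # repadmin /showrepl * /csv emits a header row with these column names
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

function Test-DcRpcPath {
    param([string]$FromDc, [string]$ToDc)
    # Port 135 is the RPC endpoint mapper. Replication then binds to a dynamic port
    # (49152-65535 by default), which is what firewall ACLs most often block: the mapper
    # answers but the follow-up call fails with 1722/1727. A closed 135 is the simpler case.
    Invoke-Command -ComputerName $FromDc -ScriptBlock {
        param($target)
        $epm  = Test-NetConnection -ComputerName $target -Port 135 -WarningAction SilentlyContinue
        $ldap = Test-NetConnection -ComputerName $target -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            From        = $env:COMPUTERNAME
            To          = $target
            Resolved    = [bool]$epm.RemoteAddress
            Epm135Open  = $epm.TcpTestSucceeded
            Ldap389Open = $ldap.TcpTestSucceeded
        }
    } -ArgumentList $ToDc
}

$failing = Get-FailingReplLinks
if (-not $failing) {
    'No failing replication links reported by repadmin.'
    return
}
$failing | Format-Table -AutoSize

# Test each distinct (destination, source) pair once; strip a SITE\ prefix if repadmin qualified the name
$failing | Select-Object 'Destination DSA', 'Source DSA' -Unique | ForEach-Object {
    $dst = ($_.'Destination DSA' -split '\\')[-1]
    $src = ($_.'Source DSA' -split '\\')[-1]
    Test-DcRpcPath -FromDc $dst -ToDc $src
} | Format-Table -AutoSize
```

If Epm135Open is true but replication still fails with 1722/1727, the dynamic RPC range is the next thing to check on the firewall between those two DCs; if Resolved is false, the destination DC is not even getting a DNS answer for its partner and the problem is upstream of RPC.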