#Powershell #Windows
A company I'm working for is decommissioning a Meraki firewall in the near future. With this piece of hardware gone, there would be no web content filtering for all users in the organization.
As a temporary workaround, I moved all of the existing URL blocks from the Meraki dashboard into a Group Policy Object that targets Chrome and Edge. When creating the policy, the Group Policy Management MMC tool only allows you to put one entry in at a time for the URL Blocking. I would need to copy and paste hundreds of entries to get this updated.
There has to be a faster way. I read through this post [A] and it gave me some information about updating a GPO generally. I tweaked it a bit and targeted both Chrome and Edge in my environment.
Here's how I did it.
ADMX template check
Before you can continue, make sure you have the ADMX files added to the Domain Controller.
I won't cover that in this post (basically download the files and copy over to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions
and en-US
folders), but check the following guides for deployment information:
When these ADMX templates are added, go to the next step.
Create a Group Policy Object
Now, let's create a GPO policy and change one option per app (Chrome or Edge).
Open the Group Policy Management MMC. Right click on the “Group Policy Objects” container/folder and select “New”:
In the popup, give your GPO a name that you'll remember. Keep the “Source Starter GPO” set to (none).
When that's created, move to the next step to define your blocked sites.
Create the URL list file
The Chromium documentation for this Group Policy Object [A] states that putting in a simple domain name of example.com
will block all http and https requests to any subdomains and the root.
I created a list of URLs in Notepad with one entry on each line, like this example:
facebook.com
twitter.com
youtube.com
This was an easy copy and paste from the Meraki Group Policies page at Network Wide > Configure > Group Policies:
Run some Powershell commands
For these Powershell commands to run, first make sure you are able to connect to a writable Domain Controller. It might be easier to remote into the server and run the commands locally.
I would also recommend appending -whatif
to the end of the Set-GPRegistryValue
in the command below if you're not sure you've done everything correctly.
Also make sure to change the -name
of your GPO to match the one you created in the first few steps.
For adding the URL blocks in Google Chrome, use this command:
Get-Content .\URLlist.txt | foreach {
Set-GPRegistryValue -Name 'XXXyourGPOnameXXX' -ValueName $_ -Type String -Value $_ -Key "HKLM\Software\Policies\Google\Chrome\URLBlocklist"
}
For adding the URL blocks in Microsoft Edge, use this command:
Get-Content .\URLlist.txt | foreach {
Set-GPRegistryValue -Name 'XXXyourGPOnameXXX' -ValueName $_ -Type String -Value $_ -Key "HKLM\Software\Policies\Microsoft\Edge\URLBlocklist"
}
Caveats
Running these Powershell commands can take a long time if you have a lot of entries. My final version had over 100 lines and took about 15 minutes to complete.
You can verify that this worked by opening the Group Policy Management Editor again and clicking on your Policy Object. Select the “Settings” tab. Click “Show All” at the right side and scroll down to the section labelled “Block access to a list of URLs”:
If you need to add/update or remove a URL from this list later on, right click on the Policy Object and select “Edit”. Navigate to the following location:
- Chrome: Computer Configuration > Policies > Administrative Templates > Google Chrome > Block access to a list of URLs
- Edge: Computer Configuration > Policies > Administrative Templates > Microsoft Edge > Block access to a list of URLs
From there, you can click on the “Show” button to make changes to each line.
Discuss...