Troubleshoot Active Directory

If you encounter problems on Chrome devices that are managed by Microsoft® Active Directory®, you can perform a number of checks to find and resolve the problem.

Identify and resolve issues

Step 1: Confirm you have the latest ADMX templates
  1. Download the policy templates.
  2. Open the downloaded Chrome Browser bundle and go to Configuration and then admx.
  3. In the zip file, open chromeos and then admx.
  4. Copy the google.admx and chromeos.admx files to your Policy Definition folder. (Example: C:\Windows\PolicyDefinitions)
  5. In the admx folder, open the appropriate language folder. For example, if you’re in the U.S., open the en-US folder.
  6. Copy the google.adml and chromeos.adml files to the matching language folder in your Policy Definition folder. (Example: C:\Windows\PolicyDefinitions\en-US)
  7. Open Group Policy to confirm the files loaded correctly. If an error occurs, it’s usually because the files are in an incorrect location. If needed, correct the locations and confirm again.

For more information, see Set up Chrome Browser on Windows.

Step 2: Did you set the correct type of policy?

Verify that you’re setting the Active Directory policies in the Google Chrome OS folder and not in the Google Chrome folder.

  1. In your Group Policy Management Editor (Computer or User Configuration folder), go to Policies and then Administrative Templates and then Google and then Google Chrome OS.
  2. Confirm that the folder contains your policies.

Step 3: Make sure you applied the policy to the correct organization

Troubleshoot computer policies

You need to verify that the policy is in a Group Policy Object (GPO) that's linked to the organizational unit that contains the device.

  1. Confirm that the organizational unit contains the Chrome device:
    1. Open Active Directory Users and Computers.
    2. Check that the device is listed in the correct organizational unit.
    3. If the device is in the wrong organizational unit, move the device to the correct one to ensure that your settings are applied to the device.
  2. Confirm that the GPO is linked to the organizational unit containing the device:
    1. Open the Group Policy Management Console.
    2. Select the organizational unit that should contain the device.
      On the right, you’ll see a list of GPOs linked to the organizational unit.
    3. If the GPO that contains the policy is not listed, you need to link it to the organizational unit.

Troubleshoot user policies

You need to verify that you set the policy in a GPO that's linked to the organizational unit that contains the user.

  1. Confirm that the organizational unit contains the user.
    1. Open Active Directory Users and Computers.
    2. Check that the user is listed in the correct organizational unit.
    3. If the user is in the wrong organizational unit, move the user to the correct one to ensure that your settings are applied to the user.
  2. Confirm that the GPO is linked to the organizational unit containing the user:
    1. Open the Group Policy Management Console.
    2. Select the organizational unit that should contain the user.
      On the right, you’ll see a list of GPOs linked to the organizational unit.
    3. If the GPO that contains the policy is not listed, you’ll need to link it to the organizational unit.

Step 4: Confirm the GPOs are loaded on your devices
  1. Get the Unique ID (UID) of the GPOs that you’re investigating:
    1. Open the Group Policy Management Console.
    2. Navigate to and select the GPO.
    3. On the Details tab, make a note of the UID of each GPO you’re investigating.
  2. Turn on Active Directory system logging:
    1. On a Chrome device, press Ctrl+Alt+T to open crosh terminal.
    2. Run the following command:
      authpolicy_debug 3
  3. On your Chromebook, open chrome://policy and click Reload policies.
  4. Open the file:///var/log/authpolicy.log file.
  5. Confirm that the log file contains the UIDs of your GPOs. If it doesn’t, your GPOs are not loading correctly and you need to:
    1. Recheck steps 1-3.
    2. If you cannot identify the problem, open a support ticket or file a bug that describes how to reproduce the problem. Include Chromad in the bug title.
  6. If the policy is parsed correctly, the log file should contain “Device policy”/“User policy” followed by a list of policy values. If the UID is listed but the policies don’t display, you need to check that the:
    1. GPO with that UID contains the policies you’re looking for.
    2. GPO status is enabled.
    3. GPO link is enabled.
  7. Open chrome://policy and confirm that the correct policies are listed.
  8. If your policies appear in the logs, but not on chrome://policy, check the logs for an invalid JSON string error.
  9. If you find an invalid JSON string error, check the policy value and run the code through a JSON validator to correct the error.
  10. If the log has no errors, open a support ticket or file a bug that describes the issue. Include Chromad in the bug title.
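
The checks in Step 4 can be run against a saved copy of authpolicy.log. The script below is an added example, not part of the original article or a Google tool: the log lines are constructed, the exact log wording is an assumption (only the "Device policy"/"User policy" and invalid JSON markers come from the steps above), and the function names are hypothetical.

```python
import json
import re

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample; real authpolicy.log lines are formatted differently.
SAMPLE_LOG = """\
authpolicy: Found GPO {11111111-2222-3333-4444-555555555555}
authpolicy: Device policy
authpolicy:   DeviceAllowBluetooth: true
authpolicy: Invalid JSON string in policy value
"""

def triage(log_text, gpo_uids):
    """Apply the Step 4 checks, in order, to a saved authpolicy.log."""
    seen = {g.lower() for g in GUID_RE.findall(log_text)}
    wanted = {u.strip("{}").lower() for u in gpo_uids}
    missing = sorted(wanted - seen)
    lines = log_text.splitlines()
    has_policies = any(re.search(r"\b(device|user) policy\b", l, re.I) for l in lines)
    json_errors = [l for l in lines if re.search(r"invalid json", l, re.I)]
    if missing:
        verdict = "GPO not loaded: recheck steps 1-3"
    elif not has_policies:
        verdict = "no policy values: check GPO contents, GPO status, GPO link"
    elif json_errors:
        verdict = "invalid JSON: validate the policy value"
    else:
        verdict = "parsed: compare with chrome://policy"
    return {"missing": missing, "json_errors": json_errors, "verdict": verdict}

def json_problem(value):
    """Return None for valid JSON, else where the parser stopped."""
    try:
        json.loads(value)
        return None
    except json.JSONDecodeError as e:
        return f"line {e.lineno}, column {e.colno}: {e.msg}"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["{11111111-2222-3333-4444-555555555555}"]))
    print(json_problem('{"url": "https://example.com",}'))
```

Pass the UIDs noted from the Details tab as the second argument; UIDs reported as missing never reached the device, which points back to the linking checks in Step 3.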

Devices still not working?

If you followed the troubleshooting steps above and are still having problems, you should collect information from the logs and use it to submit a bug report to Google.

To collect logs, you enable logging from a crosh terminal. If you can’t access a crosh terminal (Chrome isn't available), follow the instructions in Step 2: Collect logs during enrollment.

Step 1: Collect log files to report failed actions
  1. Turn on Active Directory system logging:
    1. On a Chrome device, press Ctrl+Alt+T to open crosh terminal.
    2. Run the following command:
      authpolicy_debug 3
      Note: Logging is turned off automatically after 30 minutes and after a restart.
  2. Open a new Chrome Browser tab.
  3. Perform the failed action that you want to log.
  4. Go to file:///var/log/messages and save the contents of the file.
  5. Turn off Active Directory logging:
    1. On a Chrome device, press Ctrl+Alt+T to open crosh terminal.
    2. Run the following command:
      authpolicy_debug 0

Step 2: Collect logs during enrollment (Optional)

If an error occurs during enrollment when Chrome OS isn’t available yet, follow these steps to gather logs:

  1. Start your device in developer mode. For detailed steps, see the Chromium website. 
  2. On the Join device to domain screen, press Ctrl+Alt+Forward Arrow to open a console.
  3. Enter root as the username.
  4. Enter the following commands:
    sudo -u chronos crosh
    authpolicy_debug 3
    exit
  5. Press Ctrl+Alt+Back Arrow to close the console.
  6. Reproduce the problem on your device.
  7. Press Ctrl+Alt+Forward Arrow to reopen a console.
  8. Use a mounted USB drive to get a copy of the /var/log/authpolicy.log and /var/log/messages files.
    Note: The mount location, such as /dev/sda1, depends on your system. To get the location, run the lsblk (list block devices) command before and after inserting the USB drive.
    Enter the following commands:
    mkdir /media/usb-drive
    mount /dev/sda1 /media/usb-drive
    cp /var/log/authpolicy.log /media/usb-drive
    cp /var/log/messages /media/usb-drive
    umount /media/usb-drive
    sync
  9. Remove the USB drive.

Step 3: Create a bug report
  1. Go to the Chromium website to log a new bug.
  2. Click New issue.
  3. Enter the Chrome version information and click Next.
  4. Select Enterprise and click Next.
  5. Enter Chromad to start the one-line summary.
  6. Enter a description of the issue and attach your log files.
  7. Click Submit.