Deployment Guide
Windows Group Policy Deployment
Deploy and configure Ghostery across your Windows domain using Active Directory Group Policy Objects (GPO). This guide covers force installation and managed configuration for Chrome, Edge, and Firefox browsers.
Prerequisites
- Windows Server with Active Directory Domain Services
- Group Policy Management Console (GPMC)
- Administrative access to create/edit GPOs
- Browser-specific ADMX templates installed
ADMX Templates
Before configuring browser extension policies, you need the appropriate ADMX administrative templates installed on your domain controller or local machine.
Download Links
| Browser | ADMX Templates |
|---|---|
| Google Chrome | Chrome Enterprise Bundle |
| Microsoft Edge | Microsoft Edge for Business |
| Mozilla Firefox | Mozilla Policy Templates |
Installing ADMX Templates
- Download the template package for your target browser from the links above.
- Extract the ADMX files from the downloaded package.
-
Copy files to PolicyDefinitions:
- Domain-wide:
\\domain\SYSVOL\domain\Policies\PolicyDefinitions\ - Local machine:
C:\Windows\PolicyDefinitions\
- Domain-wide:
-
Copy language files (ADML) to the appropriate language subfolder (e.g.,
en-US).
Deploy to Google Chrome
Force Install the Extension
- Open Group Policy Management and create or edit a GPO linked to your target OU.
-
Navigate to:
Computer Configuration → Administrative Templates → Google → Google Chrome → Extensions - Enable "Configure the list of force-installed apps and extensions"
-
Add the following entry:
mlomiejdfkolichcflejclcbmpeaniij;https://clients2.google.com/service/update2/crx
Configure Extension Settings
To configure Ghostery behavior (disable onboarding, lock settings, etc.), add registry entries under:
HKLM\Software\Policies\Google\Chrome\3rdparty\extensions\mlomiejdfkolichcflejclcbmpeaniij\policyAdd the following registry values:
| Name | Type | Value |
|---|---|---|
disableOnboarding |
REG_DWORD | 1 |
disableUserControl |
REG_DWORD | 1 |
customFilters |
Subkey with numbered REG_SZ values | 1="||ads.example.com^", 2="example.com##.banner-ad" |
Tip: Use a GPO Preferences Registry item to deploy these values across your domain.
Custom Filters Examples
The customFilters policy accepts an array of adblock filter rules. In the registry, this is stored as a subkey with numbered REG_SZ values (starting at 1). Filters fall into two categories: network filters (block/allow HTTP requests) and cosmetic filters (hide page elements).
Network Filters
| Rule Type | Syntax | Example |
|---|---|---|
| Block domain | ||domain^ |
||tracking.vendor.com^ |
| Block URL path | ||domain/path |
||analytics.com/collect |
| Block third-party only | ||domain^$third-party |
||pixel-tracker.com^$third-party |
| Block scripts | ||domain^$script |
||ads.vendor.com^$script |
| Block XHR/fetch | ||domain^$xhr |
||telemetry.service.com^$xhr |
| Block images | ||domain/path$image |
||tracker.com/pixel.gif$image |
| Redirect to no-op | ||domain^$redirect=noopjs |
||ads.vendor.com/sdk.js$redirect=noopjs |
| Combined modifiers | ||domain^$mod1,mod2 |
||ads.vendor.com^$script,third-party |
| Exception (whitelist) | @@||domain^ |
@@||cdn.company.com^ |
| Disable element hiding | @@||domain^$elemhide |
@@||intranet.company.com^$elemhide |
Cosmetic Filters
| Rule Type | Syntax | Example |
|---|---|---|
| Hide by class | domain##.class |
intranet.company.com##.promo-banner |
| Hide by ID | domain###id |
portal.company.com###ad-sidebar |
| Hide by attribute | domain##[attr="val"] |
company.com##[data-role="advertisement"] |
| Hide with :has() | domain##.el:has(.child) |
company.com##div:has(> .sponsored-label) |
| Hide globally | ##.class |
##.cookie-consent-popup |
| Scriptlet injection | domain##+js(name, args) |
company.com##+js(set, ads.enabled, false) |
| Cosmetic exception | domain#@#.class |
intranet.company.com#@#.banner |
To deploy custom filters via a .reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\mlomiejdfkolichcflejclcbmpeaniij\policy\customFilters]
"1"="||tracking.vendor.com^"
"2"="||telemetry.service.com^$xhr"
"3"="||ads.vendor.com^$script,third-party"
"4"="intranet.company.com##.promo-banner"
"5"="portal.company.com###ad-sidebar"
"6"="@@||cdn.company.com^"
"7"="saas-tool.com##+js(set, ads.enabled, false)"Or via PowerShell in a GPO startup script:
$regPath = "HKLM:\Software\Policies\Google\Chrome\3rdparty\extensions\mlomiejdfkolichcflejclcbmpeaniij\policy\customFilters"
New-Item -Path $regPath -Force
$filters = @(
'||tracking.vendor.com^',
'||telemetry.service.com^$xhr',
'||ads.vendor.com^$script,third-party',
'intranet.company.com##.promo-banner',
'portal.company.com###ad-sidebar',
'@@||cdn.company.com^',
'saas-tool.com##+js(set, ads.enabled, false)'
)
for ($i = 0; $i -lt $filters.Count; $i++) {
New-ItemProperty -Path $regPath -Name ($i + 1) -Value $filters[$i] -PropertyType String -Force
}Tip: See the Policy Reference for the complete filter syntax reference including all network modifiers, scriptlets, and advanced selectors.
Deploy to Microsoft Edge
Force Install the Extension
- Open Group Policy Management and create or edit a GPO linked to your target OU.
-
Navigate to:
Computer Configuration → Administrative Templates → Microsoft Edge → Extensions - Enable "Control which extensions are installed silently"
-
Add the following entry:
fclbdkbhjlgkbpfldjodgjncejkkjcme;https://edge.microsoft.com/extensionwebstorebase/v1/crx
Configure Extension Settings
Configure Ghostery settings via registry under:
HKLM\Software\Policies\Microsoft\Edge\3rdparty\extensions\fclbdkbhjlgkbpfldjodgjncejkkjcme\policyUse the same registry values as Chrome (see table above).
Deploy to Mozilla Firefox
Firefox extension deployment via GPO requires a different approach using managed storage manifests.
Force Install the Extension
- Open Group Policy Management and edit your GPO.
-
Navigate to:
Computer Configuration → Administrative Templates → Mozilla → Firefox → Extensions - Enable "Extensions to Install"
-
Add the Firefox Add-ons URL:
https://addons.mozilla.org/firefox/downloads/latest/ghostery/latest.xpi
Configure Extension Settings
Firefox uses a JSON manifest file for managed storage. Create a file with the following content:
{
"name": "firefox@ghostery.com",
"description": "Ghostery managed configuration",
"type": "storage",
"data": {
"disableOnboarding": true,
"disableUserControl": true,
"trustedDomains": ["your-company.com"]
}
}-
Save this file to a network share accessible by all computers, e.g.:
\\domain\NETLOGON\ghostery\ghostery-config.json -
Create a registry key pointing to this file:
HKLM\SOFTWARE\Mozilla\ManagedStorage\firefox@ghostery.com
Set the (Default) value to the full path of your JSON file.
Verify Deployment
After applying the GPO and running gpupdate /force on target machines:
Chrome
Navigate to chrome://policy and verify the extension appears in the ExtensionInstallForcelist.
Edge
Navigate to edge://policy and verify the extension appears in the force-install list.
Firefox
Navigate to about:policies and verify the extension is listed under Extensions.
Need Help?
Our enterprise support team is ready to assist with your deployment.
Contact Enterprise Support