Category filter

Script to setup GCPW to specify allowed domains for device sign in

The following document describes how you can set GCPW allowed domains for device sign-in on Windows devices.

In an organization, ensuring secure access to any device is important. One of the several different ways of doing this is by limiting login access to the devices to allowed domains. On Windows devices, this can be achieved with the help of Google Credential Provider for Windows (GCPW) . GCPW allows users to sign in to their Windows devices using the Google account employed for work. It not only provides users access to the security features that come with their accounts but also enables admins to perform related settings on the devices. For instance, you can use GCPW to configure restrictions to ensure that only accounts belonging to specific domains within Google Workspace sign in to the device.

The following script installs GCPW and updates the GCPW Windows registry key whose value(s) determines the domains to be allowed during the login. This enhances security by ensuring that only specified domains can access Windows devices. Admins can deploy the following script to their Windows devices using Hexnode’s Execute Custom Script action.


The sample scripts provided below are adapted from third-party open-source sites.

PowerShell script

Script to set up GCPW to specify allowed domains

The script works in the following order:

  1. Initially, the approved domains are set to the ‘$domainsAllowedToLogin’ variable.
  2. The script determines the appropriate Google Credential Provider for Windows (GCPW) installer based on system architecture (32-bit or 64-bit).
  3. Downloads GCPW from Google’s servers “”.
  4. After installation, the script modifies the system’s registry ‘HKEY_LOCAL_MACHINE\Software\Google\GCPW’ to set a specific key with allowed domains for login.
  5. The script verifies if the registry modification matches the approved domains and confirms a successful configuration.
  6. The script provides error messages at each step if the setup encounters any issues.

What happens at the device end?

After deploying the script to Windows devices, GCPW is installed on the device and configures its registry based on the specified domains. An “Add work account” option will appear in the login window. When users attempt to sign in to their Google Workspace account using this option, they will only be granted access only if it belongs to the specified domain.

Sign in on Windows devices is restricted to allowed domains setup using GCPW

If they try to sign in from an unauthorized domain, an error message appears stating that the email isn’t permitted for sign-in.

Error message pops up at unauthorized login when GCPW is setup to configure allowed domains

This setup ensures a secure login experience across Windows devices within the organization.


  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.

  • Sample Script Repository