Category filter
Script to setup GCPW to specify allowed domains for device sign in
In an organization, ensuring secure access to any device is important. One of the several different ways of doing this is by restricting login access to the devices to allowed domains. On Windows devices, this can be achieved with the help of Google Credential Provider for Windows (GCPW) . GCPW allows users to sign in to their Windows devices using the Google account employed for work. It not only provides users access to the security features that come with their accounts but also enables admins to perform related settings on the devices. For instance, you can use GCPW to configure restrictions to ensure that only accounts belonging to specific domains within Google Workspace sign in to the device.
The following script installs GCPW and updates the GCPW Windows registry key whose value(s) determines the domains to be allowed during the login. This enhances security by ensuring that only specified domains can access Windows devices. Admins can deploy the following script to their Windows devices using Hexnode’s Execute Custom Script action.
The sample scripts provided below are adapted from third-party open-source sites.
PowerShell script
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
try { <# Specify domains which are allowed to login #> $domainsAllowedToLogin = "domain.com" <# Multiple domains should be comma separated eg: $domainsAllowedToLogin = "professional.com,commercial.com" #> <# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #> $gcpwFileName = 'gcpwstandaloneenterprise.msi' if ([Environment]::Is64BitOperatingSystem) { $gcpwFileName = 'gcpwstandaloneenterprise64.msi' } <# File download Path#> $downloadPath = "C:\Hexnode\gcpw.msi" <# Download the GCPW installer. #> $gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/' $gcpwUri = $gcpwUrlPrefix + $gcpwFileName $client = new-object System.Net.WebClient $client.DownloadFile($gcpwUri, $downloadPath) Write-Host "Download completed successfully!" <# Run the GCPW installer and wait for the installation to finish #> $arguments = "/i `"$downloadPath`"" $installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait) <# Check if installation was successful #> if ($installProcess.ExitCode -ne 0) { Write-Host 'Installation failed!' exit $installProcess.ExitCode } else { Write-Host 'Installation completed successfully!' } <# Set the required registry key with the allowed domains #> $registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW' $name = 'domains_allowed_to_login' [microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin) $domains = Get-ItemPropertyValue HKLM:\Software\Google\GCPW -Name $name if ($domains -eq $domainsAllowedToLogin) { Write-Host 'Configuration completed successfully!' } else { Write-Host 'Could not write to registry. Configuration was not completed.' } } catch { Write-Host $_.Exception.Message } |
The script works in the following order:
- Initially, the approved domains are set to the ‘$domainsAllowedToLogin’ variable.
- The script determines the appropriate Google Credential Provider for Windows (GCPW) installer based on system architecture (32-bit or 64-bit).
- Downloads GCPW from Google’s servers “https://dl.google.com/credentialprovider/”.
- After installation, the script modifies the system’s registry ‘HKEY_LOCAL_MACHINE\Software\Google\GCPW’ to set a specific key with allowed domains for login.
- The script verifies if the registry modification matches the approved domains and confirms a successful configuration.
- The script provides error messages at each step if the setup encounters any issues.
What happens at the device end?
After deploying the script to Windows devices, GCPW is installed on the device and configures its registry based on the specified domains. An “Add work account” option will appear in the login window. When users attempt to sign in to their Google Workspace account using this option, they will only be granted access only if it belongs to the specified domain.
If they try to sign in from an unauthorized domain, an error message appears stating that the email isn’t permitted for sign-in.
This setup ensures a secure login experience across Windows devices within the organization.
- It is recommended to manually validate the script execution on a system before executing the action in bulk.
- Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.
