Add Google to IE search providers with GPO preferences

Dec 6th, 2011 | Posted by | Filed under Group Policy, Windows

There is no setting in group policy default templates for defining the list of Internet Explorer search providers. There is a KB article about how to create a custom template to add search providers to the list and this is probably that can be used in most cases. Another option is to use unattended.xml and configure search providers during deployment. But as I like different approaches and Group Policy Preferences so much, I decided to add Google to the list and set it as default via registry. This will give me more control over default provider setting and also allow users to change that.


REGISTRY SETTINGS

Everything about IE search providers is under a single registry key: “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes”. Each provider GUID has its own sub-key and the default provider is defined by “DefaultScope” string value directly under the root key. I’ve seen various GUIDs for Google search provider, but “{C47BCF4C-D6B5-4D90-9E7D-27CEEEA85E1E}” seems to be latest one for IE8 when adding it from Internet Explorer Gallery website.

image

Unfortunately each provider is defined by more than one value, so there are several values to set. What I did is to simply add Google search provider manually on some computer and then have a look at what are the values under “{C47BCF4C-D6B5-4D90-9E7D-27CEEEA85E1E}” key:

image

There are actually just two values that must be defined for search provider to appear and work:

  • DisplayName
  • URL (Value can be simply: http://www.google.com/q={searchTerms})

When using search recommendations these two must also be defined:

  • ShowSearchSuggestions
  • SuggestionsURL

Additionally, to make it look right, you might consider specifying icon URL as well:

  • FaviconURL
  • FaviconPath (will be created automatically when FaviconURL has been defined)

SET UP GROUP POLICY

Defining these registry settings in Group Policy Preferences is easy. Modify a policy that applies to users of interest and open “User Configuration” > “Preferences” > “Windows Settings” > “Registry” node in Group Policy Management Console (GPMC).

As there are several registry settings, it would be wise to group them by adding collection item first. I named it “IE Search Provider”

imageimage

Now there are two ways to add all the registry items. If Google search provider has been installed on same computer where GPMC is run then you can use “Registry Wizard” to import all the values from local machine:

image

imageimage

After selecting all needed values and completing the wizard there will be hierarchy of collections that reflect selected registry paths:

image

Second option is to add these values one by one manually:

image

The key paths for all items should be “Software\Microsoft\Internet Explorer\SearchScopes\{C47BCF4C-D6B5-4D90-9E7D-27CEEEA85E1E}”.

image

Once I’ve added “DisplayName”, “URL”, “ShowSearchSuggestions”, “SuggestionsURL” and “FaviconURL” values, the search provider is prepared. Then add registry item with “Update” action to change “DefaultScope” value in “Software\Microsoft\Internet Explorer\SearchScopes” key. This value specifies default search provider GUID:

image

As I wanted Google to be initially default search provider but allow users to change that later, I set this registry item to apply only once per user:

image

RESULTS

In the end I’ll have all values defined:

image

Once the user policy is applied, Google will be added to the list of search providers and it will be set as default.

image

IE 8+ CONSIDERATIONS

By now everything should work, but there’s another important consideration with IE8+ browsers. When policy changes default provider to something else than current provider, user will be notified of that change when starting the browser:

image

This is a feature called “Prevent programs from suggesting changes to my default search provider” and I don’t know of any ways around this. This prompt will only show when policy applies to user that has already run the browser earlier. If policy applies to user on first logon, he will not see this prompt because then the default provider has already been set by policy before browser starts.

So, when using Group Policy Preferences to configure search providers, consider that users might get this notification when default provider is changed.

  1. Dan
    Apr 4th, 2012 at 18:34
    Reply | Quote | #1

    I implemented this as you suggested, and it’s mostly working. What isn’t working, is that I don’t have an icon for Bing or Google (the only two providers I’m using). I’ve got the FaviconURL key, and it’s pointing to the correct web site, but both of my bing and google icons look like the default magnifying glass. Any ideas? I’m running Windows 7.

  2. Christjan Schumann
    Apr 5th, 2012 at 10:32
    Reply | Quote | #2

    Hi,
    I haven’t seen that behavior so far, but may be this article can help:
    http://davidcmoisan.wordpress.com/2009/11/09/missing-search-provider-icons-in-internet-explorer/

  3. jimbobmcgee
    Aug 13th, 2012 at 16:28
    Reply | Quote | #3

    The “Prevent programs from suggesting changes to my default search provider” value is controlled by a registry value, also: key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences; value 6256FFB019F8FDFBD36745B06F4540E9AEAF222A25. Feasibly, you can use GPP to delete this value and it will clear the checkbox.

    Of course, it’s not that simple as, when you check that option, IE also adds an explicit ‘deny’ ACE to that key’s ACL, for your user account. Old-school GPO allows you to overwrite registry permissions, but only for the Computer branch (i.e. not the Users branch).

    Instead, one way around this is to use GPP first to push across SetACL (http://helgeklein.com), then to schedule a task to run it to remove the ‘deny’ ACE. You will need to make sure you push across the correct x86/x64 version of SetACL (I push both and use the PROCESSOR_ARCHITECTURE environment variable to determine which to run, but you could use Item-Level Targetting if you have installed the necessary x64 hotfixes). Using an Immediate Task under the user branch, running as %LogonDomain%\%LogonUser%, you should be able to run SetACL:

    “%SYSTEMROOT%\SetACL.%PROCESSOR_ARCHITECTURE%.exe” -on “HKCU\Software\Microsoft\Internet Explorer\User Preferences” -ot reg -actn ace -ace “n:%LogonDomain%\%LogonUser%;p:full;m:set”

    Then you can use REG.EXE to delete the key:

    “%SYSTEMROOT%\system32\reg.exe” delete “HKCU\Software\Microsoft\Internet Explorer\User Preferences” /v 6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 /f

    Timing is the awkward factor here — the SetACL needs to run before the Reg.exe. If you are a Vista/7 shop, you can just add both of these as actions to your Immediate Task and they will be run in order, but if you have some XP clients, still, you will need to make this a batch file, push this along with your copy of SetACL and run that as the Immediate Task.

    If you have to go the batch file route, note that the token “%LogonDomain%\%LogonUser%” might not exist in the context of the batch file (e.g. they might only exist while the GPP is running, not when the task is running), so you might have to pass them as arguments to your batch file, or use the old-form %USERDOMAIN%\%USERNAME%, instead.

    Finally, of course, all of this has to run before the new Search Scope is added, so as to avoid the user prompt, so you might want to consider using Reg.exe to create the Search Scope too, either using a sequence of ‘add’ commands or maybe preferably the ‘import’ command — you could use GPP to push a *.reg file that contains both the deletion of the 6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 value and the creation of the DisplayName/URL/FaviconURLFallback/etc values and schedule that in your Immediate Task (after your SetACL).

    (If you were feeling particularly completist, you could use reg.exe’s ‘export’ command to back up the User Preferences, before you delete them, and put them back when you are done — then the checkbox would appear not to have been altered. You could also use SetACL to put the ‘deny’ ACE back as well).

    Of course, a batch file login script might be the easiest/most-explainable way to do this, but this was about using the features of GPP, not messing about with old tech!!

    J.

  4. Darren
    Feb 5th, 2013 at 19:11
    Reply | Quote | #4

    Can you post the XML of the GPP so we can recreate this easily ourselves? Just select all the rules you created and drag them out onto the desktop. Thanks!

  5. Christjan Schumann
    Feb 5th, 2013 at 21:29
    Reply | Quote | #5

    Darren, it’s a reasonable request, but unfortunately I’m not longer working in the organization where I used to create it, so I don’t have access to that. I hope the instructions in this article are still somewhat helpful to you.