In this guide, I’m going to show you how to delete Google Chrome’s cached logins using Powershell. I will also show you how to delete the Microsoft Edge cache of saved credentials as the process is very similar.
To do this, I am using a combination of Powershell and pushing it out with PDQ Deploy.
If you don’t have a deployment tool like PDQ, you can still follow this guide and instead push this out as Startup Task/batch file using a GPO.
Why delete saved logins?
In our corporate environment, we just finished implementing Bitwarden as our corporate password manager. The rollout went pretty well. (You may want to read up on the Bitwarden offboarding process if you choose to do the same at your company, though)
For this rollout to effective, we first pushed out Google Chrome Enterprise, Edge Enterprise, and Firefox Enterprise. Then, we added the .ADMX templates to our Domain Controller which allows us to manage everyone’s browser.
The first thing we did was block the install of unapproved extensions (and added Bitwarden to our Allowed Extensions list). Then, we force-installed Bitwarden using GPO.
After that, we sent a company email letting employees that they would no longer be able to sign & sync their personal gmail account into corporate browsers. We also blocked the ability to store passwords to Google Chrome. Once that change was made, it signed everyone’s gmail account out of their browser.
However, I quickly noticed that even though our users were completely signed out, there was still a cache of saved personal passwords. Disabling the “Browser sign-in settings” and “Disable synchronization of data with Google” in Group Policy Management doesn’t delete these passwords. So, I wrote a simple Powershell script that took care of this issue.
How It Works
This script is pretty simple and has two parts:
- Close Google Chrome.
- Delete a Login Data file (located at
C:\Users\username\AppData\Local\Google\Chrome\Default\Login Data\
)
The browser HAS to be closed otherwise it won’t delete this file. It’s also important to note that the Login Data file gets rebuilt everytime the browser is launched, so it’s best to do this once across the entire organization.
I turned this into a PDQ Package that runs both steps.
Powershell Script to Delete Chrome Saved Logins
Here is the script to close the Google Chrome process:
get-process chrome | stop-process -force
And here is the script to delete the Chrome “Login Data” file:
Remove-Item "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Login Data"
If you are using PDQ Deploy like I am, create a new package and add each script as a new step.
Under the first step, set the Error Mode to “Continue”. Otherwise, if you run this on a computer that already has Chrome closed, then Step 2 won’t run – which means it’ll fail and the passwords will not be removed.
Powershell Script to Delete Microsoft Edge Passwords
Just like the Chrome script, you’ll need to close down Edge first and then delete the Login Data file.
taskkill /IM msedge.exe /F
Remove-Item "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
And if using PDQ Deploy for this one as well, make sure to set the Error Mode of Step 1 to “Continue” as well.
Powershell Script to Find & Delete Chrome/Edge Password Exports
This one is optional, but I found it pretty useful. I’m sure if you are implementing a password manager like Bitwarden then you have told your employees to “export your passwords from Chrome by X date, otherwise they will be deleted”.
Chances are many people will export them and import them into their new corporate password manager. However, many will also forget to delete the exported .CSV file which is a huge security concern considering all logins in the .csv are in plain text.
I’m sure there’s a better way to write this powershell script, but here’s what I used and pushed out via PDQ Deploy. This basically checks the Desktop and Downloads folders of all users and deletes the default exported file name. I put this in a PDQ Deploy package and pushed out to all users.
If(Test-Path "C:\users\*\downloads\Microsoft Edge Passwords.csv") { Remove-Item "C:\users\*\downloads\Microsoft Edge Passwords.csv" }
If(Test-Path "C:\users\*\desktop\Microsoft Edge Passwords.csv") { Remove-Item "C:\users\*\desktop\Microsoft Edge Passwords.csv" }
If(Test-Path "C:\users\*\downloads\Chrome Passwords.csv") { Remove-Item "C:\users\*\downloads\Chrome Passwords.csv" }
If(Test-Path "C:\users\*\desktop\Chrome Passwords.csv") { Remove-Item "C:\users\*\desktop\Chrome Passwords.csv" }
Testing It Out
After your package has been created, simply target a list of computers and push it out! I would recommend testing this out against your own computer first or your IT department.
Once it’s ran, you should see your browser force close. The next time you open Chrome, type chrome://settings/passwords into the address bar. You should now see that all passwords have been permanently deleted.
Wrapping Up
All in all, this was a pretty simply way to remove all Chrome/Edge/Firefox passwords from a web browser using Powershell.
I would HIGHLY recommend getting buy-in from your HR department before rolling this out, as well as giving your employees an adequate length of time to import their passwords from Google Chrome into the password manager your company has chosen.
Otherwise, your helpdesk is going to get blown up with password reset requests and you’ll have a lot of unhappy employees when they can’t log into anything.
Hi Danny,
I have tried to use the script to clear passwords from edge. Its deleting the local.data file but not clearing the passwords.
WHat am I missing
Have you confirmed if it’s successfully killing the Microsoft Edge process first before deleting that local data file?
@Shri
I noticed that there are two possible scenarios why may this occur, Edge didn’t shut down fully or your left profile synchronization ON.
For the first issue, I added “Sleep 5” to my powershell script after stopping edge (I am deploying powershell script via Intune) and that fixed it, For the second issue just make sure synchronization is off in Edge (at least for passwords, you can leave the rest of them on).
Is this file path still valid for Chrome 101.0.4951.67 ? I am not seeing this file in the User Data folder. I do see a folder for “Profile 3” which has the Login Data file in it.
@Robert
Yes, it is but if you removed the original profile manually and created a new profile (in Chrome) the Default folder gets replaced with Profile 1, Profile 2, etc… depending on how many times you removed the profile.
Hi Danny, it works but as you said “the Login Data file gets rebuilt everytime the browser is launched”. Everytime Chrome is lauched the credentials reappears., is it possible to remove this re-creation without going into web interface and for entire organization?
The file will always rebuild when launched. You would need to run the Powershell script via PDQ Deploy or similar to delete the credentials for every endpoint, but the browser needs to be closed first.