2. Press and hold or right-click the GPO. On the shortcut menu, the Link Enabled option should have a check mark to show it is enabled. Clear this option to remove the link.
CHAPTER 6: Managing users and computers with Group Policy
■ Centrally managing special folders
■ User and computer script management
■ Deploying software through Group Policy
■ Automatically configuring Work Folders
■ Automatically enrolling computer and user certificates
■ Managing Automatic Updates in Group Policy
You can use Group Policy to manage users and computers in many different ways. In the sections that follow, I’ll describe some specific management areas, including the following:
■ Folder redirection
■ Computer and user scripts
■ Software deployment
■ Work Folders options
■ Computer and user certificate enrollment
■ Automatic update settings
Centrally managing special folders
You can centrally manage special folders used by Windows Server through folder redirection. You do this by redirecting special folders to a central network location instead of using multiple default locations on each computer. For Windows Vista and later releases of Windows, the special folders you can manage are AppData (Roaming), Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, and Saved Games.
Note that even though current releases of Windows store personal folders in slightly different ways, you manage the folders in the same way within Group Policy.
You have two general options for redirection. You can redirect a special folder to the same network location for all users, or you can designate locations based on user membership in security groups. In either case, you should make sure that the network location you plan to use is available as a network share. See Chapter 4, “Data security and auditing,” for details on sharing data on a network.
By default, users can redirect folders no matter which computer they’re using within the domain. Windows 8.1 and Windows Server 2012 R2 enable you to modify this behavior by specifying from which computers a user can access roaming profiles and redirected folders. You do this by designating certain computers as primary computers, and then configuring domain policy to restrict the downloading of profiles, redirected folders, or both to primary computers. For more information, see Chapter 10, “Managing existing user and group accounts” in Windows Server 2012 R2: Essentials Configuration.
Redirecting a special folder to a single location
You can redirect a special folder to a single location by following these steps:
1. In the Group Policy Management Console (GPMC), press and hold or right-click the Group Policy object (GPO) for the site, domain, or organizational unit with which you want to work, and then tap or click Edit to open the policy editor for the GPO.
NOTE If you’d rather create a new GPO, press and hold or right-click the site, domain, or organizational unit, and then select Create A GPO… And Link It Here. In the New GPO dialog box, enter a name for the GPO, and then select OK.
2. In the policy editor, expand the following nodes: User Configuration, Policies, Windows Settings, and Folder Redirection.
3. Under Folder Redirection, press and hold or right-click the special folder with which you want to work, such as AppData(Roaming), and then tap or click Properties to open a Properties dialog box similar to the one shown in Figure 6–1.
4. In the Setting list on the Target tab, choose Basic - Redirect Everyone’s Folder To The Same Location.
FIGURE 6–1 Set options for redirection by using a special folder’s Properties dialog box.
5. Under Target Folder Location, you have several options depending on the folder with which you’re working, and those options include the following:
■ Redirect To The User’s Home Directory: If you select this option, the folder is redirected to a subdirectory within the user’s home directory. You set the location of the user’s home directory with the %HomeDrive% and %HomePath% environment variables.
■ Create A Folder For Each User Under The Root Path: If you select this option, a folder is created for each user at the location you enter in the Root Path text box. The folder name is the user account name as specified by %UserName%. Thus, if you enter the root path value \\Zeta\UserDocuments, the folder for Williams will be located at \\Zeta\UserDocuments\Williams.
■ Redirect To The Following Location: If you select this option, the folder is redirected to the location you enter in the Root Path text box. Here, you typically want to use an environment variable to customize the folder location for each user. For example, you could use the root path value \\Zeta\UserData\%UserName%\docs.
■ Redirect To The Local Userprofile Location: If you select this option, the folder is redirected to a subdirectory within the user profile directory. You set the location of the user profile with the %UserProfile% variable.
IMPORTANT When specifying the root path, be sure to specify the UNC path for the server and not a local path. The basic syntax for a UNC path is \\ServerName\ShareName, such as \\CorpServer38\CorpData.
6. Tap or click the Settings tab, configure the following additional options, and then tap or click OK to complete the process:
■ Grant The User Exclusive Rights To: Gives users full rights to access their data in the special folder.
■ Move The Contents Of FolderName To The New Location: Moves the data in the special folders from the individual systems on the network to the central folder or folders.
■ Also Apply Redirection Policy To: Applies the redirection policy to previous releases of Windows as well.
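The root-path rules from step 5 can be checked before a value is entered in the GPO. The following PowerShell function is an added example, not code from the book: Resolve-RedirectionTarget and its parameters are hypothetical names, and the server, share, and user names are the sample values used above.

```powershell
# Added example: validate a Folder Redirection root path and show where one
# user's folder would land. Function and parameter names are hypothetical.
function Resolve-RedirectionTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RootPath,
        [Parameter(Mandatory)] [string] $UserName,
        # PerUserFolder = "Create A Folder For Each User Under The Root Path"
        # FixedLocation = "Redirect To The Following Location"
        [ValidateSet('PerUserFolder', 'FixedLocation')]
        [string] $Mode = 'PerUserFolder',
        [switch] $TestReachable   # optionally probe the share over the network
    )

    # The root must be \\ServerName\ShareName[\subfolders], never a local path.
    $unc = '^(\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+)(\\.*)?$'
    if (-not ($RootPath -match $unc)) {
        throw "Root path '$RootPath' is not a UNC path (\\ServerName\ShareName)."
    }
    $share = $Matches[1]          # save before the next -match overwrites it

    if ($Mode -eq 'PerUserFolder') {
        # Windows appends the account name (%UserName%) to the root path.
        $target  = '{0}\{1}' -f $RootPath.TrimEnd('\'), $UserName
        $perUser = $true
    } else {
        # The path is used as entered, so it needs %UserName% to be per-user.
        $perUser = $RootPath -match '%UserName%'
        $target  = $RootPath -replace '%UserName%', $UserName.Replace('$', '$$')
    }

    $reachable = if ($TestReachable) { Test-Path -LiteralPath $share } else { $null }

    [pscustomobject]@{
        User           = $UserName
        Share          = $share
        Target         = $target
        PerUser        = $perUser      # $false means every user shares one folder
        ShareReachable = $reachable    # $null when -TestReachable was not used
    }
}

# Sample values from the text above.
Resolve-RedirectionTarget -RootPath '\\Zeta\UserDocuments' -UserName 'Williams'
Resolve-RedirectionTarget -RootPath '\\Zeta\UserData\%UserName%\docs' -UserName 'Williams' -Mode FixedLocation
# A local path is rejected, as the IMPORTANT note requires.
try { Resolve-RedirectionTarget -RootPath 'D:\UserDocuments' -UserName 'Williams' }
catch { Write-Warning $_.Exception.Message }
```

A result with PerUser set to False under FixedLocation means the root path has no %UserName% and all users would be redirected to the same folder.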
Redirecting a special folder based on group membership
You can redirect a special folder based on group membership by following these steps:
1. In the GPMC, press and hold or right-click the GPO for the site, domain, or organizational unit with which you want to work, and then tap or click Edit to open the policy editor for the GPO.
2. In the policy editor, expand the following nodes: User Configuration, Policies, Windows Settings, and Folder Redirection.
3. Under Folder Redirection, press and hold or right-click the special folder with which you want to work, such as AppData(Roaming), and then tap or click Properties.
4. In the Setting list on the Target tab, choose Advanced - Specify Locations For Various User Groups. As shown in Figure 6–2, a Security Group Membership panel is added to the Properties dialog box.