I need someone to step me through setting up Group Policy restrictions. I thought I had them set correctly but evidently not. The situation is this - we have a school network running Windows Server 2003 and all the clients running Windows XP Pro. The goal is to restrict the students from saving profile changes when they log out and to prevent them from installing any applications. There is an OU called School Users with a sub-group called Students and that has sub-groups by grade level. Do I need to set these restriction at the main OU level? And could someone step me through what I need to do? I must be missing somehitng because what I did did not work and students profiles are growing way beyond what we want.