diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md
index 0bf7a79a16..552c86b75a 100644
--- a/windows/keep-secure/active-directory-security-groups.md
+++ b/windows/keep-secure/active-directory-security-groups.md
@@ -2231,6 +2231,7 @@ The Key Admins group applies to versions of the Windows Server operating system
 | Default members | None |
 | Default member of | None |
 | Protected by ADMINSDHOLDER? | No |
+| Safe to move out of default container? | Yes |
 | Safe to delegate management of this group to non-Service admins? | No |
 | Default User Rights | None |
 
@@ -3351,6 +3352,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv
 | Default members | None |
 | Default member of | None |
 | Protected by ADMINSDHOLDER? | No |
+| Safe to move out of default container? | Yes |
 | Safe to delegate management of this group to non-Service admins? | No |
 | Default User Rights | None |
 
@@ -3371,6 +3373,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper
 | Default members | Users |
 | Default member of | None |
 | Protected by ADMINSDHOLDER? | No |
+| Safe to move out of default container? | Yes |
 | Safe to delegate management of this group to non-Service admins? | No |
 | Default User Rights | None |
 
diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md
index 643a78aa1c..466562cc90 100644
--- a/windows/keep-secure/dynamic-access-control.md
+++ b/windows/keep-secure/dynamic-access-control.md
@@ -16,7 +16,7 @@ This overview topic for the IT professional describes Dynamic Access Control and
 
 Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
 
-For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS).
+For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/windows-server-docs/identity/solution-guides/dynamic-access-control--scenario-overview).
 
 Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.