diff --git a/windows/keep-secure/active-directory-accounts.md b/windows/keep-secure/active-directory-accounts.md
index e0fb926735..3b4ee0e979 100644
--- a/windows/keep-secure/active-directory-accounts.md
+++ b/windows/keep-secure/active-directory-accounts.md
@@ -474,7 +474,7 @@ Each default local account in Active Directory has a number of account settings
 <td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
 <div class="alert">
 <strong>Note</strong>  
-<p>DES is not enabled by default in Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, Windows 8, and Windows 8.1. For these operating systems, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
+<p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
 </div>
 <div>
  
diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md
index 195f566716..643a78aa1c 100644
--- a/windows/keep-secure/dynamic-access-control.md
+++ b/windows/keep-secure/dynamic-access-control.md
@@ -132,7 +132,7 @@ If clients do not recognize Dynamic Access Control, there must be a two-way trus
 
 If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
 
-A file server running Windows Server 2012 or Windows Server 2012 R2 must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
+A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
 
 ## See also
 
diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md
index 8497689ccc..e6ce184f9e 100644
--- a/windows/keep-secure/local-accounts.md
+++ b/windows/keep-secure/local-accounts.md
@@ -386,7 +386,7 @@ The following table shows the Group Policy settings that are used to deny networ
 <td><p>Policy name</p></td>
 <td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p>
 <p>(Windows Server 2008 R2 and later.)</p>
-<p>Deny logon through Terminal Services</p>
+<p>Deny logon through Remote Desktop Services</p>
 <p>(Windows Server 2008)</p></td>
 </tr>
 <tr class="odd">
@@ -437,23 +437,16 @@ The following table shows the Group Policy settings that are used to deny networ
 
     1.  Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
 
-        **Note**  
-        Depending on the Windows operating system, you can choose the name of the Remote Interactive logon user right.
+    2.  Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**.
 
-         
-
-    2.  On computers that run Windows Server 2008, double-click **Deny logon through Terminal Services**, and then select **Define these policy settings**.
-
-    3.  On computers running Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2, double-click **Deny logon through Remote Desktop Services**, and then select **Define these settings**.
-
-    4.  Click **Add User or Group**, type the user name of the default Administrator account, and &gt; **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+    3.  Click **Add User or Group**, type the user name of the default Administrator account, and &gt; **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
 
         **Important**  
         In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group.
 
          
 
-    5.  For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and &gt; **OK**.
+    4.  For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and &gt; **OK**.
 
 8.  Link the GPO to the first **Workstations** OU as follows:
 
diff --git a/windows/keep-secure/microsoft-accounts.md b/windows/keep-secure/microsoft-accounts.md
index 2c38dba1d0..6fe85fb192 100644
--- a/windows/keep-secure/microsoft-accounts.md
+++ b/windows/keep-secure/microsoft-accounts.md
@@ -155,14 +155,6 @@ Within your organization, you can set application control policies to regulate a
 
 ## See also
 
+- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
 
-[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
-
-
- 
-
- 
-
-
-
-
+- [Access Control Overview](access-control.md)
diff --git a/windows/keep-secure/security-identifiers.md b/windows/keep-secure/security-identifiers.md
index 76c632236f..72f2b8e95b 100644
--- a/windows/keep-secure/security-identifiers.md
+++ b/windows/keep-secure/security-identifiers.md
@@ -41,7 +41,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
 
 ## Security identifier architecture
 
-A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, the Windows Server 2012 operating system), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
+A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
 
 ![](images/security-identifider-architecture.jpg)
 
diff --git a/windows/keep-secure/security-principals.md b/windows/keep-secure/security-principals.md
index c91126837d..8bf4f7abd7 100644
--- a/windows/keep-secure/security-principals.md
+++ b/windows/keep-secure/security-principals.md
@@ -138,10 +138,6 @@ For descriptions and settings information about the domain security groups that
 
 For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
 
- 
-
- 
-
-
-
+## See also
 
+- [Access Control Overview](access-control.md)
\ No newline at end of file