Paolo Matarazzo
2022-11-23 10:37:22 -05:00
parent 3032b04c25
commit a0d3f02438
2 changed files with 166 additions and 183 deletions

View File

@ -45,45 +45,45 @@
href: /windows-hardware/design/device-experiences/oem-highly-secure
- name: Operating system security
items:
- name: Overview
href: operating-system.md
- name: System security
items:
- name: Secure the Windows boot process
href: information-protection/secure-the-windows-10-boot-process.md
- name: Trusted Boot
href: trusted-boot.md
- name: Cryptography and certificate management
href: cryptography-certificate-mgmt.md
- name: The Windows Security app
href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
items:
- name: Virus & threat protection
href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
- name: Account protection
href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
- name: Firewall & network protection
href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
- name: App & browser control
href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
- name: Device security
href: threat-protection\windows-defender-security-center\wdsc-device-security.md
- name: Device performance & health
href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
- name: Family options
href: threat-protection\windows-defender-security-center\wdsc-family-options.md
- name: Security policy settings
href: threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: threat-protection/auditing/security-auditing-overview.md
- name: Encryption and data protection
href: encryption-data-protection.md
items:
- name: Encrypted Hard Drive
href: information-protection/encrypted-hard-drive.md
- name: BitLocker
href: information-protection/bitlocker/bitlocker-overview.md
items:
- name: Overview
href: operating-system.md
- name: System security
items:
- name: Secure the Windows boot process
href: information-protection/secure-the-windows-10-boot-process.md
- name: Trusted Boot
href: trusted-boot.md
- name: Cryptography and certificate management
href: cryptography-certificate-mgmt.md
- name: The Windows Security app
href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
items:
- name: Virus & threat protection
href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
- name: Account protection
href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
- name: Firewall & network protection
href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
- name: App & browser control
href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
- name: Device security
href: threat-protection\windows-defender-security-center\wdsc-device-security.md
- name: Device performance & health
href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
- name: Family options
href: threat-protection\windows-defender-security-center\wdsc-family-options.md
- name: Security policy settings
href: threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: threat-protection/auditing/security-auditing-overview.md
- name: Encryption and data protection
href: encryption-data-protection.md
items:
- name: Encrypted Hard Drive
href: information-protection/encrypted-hard-drive.md
- name: BitLocker
href: information-protection/bitlocker/bitlocker-overview.md
items:
- name: Overview of BitLocker Device Encryption in Windows
href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
- name: BitLocker frequently asked questions (FAQ)
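Review bot: the re-indented Windows Security app child entries still carry backslash separators (`href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md` and its six siblings) while every other href in this hunk uses forward slashes; since these lines are already being rewritten, normalize them to `threat-protection/windows-defender-security-center/...` so that link resolution does not depend on the build host treating a backslash as a path separator.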
@ -155,21 +155,21 @@
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
href: information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
- name: Network security
items:
- name: VPN technical guide
href: identity-protection/vpn/vpn-guide.md
items:
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
href: information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
- name: Network security
items:
- name: VPN technical guide
href: identity-protection/vpn/vpn-guide.md
items:
- name: VPN connection types
href: identity-protection/vpn/vpn-connection-type.md
- name: VPN routing decisions
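Review bot: the rendered view drops leading whitespace, so the only thing this hunk changes (nesting depth of the PDE, S/MIME and Network security nodes) is not verifiable here; please confirm in the raw diff that `- name: Network security` ends up at the same level as `- name: Encryption and data protection` and is not nested under the Personal Data Encryption (PDE) node, since the `items:` line directly above `- name: Personal Data Encryption (PDE)` moved with it.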
@ -192,17 +192,17 @@
href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
- name: Optimizing Office 365 traffic with the Windows VPN client
href: identity-protection/vpn/vpn-office-365-optimization.md
- name: Windows Defender Firewall
href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
- name: Windows security baselines
href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
items:
- name: Windows Defender Firewall
href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
- name: Windows security baselines
href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
items:
- name: Security Compliance Toolkit
href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
- name: Get support
href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
- name: Virus & threat protection
items:
- name: Virus & threat protection
items:
- name: Overview
href: threat-protection/index.md
- name: Microsoft Defender Antivirus
@ -219,8 +219,8 @@
href: /microsoft-365/security/defender-endpoint/exploit-protection
- name: Microsoft Defender for Endpoint
href: /microsoft-365/security/defender-endpoint
- name: More Windows security
items:
- name: More Windows security
items:
- name: Override Process Mitigation Options to help enforce app-related security policies
href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
- name: Use Windows Event Forwarding to help with intrusion detection
@ -230,9 +230,9 @@
- name: Windows Information Protection (WIP)
href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
items:
- name: Create a WIP policy using Microsoft Intune
href: information-protection/windows-information-protection/overview-create-wip-policy.md
items:
- name: Create a WIP policy using Microsoft Intune
href: information-protection/windows-information-protection/overview-create-wip-policy.md
items:
- name: Create a WIP policy in Microsoft Intune
href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
items:
@ -244,26 +244,26 @@
href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
- name: Determine the enterprise context of an app running in WIP
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
- name: Create a WIP policy using Microsoft Configuration Manager
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
items:
- name: Create a WIP policy using Microsoft Configuration Manager
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
items:
- name: Create and deploy a WIP policy in Configuration Manager
href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
- name: Create and verify an EFS Data Recovery Agent (DRA) certificate
href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
- name: Determine the enterprise context of an app running in WIP
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
- name: Mandatory tasks and settings required to turn on WIP
href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
- name: Testing scenarios for WIP
href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
- name: Limitations while using WIP
href: information-protection/windows-information-protection/limitations-with-wip.md
- name: How to collect WIP audit event logs
href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
- name: General guidance and best practices for WIP
href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
items:
- name: Mandatory tasks and settings required to turn on WIP
href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
- name: Testing scenarios for WIP
href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
- name: Limitations while using WIP
href: information-protection/windows-information-protection/limitations-with-wip.md
- name: How to collect WIP audit event logs
href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
- name: General guidance and best practices for WIP
href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
items:
- name: Enlightened apps for use with WIP
href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
- name: Unenlightened and enlightened app behavior while using WIP
@ -272,36 +272,36 @@
href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
- name: Using Outlook Web Access with WIP
href: information-protection/windows-information-protection/using-owa-with-wip.md
- name: Fine-tune WIP Learning
href: information-protection/windows-information-protection/wip-learning.md
- name: Disable WIP
href: information-protection/windows-information-protection/how-to-disable-wip.md
- name: Fine-tune WIP Learning
href: information-protection/windows-information-protection/wip-learning.md
- name: Disable WIP
href: information-protection/windows-information-protection/how-to-disable-wip.md
- name: Application security
items:
- name: Overview
href: apps.md
- name: Windows Defender Application Control and virtualization-based protection of code integrity
href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Defender Application Control
href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
- name: Microsoft Defender Application Guard
href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
- name: Windows Sandbox
href: threat-protection/windows-sandbox/windows-sandbox-overview.md
items:
- name: Overview
href: apps.md
- name: Windows Defender Application Control and virtualization-based protection of code integrity
href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Defender Application Control
href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
- name: Microsoft Defender Application Guard
href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
- name: Windows Sandbox
href: threat-protection/windows-sandbox/windows-sandbox-overview.md
items:
- name: Windows Sandbox architecture
href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
- name: Windows Sandbox configuration
href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- name: Microsoft Defender SmartScreen overview
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
items:
- name: Microsoft Defender SmartScreen overview
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
items:
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
- name: Configure S/MIME for Windows
href: identity-protection\configure-s-mime.md
- name: Windows Credential Theft Mitigation Guide Abstract
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
- name: Configure S/MIME for Windows
href: identity-protection\configure-s-mime.md
- name: Windows Credential Theft Mitigation Guide Abstract
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
- name: User security and secured identity
items:
- name: Overview
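Review bot: `Configure S/MIME for Windows` is now listed twice, here under Application security (`identity-protection\configure-s-mime.md`) and earlier in this diff under Encryption and data protection (`identity-protection/configure-s-mime.md`), and `Windows Credential Theft Mitigation Guide Abstract` lives under `identity-protection\` yet sits under Application security rather than User security and secured identity. Suggest dropping the duplicate S/MIME entry, moving the credential-theft page next to the other identity-protection topics, and switching both hrefs to forward slashes to match the rest of the file.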
@ -342,15 +342,15 @@
items:
- name: Local Accounts
href: identity-protection/access-control/local-accounts.md
- name: User Account Control
href: identity-protection/user-account-control/user-account-control-overview.md
items:
- name: How User Account Control works
href: identity-protection/user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
- name: User Account Control Group Policy and registry key settings
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- name: User Account Control
href: identity-protection/user-account-control/user-account-control-overview.md
items:
- name: How User Account Control works
href: identity-protection/user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
- name: User Account Control Group Policy and registry key settings
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- name: Smart Cards
href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
items:
@ -396,14 +396,14 @@
href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
- name: Cloud services
items:
- name: Overview
href: cloud.md
- name: Mobile device management
href: /windows/client-management/mdm/
- name: Windows 365 Cloud PCs
href: /windows-365/overview
- name: Azure Virtual Desktop
href: /azure/virtual-desktop/
- name: Overview
href: cloud.md
- name: Mobile device management
href: /windows/client-management/mdm/
- name: Windows 365 Cloud PCs
href: /windows-365/overview
- name: Azure Virtual Desktop
href: /azure/virtual-desktop/
- name: Security foundations
items:
- name: Overview

View File

@ -1,7 +1,7 @@
---
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.date: 22/11/2022
ms.date: 11/22/2022
ms.collection:
- highpri
ms.topic: article
@ -222,7 +222,7 @@ Each of these approaches is described in the following sections.
### <a href="" id="sec-enforce-account-restrictions"></a>Enforce local account restrictions for remote access
The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
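Review bot: in the unchanged paragraph right after the rewritten UAC description, `until full rights, also called elevation, is requested and approved` pairs a plural subject with a singular verb; while this section is being touched, change it to `are requested and approved`.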
@ -254,70 +254,49 @@ The following table shows the Group Policy and registry settings that are used t
#### To enforce local account restrictions for remote access
1. Start the **Group Policy Management** Console (GPMC).
1. Start the **Group Policy Management** Console (GPMC)
1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects > New**
:::image type="content" source="images/localaccounts-proc1-sample1.png" alt-text="local accounts":::
1. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
:::image type="content" source="images/localaccounts-proc1-sample2.png" alt-text="local accounts":::
1. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**
:::image type="content" source="images/localaccounts-proc1-sample3.png" alt-text="local accounts":::
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
2. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
- Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and &gt; **Security Options**
- Double-click **User Account Control: Run all administrators in Admin Approval Mode** &gt; **Enabled** &gt; **OK**
- Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** &gt; **Enabled** &gt; **OK**
3. In the console tree, right-click **Group Policy Objects**, and &gt; **New**.
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
![local accounts 1.](images/localaccounts-proc1-sample1.png)
- Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
- Right-click **Registry**, and &gt; **New** &gt; **Registry Item**
4. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
:::image type="content" source="images/localaccounts-proc1-sample4.png" alt-text="local accounts":::
![local accounts 2.](images/localaccounts-proc1-sample2.png)
- In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
- Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
- Select (**…**), browse to the following location for **Key Path** &gt; **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- In the **Value name** area, type `LocalAccountTokenFilterPolicy`
- In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
- In the **Value data** box, ensure that the value is set to **0**
- Verify this configuration, and &gt; **OK**
5. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**.
:::image type="content" source="images/localaccounts-proc1-sample5.png" alt-text="local accounts":::
![local accounts 3.](images/localaccounts-proc1-sample3.png)
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
- Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
- Right-click the **Workstations > Link an existing GPO**
1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and &gt; **Security Options**.
:::image type="content" source="images/localaccounts-proc1-sample6.png" alt-text="local accounts":::
2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** &gt; **Enabled** &gt; **OK**.
3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** &gt; **Enabled** &gt; **OK**.
7. Ensure that the local account restrictions are applied to network interfaces by following these steps:
1. Navigate to Computer Configuration\\Preferences and Windows Settings, and &gt; **Registry**.
2. Right-click **Registry**, and &gt; **New** &gt; **Registry Item**.
![local accounts 4.](images/localaccounts-proc1-sample4.png)
3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**.
5. Select (**…**), browse to the following location for **Key Path** &gt; **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.
6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**.
7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value.
8. In the **Value data** box, ensure that the value is set to **0**.
9. Verify this configuration, and &gt; **OK**.
![local accounts 5.](images/localaccounts-proc1-sample5.png)
8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
1. Navigate to the &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;\\OU path.
2. Right-click the **Workstations** OU, and &gt; **Link an existing GPO**.
![local accounts 6.](images/localaccounts-proc1-sample6.png)
3. Select the GPO that you created, and &gt; **OK**.
9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
10. Create links to all other OUs that contain workstations.
11. Create links to all other OUs that contain servers.
- Select the GPO that you created, and &gt; **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers
### <a href="" id="sec-deny-network-logon"></a>Deny network logon to all local Administrator accounts
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.
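Review bot: the new OU navigation step `Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path` inverts the placeholders relative to the line it replaces (`&lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;\\OU`): `Domains` is the literal container, and Forest, Domain and OU are the placeholders; emphasis markers inside a code span also render as literal asterisks. Suggest `<Forest>\Domains\<Domain>\<OU>` inside the code span, matching the `&lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;` form the earlier step of this same procedure still uses. Two smaller points: `*Computer Configuration\Preferences and Windows Settings*` uses a single backslash where the sibling `Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\` step keeps `\\`, and the `LocalAccountTokenFilterPolicy` step is the security-critical one here (REG_DWORD `0` under `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` with Action `Replace` is what keeps remote UAC token filtering in force for local administrators), so it is worth stating in the step that `1` would disable the restriction rather than only "ensure that the value is set to 0".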
@ -325,8 +304,6 @@ Denying local accounts the ability to perform network logons can help prevent a
> [!NOTE]
> To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.
|No.|Setting|Detailed Description|
@ -341,12 +318,16 @@ The following table shows the Group Policy settings that are used to deny networ
#### To deny network logon to all local administrator accounts
1. Start the **Group Policy Management** Console (GPMC)
1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
1. In the console tree, right-click **Group Policy Objects**, and &gt; **New**.
1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects**, and &gt; **New**
1. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and then &gt; **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
![local accounts 7.](images/localaccounts-proc2-sample1.png)
1. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**
![local accounts 8.](images/localaccounts-proc2-sample2.png)
1. Configure the user rights to deny network logons for administrative local accounts as follows:
1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and &gt; **User Rights Assignment**
1. Double-click **Deny access to this computer from the network**
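Review bot: the unchanged line `type &lt;**gpo\_name**&gt;, and then &gt; **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts...` runs two clauses into one; since the adjacent lines are being edited anyway, split it the way the first procedure does: `where *gpo\_name* is the name of the new GPO. The GPO name indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer`.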
@ -356,15 +337,17 @@ The following table shows the Group Policy settings that are used to deny networ
1. Double-click **Deny log on through Remote Desktop Services**
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and &gt; **OK**
1. Link the GPO to the first **Workstations** OU as follows:
- Navigate to the &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;\\OU path
- Right-click the **Workstations** OU, and &gt; **Link an existing GPO**
- Select the GPO that you created, and &gt; **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
1. Create links to all other OUs that contain workstations.
1. Create links to all other OUs that contain servers.
> [!NOTE]
> You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers
> [!NOTE]
> You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
### Create unique passwords for local accounts with administrative rights