updates

2025-06-16 10:53:43 +00:00 · 2022-11-23 10:37:22 -05:00
parent 3032b04c25
commit a0d3f02438
2 changed files with 166 additions and 183 deletions
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@ -45,45 +45,45 @@
      href: /windows-hardware/design/device-experiences/oem-highly-secure
 - name: Operating system security
  items:
-   - name: Overview
+    - name: Overview
-     href: operating-system.md
+      href: operating-system.md
-   - name: System security
+    - name: System security
-     items:
+      items:
-     - name: Secure the Windows boot process
+      - name: Secure the Windows boot process
-       href: information-protection/secure-the-windows-10-boot-process.md
+        href: information-protection/secure-the-windows-10-boot-process.md
-     - name: Trusted Boot
+      - name: Trusted Boot
-       href: trusted-boot.md
+        href: trusted-boot.md
-     - name: Cryptography and certificate management
+      - name: Cryptography and certificate management
-       href: cryptography-certificate-mgmt.md
+        href: cryptography-certificate-mgmt.md
-     - name: The Windows Security app
+      - name: The Windows Security app
-       href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
+        href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
-       items:
+        items:
-       - name: Virus & threat protection
+        - name: Virus & threat protection
-         href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+          href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
-       - name: Account protection
+        - name: Account protection
-         href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
+          href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
-       - name: Firewall & network protection
+        - name: Firewall & network protection
-         href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+          href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
-       - name: App & browser control
+        - name: App & browser control
-         href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+          href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
-       - name: Device security
+        - name: Device security
-         href: threat-protection\windows-defender-security-center\wdsc-device-security.md
+          href: threat-protection\windows-defender-security-center\wdsc-device-security.md
-       - name: Device performance & health
+        - name: Device performance & health
-         href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+          href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
-       - name: Family options
+        - name: Family options
-         href: threat-protection\windows-defender-security-center\wdsc-family-options.md
+          href: threat-protection\windows-defender-security-center\wdsc-family-options.md
-     - name: Security policy settings
+      - name: Security policy settings
-       href: threat-protection/security-policy-settings/security-policy-settings.md
+        href: threat-protection/security-policy-settings/security-policy-settings.md
-     - name: Security auditing
+      - name: Security auditing
-       href: threat-protection/auditing/security-auditing-overview.md
+        href: threat-protection/auditing/security-auditing-overview.md
-   - name: Encryption and data protection
+    - name: Encryption and data protection
-     href: encryption-data-protection.md
+      href: encryption-data-protection.md
-     items:
+      items:
-     - name: Encrypted Hard Drive
+      - name: Encrypted Hard Drive
-       href: information-protection/encrypted-hard-drive.md
+        href: information-protection/encrypted-hard-drive.md
-     - name: BitLocker
+      - name: BitLocker
-       href: information-protection/bitlocker/bitlocker-overview.md
+        href: information-protection/bitlocker/bitlocker-overview.md
-       items:
+        items:
        - name: Overview of BitLocker Device Encryption in Windows
          href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
        - name: BitLocker frequently asked questions (FAQ)
@ -155,21 +155,21 @@
                  href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
                - name: Decode Measured Boot logs to track PCR changes
                  href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
-     - name: Personal Data Encryption (PDE)
+      - name: Personal Data Encryption (PDE)
-       items:
+        items:
-       - name: Personal Data Encryption (PDE) overview
+        - name: Personal Data Encryption (PDE) overview
-         href: information-protection/personal-data-encryption/overview-pde.md
+          href: information-protection/personal-data-encryption/overview-pde.md
-       - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
+        - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
-         href: information-protection/personal-data-encryption/faq-pde.yml
+          href: information-protection/personal-data-encryption/faq-pde.yml
-       - name: Configure Personal Data Encryption (PDE) in Intune
+        - name: Configure Personal Data Encryption (PDE) in Intune
-         href: information-protection/personal-data-encryption/configure-pde-in-intune.md    
+          href: information-protection/personal-data-encryption/configure-pde-in-intune.md    
-     - name: Configure S/MIME for Windows
+      - name: Configure S/MIME for Windows
-       href: identity-protection/configure-s-mime.md
+        href: identity-protection/configure-s-mime.md
-   - name: Network security
+    - name: Network security
-     items:
+      items:
-     - name: VPN technical guide
+      - name: VPN technical guide
-       href: identity-protection/vpn/vpn-guide.md
+        href: identity-protection/vpn/vpn-guide.md
-       items:
+        items:
        - name: VPN connection types
          href: identity-protection/vpn/vpn-connection-type.md
        - name: VPN routing decisions
@ -192,17 +192,17 @@
          href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
        - name: Optimizing Office 365 traffic with the Windows VPN client
          href: identity-protection/vpn/vpn-office-365-optimization.md
-     - name: Windows Defender Firewall
+      - name: Windows Defender Firewall
-       href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+        href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
-   - name: Windows security baselines
+    - name: Windows security baselines
-     href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+      href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
-     items:
+      items:
      - name: Security Compliance Toolkit
        href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
      - name: Get support
        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
-   - name: Virus & threat protection
+    - name: Virus & threat protection
-     items:
+      items:
      - name: Overview
        href: threat-protection/index.md
      - name: Microsoft Defender Antivirus
@ -219,8 +219,8 @@
        href: /microsoft-365/security/defender-endpoint/exploit-protection
      - name: Microsoft Defender for Endpoint
        href: /microsoft-365/security/defender-endpoint
-   - name: More Windows security
+    - name: More Windows security
-     items:
+      items:
      - name: Override Process Mitigation Options to help enforce app-related security policies
        href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
      - name: Use Windows Event Forwarding to help with intrusion detection
@ -230,9 +230,9 @@
      - name: Windows Information Protection (WIP)
        href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
        items:
-         - name: Create a WIP policy using Microsoft Intune
+          - name: Create a WIP policy using Microsoft Intune
-           href: information-protection/windows-information-protection/overview-create-wip-policy.md
+            href: information-protection/windows-information-protection/overview-create-wip-policy.md
-           items:
+            items:
            - name: Create a WIP policy in Microsoft Intune
              href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
              items:
@ -244,26 +244,26 @@
              href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
            - name: Determine the enterprise context of an app running in WIP
              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
-         - name: Create a WIP policy using Microsoft Configuration Manager
+          - name: Create a WIP policy using Microsoft Configuration Manager
-           href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+            href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
-           items:
+            items:
            - name: Create and deploy a WIP policy in Configuration Manager
              href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
              href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
            - name: Determine the enterprise context of an app running in WIP
              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
-         - name: Mandatory tasks and settings required to turn on WIP
+          - name: Mandatory tasks and settings required to turn on WIP
-           href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
+            href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
-         - name: Testing scenarios for WIP
+          - name: Testing scenarios for WIP
-           href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
+            href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
-         - name: Limitations while using WIP
+          - name: Limitations while using WIP
-           href: information-protection/windows-information-protection/limitations-with-wip.md
+            href: information-protection/windows-information-protection/limitations-with-wip.md
-         - name: How to collect WIP audit event logs
+          - name: How to collect WIP audit event logs
-           href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+            href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
-         - name: General guidance and best practices for WIP
+          - name: General guidance and best practices for WIP
-           href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+            href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
-           items:
+            items:
            - name: Enlightened apps for use with WIP
              href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
            - name: Unenlightened and enlightened app behavior while using WIP
@ -272,36 +272,36 @@
              href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
            - name: Using Outlook Web Access with WIP
              href: information-protection/windows-information-protection/using-owa-with-wip.md
-         - name: Fine-tune WIP Learning
+          - name: Fine-tune WIP Learning
-           href: information-protection/windows-information-protection/wip-learning.md
+            href: information-protection/windows-information-protection/wip-learning.md
-         - name: Disable WIP
+          - name: Disable WIP
-           href: information-protection/windows-information-protection/how-to-disable-wip.md
+            href: information-protection/windows-information-protection/how-to-disable-wip.md
 - name: Application security
  items:
-   - name: Overview
+    - name: Overview
-     href: apps.md
+      href: apps.md
-   - name: Windows Defender Application Control and virtualization-based protection of code integrity
+    - name: Windows Defender Application Control and virtualization-based protection of code integrity
-     href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+      href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
-   - name: Windows Defender Application Control
+    - name: Windows Defender Application Control
-     href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
+      href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
-   - name: Microsoft Defender Application Guard
+    - name: Microsoft Defender Application Guard
-     href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
+      href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
-   - name: Windows Sandbox
+    - name: Windows Sandbox
-     href: threat-protection/windows-sandbox/windows-sandbox-overview.md
+      href: threat-protection/windows-sandbox/windows-sandbox-overview.md
-     items:
+      items:
        - name: Windows Sandbox architecture
          href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
        - name: Windows Sandbox configuration
          href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
-   - name: Microsoft Defender SmartScreen overview
+    - name: Microsoft Defender SmartScreen overview
-     href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+      href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
-     items:
+      items:
        - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
          href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
-   - name: Configure S/MIME for Windows
+    - name: Configure S/MIME for Windows
-     href: identity-protection\configure-s-mime.md
+      href: identity-protection\configure-s-mime.md
-   - name: Windows Credential Theft Mitigation Guide Abstract
+    - name: Windows Credential Theft Mitigation Guide Abstract
-     href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
+      href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
 - name: User security and secured identity
  items:
    - name: Overview
@ -342,15 +342,15 @@
      items:
        - name: Local Accounts
          href: identity-protection/access-control/local-accounts.md
-        - name: User Account Control
+    - name: User Account Control
-          href: identity-protection/user-account-control/user-account-control-overview.md
+      href: identity-protection/user-account-control/user-account-control-overview.md
-          items:
+      items:
-            - name: How User Account Control works
+        - name: How User Account Control works
-              href: identity-protection/user-account-control/how-user-account-control-works.md
+          href: identity-protection/user-account-control/how-user-account-control-works.md
-            - name: User Account Control security policy settings
+        - name: User Account Control security policy settings
-              href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
+          href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
-            - name: User Account Control Group Policy and registry key settings
+        - name: User Account Control Group Policy and registry key settings
-              href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+          href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
    - name: Smart Cards
      href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
      items:
@ -396,14 +396,14 @@
              href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
 - name: Cloud services
  items:
-   - name: Overview
+    - name: Overview
-     href: cloud.md
+      href: cloud.md
-   - name: Mobile device management
+    - name: Mobile device management
-     href: /windows/client-management/mdm/
+      href: /windows/client-management/mdm/
-   - name: Windows 365 Cloud PCs
+    - name: Windows 365 Cloud PCs
-     href: /windows-365/overview
+      href: /windows-365/overview
-   - name: Azure Virtual Desktop
+    - name: Azure Virtual Desktop
-     href: /azure/virtual-desktop/
+      href: /azure/virtual-desktop/
 - name: Security foundations
  items:
    - name: Overview
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@ -1,7 +1,7 @@
 ---
 title: Local Accounts
 description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
-ms.date: 22/11/2022
+ms.date: 11/22/2022
 ms.collection: 
  - highpri
 ms.topic: article
@ -222,7 +222,7 @@ Each of these approaches is described in the following sections.
 ### <a href="" id="sec-enforce-account-restrictions"></a>Enforce local account restrictions for remote access
-The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.
+User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
 UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
@ -254,70 +254,49 @@ The following table shows the Group Policy and registry settings that are used t
 #### To enforce local account restrictions for remote access
-1.  Start the **Group Policy Management** Console (GPMC).
+1. Start the **Group Policy Management** Console (GPMC)
 1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
 1. In the console tree, right-click **Group Policy Objects > New**
  :::image type="content" source="images/localaccounts-proc1-sample1.png" alt-text="local accounts":::
 1. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
  :::image type="content" source="images/localaccounts-proc1-sample2.png" alt-text="local accounts":::
 1. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**
  :::image type="content" source="images/localaccounts-proc1-sample3.png" alt-text="local accounts":::
 1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
-2.  In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
+  - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and &gt; **Security Options**
  - Double-click **User Account Control: Run all administrators in Admin Approval Mode** &gt; **Enabled** &gt; **OK**
  - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** &gt; **Enabled** &gt; **OK**
-3.  In the console tree, right-click **Group Policy Objects**, and &gt; **New**.
+1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
-  ![local accounts 1.](images/localaccounts-proc1-sample1.png)
+  - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
  - Right-click **Registry**, and &gt; **New** &gt; **Registry Item**
-4.  In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
+  :::image type="content" source="images/localaccounts-proc1-sample4.png" alt-text="local accounts":::
-  ![local accounts 2.](images/localaccounts-proc1-sample2.png)
+  - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
  - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
  - Select (**…**), browse to the following location for **Key Path** &gt; **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
  - In the **Value name** area, type `LocalAccountTokenFilterPolicy`
  - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
  - In the **Value data** box, ensure that the value is set to **0**
  - Verify this configuration, and &gt; **OK**
-5.  In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**.
+  :::image type="content" source="images/localaccounts-proc1-sample5.png" alt-text="local accounts":::
-  ![local accounts 3.](images/localaccounts-proc1-sample3.png)
+1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
-6.  Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
+  - Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
  - Right-click the **Workstations > Link an existing GPO**
-  1.  Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and &gt; **Security Options**.
+  :::image type="content" source="images/localaccounts-proc1-sample6.png" alt-text="local accounts":::
-  2.  Double-click **User Account Control: Run all administrators in Admin Approval Mode** &gt; **Enabled** &gt; **OK**.
+  - Select the GPO that you created, and &gt; **OK**
  3.  Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** &gt; **Enabled** &gt; **OK**.
 7.  Ensure that the local account restrictions are applied to network interfaces by following these steps:
  1.  Navigate to Computer Configuration\\Preferences and Windows Settings, and &gt; **Registry**.
  2.  Right-click **Registry**, and &gt; **New** &gt; **Registry Item**.
    ![local accounts 4.](images/localaccounts-proc1-sample4.png)
  3.  In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
  4.  Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**.
  5.  Select (**…**), browse to the following location for **Key Path** &gt; **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.
  6.  In the **Value name** area, type **LocalAccountTokenFilterPolicy**.
  7.  In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value.
  8.  In the **Value data** box, ensure that the value is set to **0**.
  9.  Verify this configuration, and &gt; **OK**.
    ![local accounts 5.](images/localaccounts-proc1-sample5.png)
 8.  Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
  1.  Navigate to the &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;\\OU path.
  2.  Right-click the **Workstations** OU, and &gt; **Link an existing GPO**.
    ![local accounts 6.](images/localaccounts-proc1-sample6.png)
  3.  Select the GPO that you created, and &gt; **OK**.
 9.  Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
 10. Create links to all other OUs that contain workstations.
 11. Create links to all other OUs that contain servers.
 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
 1. Create links to all other OUs that contain workstations
 1. Create links to all other OUs that contain servers
 ### <a href="" id="sec-deny-network-logon"></a>Deny network logon to all local Administrator accounts
 Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.
@ -325,8 +304,6 @@ Denying local accounts the ability to perform network logons can help prevent a
 > [!NOTE]
 > To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
 The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.
 |No.|Setting|Detailed Description|
@ -341,12 +318,16 @@ The following table shows the Group Policy settings that are used to deny networ
 #### To deny network logon to all local administrator accounts
 1. Start the **Group Policy Management** Console (GPMC)
-1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
+1. In the console tree, expand &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
-1. In the console tree, right-click **Group Policy Objects**, and &gt; **New**.
+1. In the console tree, right-click **Group Policy Objects**, and &gt; **New**
 1. In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and then &gt; **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
  ![local accounts 7.](images/localaccounts-proc2-sample1.png)
 1. In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**
  ![local accounts 8.](images/localaccounts-proc2-sample2.png)
 1. Configure the user rights to deny network logons for administrative local accounts as follows:
 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and &gt; **User Rights Assignment**
 1. Double-click **Deny access to this computer from the network**
@ -356,15 +337,17 @@ The following table shows the Group Policy settings that are used to deny networ
 1. Double-click **Deny log on through Remote Desktop Services**
 1. Select **Add User or Group**, type **Local account and member of Administrators group**, and &gt; **OK**
 1. Link the GPO to the first **Workstations** OU as follows:
  - Navigate to the &lt;*Forest*&gt;\\Domains\\&lt;*Domain*&gt;\\OU path
  - Right-click the **Workstations** OU, and &gt; **Link an existing GPO**
  - Select the GPO that you created, and &gt; **OK**
 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
 1. Create links to all other OUs that contain workstations.
 1. Create links to all other OUs that contain servers.
-  > [!NOTE]
+1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
-  > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
+1. Create links to all other OUs that contain workstations
 1. Create links to all other OUs that contain servers
 > [!NOTE]
 > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
 ### Create unique passwords for local accounts with administrative rights