diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index ae3cbe8e26..f4a2c31d2b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -94,15 +94,11 @@ In comparison, on the Windows client operating system, a user with a local user In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). -**Note**   -Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic. - - - -**Important**   -Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. - - +> [!IMPORTANT] +> +> - Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic. +> +> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. ### Guest account 
@@ -141,11 +137,11 @@ For details about the HelpAssistant account attributes, see the following table. |Attribute|Value| |--- |--- | -|Well-Known SID/RID|S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)| +|Well-Known SID/RID|`S-1-5--13 (Terminal Server User), S-1-5--14 (Remote Interactive Logon)`| |Type|User| -|Default container|CN=Users, DC=<domain>, DC=| +|Default container|`CN=Users, DC=, DC=`| |Default members|None| -|Default member of|Domain Guests<p>Guests| +|Default member of|Domain Guests

Guests| |Protected by ADMINSDHOLDER?|No| |Safe to move out of default container?|Can be moved out, but we do not recommend it.| |Safe to delegate management of this group to non-Service admins?|No| @@ -195,8 +191,8 @@ The SYSTEM account is used by the operating system and by services that run unde On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. -**Note**   -To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. +> [!NOTE] +> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. ### NETWORK SERVICE The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). 
@@ -213,8 +209,8 @@ You can use Local Users and Groups to assign rights and permissions on the local You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network. -**Note**   -You use Active Directory Users and Computers to manage users and groups in Active Directory. +> [!NOTE] +> You use Active Directory Users and Computers to manage users and groups in Active Directory. You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies. @@ -234,8 +230,8 @@ The other approaches that can be used to restrict and protect user accounts with Each of these approaches is described in the following sections. -**Note**   -These approaches do not apply if all administrative local accounts are disabled. +> [!NOTE] +> These approaches do not apply if all administrative local accounts are disabled. @@ -266,11 +262,11 @@ The following table shows the Group Policy and registry settings that are used t ||Registry value type|DWORD| ||Registry value data|0| ->[!NOTE] ->You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. +> [!NOTE] +> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. -**To enforce local account restrictions for remote access** +#### To enforce local account restrictions for remote access 1. Start the **Group Policy Management** Console (GPMC). 
@@ -340,8 +336,8 @@ The following table shows the Group Policy and registry settings that are used t Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials. -**Note**   -In order to perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group. +> [!NOTE] +> To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group. @@ -356,7 +352,7 @@ The following table shows the Group Policy settings that are used to deny networ ||Policy name|[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)| ||Policy setting|Local account and member of Administrators group| -**To deny network logon to all local administrator accounts** +#### To deny network logon to all local administrator accounts 1. Start the **Group Policy Management** Console (GPMC). 
@@ -402,8 +398,8 @@ The following table shows the Group Policy settings that are used to deny networ 11. Create links to all other OUs that contain servers. - **Note**   - You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. + > [!NOTE] + > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. ### Create unique passwords for local accounts with administrative rights @@ -429,4 +425,4 @@ The following resources provide additional information about technologies that a - [Security Identifiers](security-identifiers.md) -- [Access Control Overview](access-control.md) \ No newline at end of file +- [Access Control Overview](access-control.md)
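Review bot: in the first hunk (@@ -94,15 +94,11 @@), folding the blank-password Note and the safe-mode Important into one [!IMPORTANT] block gives both statements the same severity, although only the second is the security caveat that matters (a disabled Administrator account is automatically re-enabled in safe mode and the Recovery Console). If the distinction was intentional, keep the blank-password line as a [!NOTE] and reserve [!IMPORTANT] for the safe-mode bullet; if the merge is wanted, verify that the bare `>` lines between the two bullets render as one list inside the alert rather than as separate quoted paragraphs.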
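Review bot: the table hunk (@@ -141,11 +137,11 @@) loses the `<domain>` placeholder: `S-1-5-<domain>-13` becomes `S-1-5--13` and `CN=Users, DC=<domain>, DC=` becomes `CN=Users, DC=, DC=`, so a reader who copies the cell gets a malformed SID and a malformed distinguished name. Wrapping the value in backticks is presumably meant to stop `<domain>` being parsed as an HTML tag, so keep the placeholder inside the code span, for example `` `S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)` `` and `` `CN=Users, DC=<domain>, DC=` ``. In the same hunk, replacing `Domain Guests<p>Guests` with a literal line break splits the "Default member of" cell across two lines, which terminates the markdown table row; use `<br>` or write "Domain Guests, Guests" on one line instead.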
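Review bot: in the SYSTEM account hunk (@@ -195,8 +191,8 @@) the sentence "To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account" is hard to parse and is being rewritten anyway; suggest "Granting file permissions to the Administrators group does not implicitly grant them to the SYSTEM account." The [!NOTE] conversion itself is fine.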
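Review bot: the hunk at @@ -266,11 +262,11 @@ promotes the bold procedure title "To enforce local account restrictions for remote access" to a `####` heading, which creates a new heading anchor and changes the table of contents; check for links that target the old bold text and confirm the level sits under the section's `###` parent so the structure stays consistent with the other procedure headings promoted later in this patch.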
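Review bot: the reworded note in the hunk at @@ -340,8 +336,8 @@ tells the reader to first identify the local default Administrator account, whose name "might not be the default user name 'Administrator'", but does not say how; since the document already lists accounts by well-known SID/RID, a short pointer to identifying the account by its well-known RID rather than by display name would make the prerequisite actionable and prevent the deny-logon policy from silently missing a renamed account.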
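Review bot: in the hunk at @@ -402,8 +398,8 @@ the converted [!NOTE] is nested under numbered step 11, so both the `> [!NOTE]` line and the `> You might have to create a separate GPO ...` line must be indented to the step's content column (four spaces after `11. `); with shallower indentation the blockquote ends the list and the note renders detached from step 11. Worth checking in a preview.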