basic stuff

Scheduled Task/Job
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
----------------------------------------------

Deny network logon to all local Administrator accounts
Note: To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.

The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.

No.  Setting          Detailed Description
1    Policy location  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
     Policy name      Deny access to this computer from the network
     Policy setting   Local account and member of Administrators group
2    Policy location  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
     Policy name      Deny log on through Remote Desktop Services
     Policy setting   Local account and member of Administrators group

To deny network logon to all local administrator accounts:
1. Start the Group Policy Management Console (GPMC)
2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects, where forest is the name of the forest, and domain is the name of the domain where you want to set the Group Policy Object (GPO)
3. In the console tree, right-click Group Policy Objects, and > New
4. In the New GPO dialog box, type <gpo_name>, and then > OK, where gpo_name is the name of the new GPO and indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
5. In the details pane, right-click <gpo_name>, and > Edit
6. Configure the user rights to deny network logons for administrative local accounts as follows:
7. Navigate to Computer Configuration\Windows Settings\Security Settings\, and > User Rights Assignment
8. Double-click Deny access to this computer from the network
9. Select Add User or Group, type Local account and member of Administrators group, and > OK
10. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
11. Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then select User Rights Assignment
12. Double-click Deny log on through Remote Desktop Services
13. Select Add User or Group, type Local account and member of Administrators group, and > OK
14. Link the GPO to the first Workstations OU as follows:
    * Navigate to the <Forest>\Domains\<Domain>\OU path
    * Right-click the Workstations OU, and > Link an existing GPO
    * Select the GPO that you created, and > OK
15. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
16. Create links to all other OUs that contain workstations
17. Create links to all other OUs that contain servers

To establish the recommended configuration via GP, set the following UI path to include Guests, Local account:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services
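
Added example (not part of the original page): a PowerShell check that the two deny rights from the table above contain the expected SID, run here against a constructed sample of a secedit export. It assumes the well-known SIDs S-1-5-114 (Local account and member of Administrators group), S-1-5-113 (Local account) and S-1-5-32-546 (Guests); the function names are hypothetical.

```powershell
# Constructed sample of the [Privilege Rights] section of a secedit export (not from a real host).
# On a live host, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas USER_RIGHTS
# then pass (Get-Content "$env:TEMP\secpol.inf") instead of $sample.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

# Rights set by the GPO above, and the SID each must contain.
# To check the "Guests, Local account" recommendation instead, use
# 'S-1-5-32-546' and 'S-1-5-113' for SeDenyRemoteInteractiveLogonRight.
$required = @{
    SeDenyNetworkLogonRight           = @('S-1-5-114')  # Deny access to this computer from the network
    SeDenyRemoteInteractiveLogonRight = @('S-1-5-114')  # Deny log on through Remote Desktop Services
}

function Get-PrivilegeRights {
    param([string[]]$InfLines)
    # Parse "Right = *SID,*SID,name" lines inside [Privilege Rights] only.
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-DenyRights {
    param([hashtable]$Rights, [hashtable]$Required)
    foreach ($right in $Required.Keys) {
        $assigned = @($Rights[$right])   # a right absent from the export has no assignees
        foreach ($sid in $Required[$right]) {
            [pscustomobject]@{ Right = $right; Sid = $sid; Compliant = ($assigned -contains $sid) }
        }
    }
}

Test-DenyRights -Rights (Get-PrivilegeRights $sample) -Required $required | Format-Table -AutoSize
```

A right reported as non-compliant on a linked workstation usually means the GPO has not applied yet or a higher-precedence GPO overwrites the same user right.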
---------------------------------------------------