Reading Time: 6 minutes

Last week I watched a junior admin reset a domain admin password from his regular workstation. The same machine he uses to check email, click sketchy DocuSign links, and play Solitaire on lunch. I didnt yell. I just stared at the screen, took a breath, and decided to build a tiered AD model before someone hands the whole domain to a phishing email.

If your AD is flat, this one’s for you. If your domain admins log into print servers, also you. And if you’ve got one giant Admins group that does everything, oh boy, especially you. Here’s the whole thing, tier by tier, and it stops the bleeding.

What a tiered AD model actually is

Microsoft’s tier model splits your admin identities into three trust levels based on what they control. The whole point is containment. An attacker who owns a workstation should never be able to climb from there up to your domain controllers.

  • Tier 0 is the identity control plane. Domain controllers, AD CS, AD FS, Entra Connect, and the accounts that run them.
  • Tier 1 is every other server. File servers, SQL, Exchange, your line-of-business apps.
  • Tier 2 is workstations and the people who support them. Help desk, desktop support, end-user devices.
Diagram comparing the scope of control for Tier 0, Tier 1, and Tier 2 administrators
The three tiers and what each one controls. Source: Microsoft Learn.

The rule that makes it work is simple. Credentials never move down. A Tier 0 account never signs into a Tier 1 or Tier 2 box. A Tier 1 account never touches a workstation. Break that rule once and the whole model falls over.

The OU structure

Start with three top-level OUs, one per tier. Under each, split admin accounts, groups, and the machines that belong to that tier.

  • Tier 0 holds your domain controllers, Tier 0 admin accounts, and Tier 0 groups.
  • Tier 1 holds member servers, server admin accounts, and server admin groups.
  • Tier 2 holds workstations, help desk accounts, and workstation admin groups.

Your regular user accounts and department OUs sit off to the side in their own structure. Those are just people doing their jobs, not admins of anything.

The security groups

Every tier gets its own security group. Prefix them so nobody has to guess what they do. I use sg- for security group, then the tier, then the role.

  • sg-Tier0-Admins, full control over AD and domain controllers
  • sg-Tier1-ServerAdmins, local admin on member servers
  • sg-Tier2-WorkstationAdmins, local admin on workstations
  • sg-Tier2-HelpDesk, workstation support plus delegated password reset

Those groups get pushed to the local Administrators group on the right machines through Group Policy or Restricted Groups. A member server trusts sg-Tier1-ServerAdmins and nothing else. A workstation trusts sg-Tier2-WorkstationAdmins. Domain controllers trust only Tier 0.

Roles and how many accounts each person carries

This is where people groan, because it means carrying more than one login. Good. That groan is the sound of security working. Here’s how the accounts break down by role.

The System Administrator: four accounts

Your full-stack sysadmin touches everything, so they need a foot in every tier plus a normal life.

  • A normal account for email, Teams, and daily work
  • t0-jsmith in sg-Tier0-Admins for domain controller work
  • t1-jsmith in sg-Tier1-ServerAdmins for servers
  • t2-jsmith in sg-Tier2-WorkstationAdmins for workstations

Four accounts, four scopes. The domain admin credential never rides along on the same machine where they read email.

The Server Admin: three accounts

Your server team doesnt need the keys to Active Directory. They manage servers and the workstations they sometimes sit at.

  • A normal account for daily work
  • t1-account in sg-Tier1-ServerAdmins for servers
  • t2-account in sg-Tier2-WorkstationAdmins for workstations

Notice the missing Tier 0 account. That’s on purpose. A server admin who gets phished cant hand an attacker the domain, because that person was never holding it.

The Help Desk: two accounts and a delegation

Help desk lives in Tier 2. They fix laptops and reset passwords, nothing deeper.

  • A normal account for daily work
  • t2-account in sg-Tier2-HelpDesk for workstation support

The password reset piece isnt a tier privilege. It’s a delegation. In Active Directory Users and Computers, right-click each department’s user OU, choose Delegate Control, add sg-Tier2-HelpDesk, and grant “Reset user passwords and force password change at next logon.” Scope it to the department OUs they actually support, not the whole domain. Help desk can unlock the sales team without ever seeing a server.

The part that makes it real: cross-tier logon deny GPOs

Groups without GPOs are just labels on a whiteboard. The enforcement comes from Group Policy denying higher-tier accounts the right to log into lower-tier machines. Without this step, nothing actually stops a Tier 0 account from signing into a workstation.

You build three deny policies, each linked to the OU one tier down. Every policy sets these User Rights Assignments under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies:

  • Deny log on locally
  • Deny log on through Remote Desktop Services
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny access to this computer from the network

Link the first policy to your Tier 1 and Tier 2 OUs, denying the Tier 0 groups. Link the second to Tier 2, denying Tier 1 groups. The result is a one-way street. Credentials flow up when you deliberately elevate, never down by accident.

One warning. Test these against a pilot OU before you link them broadly. A deny right applied to the wrong group can lock real admins out of real machines, and that’s a bad afternoon.

Why this setup is worth the extra logins

Attackers rarely land on a domain controller first. They land on a workstation, through a phished user or a bad download. From there they hunt for credentials sitting in memory, then hop machine to machine until they find a domain admin token. Security folks call this lateral movement, and it’s how most ransomware actually spreads.

Diagram of the cyber attack kill chain: infiltration, reconnaissance, lateral movement, persistence, data access, and exfiltration
The kill chain the tier model is built to break. Source: Microsoft Learn.

Build a tiered AD model and you cut that chain. If a Tier 0 credential never touches a workstation, then owning the workstation gets an attacker nothing but the workstation. The domain admin token they were hunting for simply isnt there to steal. You shrink the blast radius of every single compromise.

The other half of this is the clean keyboard. Microsoft calls them privileged access workstations, PAWs. The idea is that Tier 0 work happens from a hardened machine that never browses the web or reads email. Trust starts at the physical keyboard you sign in from, not the server you’re reaching for.

Diagram of six supported access paths from a privileged access workstation to a Tier 0 server
Supported paths from a clean PAW up to a Tier 0 server. Source: Microsoft Learn.

Putting it together

Three tiers, three OUs, four sg- groups, and three deny-logon GPOs. Give your system admin four accounts, your server admins three, and your help desk two plus a scoped password reset delegation. Test the deny rights on a pilot before you go wide. That’s the whole model, and it turns a single compromised laptop from a company-ending event into a Tuesday.

What can we learn as a person

The thing that stuck with me building this is that the whole model runs on one boundary. Credentials dont move down. That’s it. Everything else is just enforcement of that one line.

I think about how much of my own stress used to come from having no tiers at all. Work stress logged straight into my home life. A bad day with one friend leaked into how I treated my kids. One compromised area, and the attacker moved laterally through everything I had, because I never denied the logon. I was one giant Admins group that did everything, and every problem had domain rights over my whole self.

Tiering my life didnt mean caring less. It meant the hard server day stays on the server, and doesnt get to sign into the parts of me that were supposed to be off-limits. So what in your life is running flat right now? And where do you need a deny-logon rule so one bad thing stops taking down all the others?

Further reading