Configuring Active Directory Tiered Model

Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory

What Is This

The "Configuring Active Directory Tiered Model" skill focuses on implementing Microsoft’s Enhanced Security Admin Environment (ESAE) tiered administration model within Active Directory (AD). This model is designed to create distinct security boundaries by separating administrative tasks and accounts into hierarchical tiers (Tier 0, Tier 1, and Tier 2). The skill covers core ESAE concepts such as tier separation, privileged access workstations (PAWs), administrative forest design, authentication policy silos, and credential theft mitigation. The objective is to reduce the risk of privilege escalation and to protect high-value assets by enforcing strict controls over administrative access and workflows.

Why Use It

Traditional Active Directory environments often suffer from flat administrative structures where a single compromised credential can lead to the compromise of the entire domain. The ESAE tiered model addresses this risk by segmenting administrative rights and machines into clear boundaries:

  • Tier 0 contains the most privileged accounts and assets (e.g., domain controllers, AD schema admins)
  • Tier 1 includes servers and applications (e.g., file servers, application servers)
  • Tier 2 covers user workstations and less privileged assets

By implementing this model, organizations can:

  • Limit the lateral movement of attackers by restricting where credentials can be used
  • Enhance compliance with frameworks such as NIST CSF (notably PR.AA-01, PR.AA-02, PR.AA-05, PR.AA-06)
  • Reduce the attack surface and minimize the impact of compromised accounts
  • Achieve a more robust and auditable security posture

How to Use It

The implementation of the Active Directory tiered model involves several key steps:

1. Define and Document Tiers

Start by mapping out your environment:

  • Tier 0: Domain controllers, AD forest and domain admins, PKI infrastructure, and other critical identity infrastructure
  • Tier 1: Servers and services managed by IT operations (excluding Tier 0 assets)
  • Tier 2: End-user devices such as workstations and laptops

Document which accounts, groups, devices, and services belong to each tier.

2. Segregate Administrative Accounts

Each administrator must have separate credentials per tier. For instance, an administrator will have:

  • A Tier 0 account (for domain controllers)
  • A Tier 1 account (for managing servers)
  • A Tier 2 account (for helpdesk or workstation support)

Example PowerShell script to create tiered admin accounts:

# Example: create a Tier 0 admin account in the Tier 0 OU. The password is
# prompted for as a SecureString rather than embedded in the script.
New-ADUser -Name "Admin0.JSmith" -SamAccountName "Admin0.JSmith" -Path "OU=Tier0Admins,DC=contoso,DC=com" -AccountPassword (Read-Host -AsSecureString -Prompt "Tier 0 admin password") -Enabled $true

3. Restrict Account Usage by Tier

Accounts from a higher tier should never be used to log into systems of a lower tier. Enforce this using Group Policy Objects (GPOs) and restricted admin workstations.

Example: GPO to deny logon for Tier 0 accounts on Tier 1/2 assets

  • Create a security group for Tier 0 admins
  • In the GPO for Tier 1/2 devices, set the "Deny log on locally" and "Deny log on through Remote Desktop Services" policies to include the Tier 0 admin group
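A check for the GPO step above, added here and not part of the original page: run on a Tier 1/2 host, it exports the effective user-rights assignments and confirms that both deny rights actually include the Tier 0 admin group. It assumes the group is named "Tier0Admins", that the RSAT ActiveDirectory module is installed on the host, and that it runs elevated after a `gpupdate /force`.

```powershell
# Added check (not part of the original page): confirm on a Tier 1/2 host that the
# effective policy denies interactive and RDP logon to the Tier 0 admin group.
# Assumed: group "Tier0Admins", RSAT ActiveDirectory module present, elevated shell.
param([string]$Tier0Group = "Tier0Admins")

# Compare by SID: secedit exports user rights as *S-1-5-21-... entries
$tier0Sid = (Get-ADGroup -Identity $Tier0Group).SID.Value

$export = Join-Path $env:TEMP "userrights-check.inf"
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $export -Encoding Unicode   # secedit writes UTF-16
Remove-Item -Path $export -Force

# The two rights the GPO step sets; each exported line looks like
#   SeDenyInteractiveLogonRight = *S-1-5-21-...-1107,*S-1-5-32-546
$required = @{
    SeDenyInteractiveLogonRight       = "Deny log on locally"
    SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
}

$failed = $false
foreach ($right in $required.Keys) {
    $line = $policy | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = ($line -split "=", 2)[1] -split "," | ForEach-Object { $_.Trim().TrimStart("*") }
    }
    if ($sids -contains $tier0Sid) {
        Write-Output "OK       $($required[$right]) denies $Tier0Group"
    } else {
        Write-Warning "MISSING  $($required[$right]) does not deny $Tier0Group; Tier 0 credentials can still be used on this host"
        $failed = $true
    }
}
if ($failed) { exit 1 }
```

A non-zero exit code lets the check run from a scheduled task or configuration pipeline so that drift on any Tier 1/2 host is caught, not just at rollout.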

4. Deploy Privileged Access Workstations (PAWs)

PAWs are hardened systems dedicated exclusively to privileged operations. Tier 0 admins should only use PAWs for managing Tier 0 assets.

  • Deploy Windows 10/11 with security baselines applied
  • Remove unnecessary software and access to internet/email

Example: Assigning PAWs to Tier 0 admins using Active Directory:

# Make the Tier 0 admin a member of the group that is permitted to sign in to Tier 0 PAWs
Add-ADGroupMember -Identity "Tier0PAWUsers" -Members "Admin0.JSmith"

5. Implement Authentication Policy Silos

Authentication policy silos restrict which accounts can sign in to which computers, further enforcing tier separation.

Example PowerShell snippet:

# Create an authentication policy silo for Tier 0, then grant and assign membership (both steps are required)
New-ADAuthenticationPolicySilo -Name "Tier0Silo" -Enforce
$accounts = @(Get-ADUser "Admin0.JSmith") + @("DC01","DC02" | ForEach-Object { Get-ADComputer $_ })
$accounts | ForEach-Object { Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0Silo" -Account $_; Set-ADAccountAuthenticationPolicySilo -Identity $_ -AuthenticationPolicySilo "Tier0Silo" }
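A silo on its own is only a claim carried by its member accounts; the restriction is applied by an authentication policy bound to the silo. The following is an added example, not the page's own code, that creates such a policy and binds it to the Tier0Silo created above. It assumes the silo already exists, names the policy "Tier0Policy", and requires a Windows Server 2012 R2 domain functional level with the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled on the domain controllers.

```powershell
# Added example (not the page's own code): bind the Tier 0 silo to an authentication
# policy so the KDC only accepts Tier 0 user authentication from Tier 0 devices.
# Assumed names: silo "Tier0Silo" (already created), policy "Tier0Policy".

# SDDL condition: user authentication is accepted only from devices whose own
# AuthenticationSilo claim is Tier0Silo. Single quotes keep the inner quotes literal.
$onlyFromTier0 = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0Silo"))'

# Omit -Enforce on first deployment to run in audit-only mode (policy failures are
# logged but not blocked); add it once the logs show no legitimate Tier 0 work breaking.
# A 240-minute TGT lifetime limits how long a stolen Tier 0 ticket stays usable.
New-ADAuthenticationPolicy -Name "Tier0Policy" `
    -UserAllowedToAuthenticateFrom $onlyFromTier0 `
    -UserTGTLifetimeMins 240 `
    -Enforce

# Apply the policy to the silo's user, computer and service-account members
Set-ADAuthenticationPolicySilo -Identity "Tier0Silo" `
    -UserAuthenticationPolicy "Tier0Policy" `
    -ComputerAuthenticationPolicy "Tier0Policy" `
    -ServiceAuthenticationPolicy "Tier0Policy" `
    -Enforce:$true

# Verify the binding and confirm the admin account carries the silo claim
Get-ADAuthenticationPolicySilo -Identity "Tier0Silo" -Properties Members |
    Select-Object Name, Enforce, UserAuthenticationPolicy, Members
Get-ADUser -Identity "Admin0.JSmith" -Properties AuthenticationPolicySilo |
    Select-Object SamAccountName, AuthenticationPolicySilo
```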

6. Monitor and Audit

Enable auditing for logon events, account usage, and policy changes. Use Security Information and Event Management (SIEM) tools for continuous monitoring.

# Enable success and failure auditing for the Logon/Logoff category, then confirm the setting
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"
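Once logon auditing is on, the events can be checked for tier violations directly. The script below is an added example, not the page's own code: run on a Tier 1 server, it reads successful logon events (4624) and reports any by members of the Tier 0 admin group, marking the logon types that leave reusable credentials on the host. It assumes the group is named "Tier0Admins", that the RSAT ActiveDirectory module is available, and an elevated shell; the same logic translates directly into a SIEM rule.

```powershell
# Added example (not part of the original page): detection logic for the monitoring
# step. Flags successful logons (event 4624) on this host by Tier 0 admin accounts.
# Assumed: group "Tier0Admins", RSAT ActiveDirectory module present, elevated shell.
param(
    [string]$Tier0Group = "Tier0Admins",
    [int]$LookbackHours = 24
)

# Match on SID so renamed accounts are still caught; nested groups are expanded
$tier0Sids = Get-ADGroupMember -Identity $Tier0Group -Recursive | ForEach-Object { $_.SID.Value }

# Logon types that leave a reusable credential or token on this host
# (network logon, type 3, does not, but is still a tier-boundary violation)
$credentialExposing = @{ 2 = "Interactive"; 4 = "Batch"; 5 = "Service"; 10 = "RemoteInteractive"; 11 = "CachedInteractive" }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = "Security"
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$violations = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($tier0Sids -notcontains $d.TargetUserSid) { continue }
    $type = [int]$d.LogonType
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $type
        CredExposed = $credentialExposing.ContainsKey($type)
        Source      = $d.IpAddress
        Process     = $d.ProcessName
    }
}

if ($violations) {
    Write-Warning "$(@($violations).Count) Tier 0 logon(s) on $env:COMPUTERNAME in the last $LookbackHours h"
    $violations | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No Tier 0 logons on $env:COMPUTERNAME in the last $LookbackHours h"
}
```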

7. Administrative Forest Design (Optional)

For environments requiring the highest security, consider deploying an administrative forest dedicated to Tier 0 operations.

When to Use It

Apply this skill when:

  • Deploying or redesigning Active Directory to align with modern security best practices
  • Responding to audit or compliance requirements for privileged access management
  • Conducting risk assessments or penetration tests that reveal excessive privilege or flat admin structures
  • Preparing for zero trust initiatives or advanced threat protection deployments

Important Notes

  • Always begin implementation in a test or lab environment to validate configurations before production deployment
  • Ensure all staff understand the operational changes and provide training on the new tiered model workflows
  • Regularly review and update tier assignments as business needs and infrastructure evolve
  • Properly maintain and secure PAWs to prevent them from becoming attack vectors
  • The success of the ESAE model depends on strict adherence to separation principles and ongoing monitoring

By mastering the configuration of the Active Directory tiered model, organizations can dramatically increase the resilience of their identity infrastructure against advanced threats and credential theft.