Introduction to Active Directory Tiered Administration
The Active Directory Tiered Administration Model is a security architecture published by Microsoft that segregates administrative accounts into three tiers to contain the spread of compromised credentials. The fundamental insight is that a compromised workstation admin account should never be able to escalate to domain controller access, and the model enforces this through a combination of OU structure, Group Policy, Protected Users security group, and Authentication Policies. Windows Server 2019 provides all the native mechanisms to implement the full model.
The Three Tiers Defined
Tier 0 is the most privileged layer and contains objects that control all other identity: domain controllers, Azure AD Connect servers, AD FS servers, ADCS servers, privileged access workstations used by Tier 0 admins, and the administrative accounts to manage them. Tier 1 contains servers and applications: member servers, enterprise applications, database servers, and the admin accounts that manage them. Tier 2 contains user workstations and the helpdesk accounts that manage them. No account from a lower tier should be able to authenticate to a higher tier, and no admin should perform their daily user tasks from a privileged account.
Step 1: Design the OU Structure
# Create the Admin OU structure. Parents must exist before children, so the
# top-level OU is created first, then each tier, then the per-tier sub-OUs.
$base = 'DC=corp,DC=local'
New-ADOrganizationalUnit -Name 'Admin' -Path $base -ProtectedFromAccidentalDeletion $true
foreach ($tier in @('Tier 0', 'Tier 1', 'Tier 2')) {
    New-ADOrganizationalUnit -Name $tier -Path "OU=Admin,$base" -ProtectedFromAccidentalDeletion $true
    # Accounts, Groups and PAW sub-OUs for each tier
    foreach ($child in @('Accounts', 'Groups', 'PAW')) {
        New-ADOrganizationalUnit -Name $child -Path "OU=$tier,OU=Admin,$base" -ProtectedFromAccidentalDeletion $true
    }
}
Step 2: Create Tiered Administrative Accounts
Each administrator needs separate accounts per tier. A domain admin’s daily user account (for email and browsing) is a standard Tier 2 account. Their server management account is Tier 1. Their DC management account is Tier 0. These accounts should never share passwords.
# Create a Tier 0 admin account for a domain admin.
# Passwords are prompted rather than embedded in the script, and the UPN suffix is
# read from the domain so the UPN matches the SamAccountName.
$upnSuffix = (Get-ADDomain).DNSRoot
$t0Pass = Read-Host -Prompt 'Password for adm-t0-jsmith' -AsSecureString
New-ADUser -SamAccountName 'adm-t0-jsmith' `
    -UserPrincipalName "adm-t0-jsmith@$upnSuffix" `
    -Name 'T0-JSmith Admin' `
    -GivenName 'John' -Surname 'Smith T0' `
    -AccountPassword $t0Pass `
    -PasswordNeverExpires $false `
    -ChangePasswordAtLogon $false `
    -Enabled $true `
    -Path 'OU=Accounts,OU=Tier 0,OU=Admin,DC=corp,DC=local' `
    -Description 'Tier 0 admin account for jsmith - DC and PKI management only'

# Create a Tier 1 admin account
$t1Pass = Read-Host -Prompt 'Password for adm-t1-jsmith' -AsSecureString
New-ADUser -SamAccountName 'adm-t1-jsmith' `
    -UserPrincipalName "adm-t1-jsmith@$upnSuffix" `
    -Name 'T1-JSmith Admin' `
    -AccountPassword $t1Pass `
    -Enabled $true `
    -Path 'OU=Accounts,OU=Tier 1,OU=Admin,DC=corp,DC=local' `
    -Description 'Tier 1 admin account for jsmith - member server management only'

# Add the T0 account to Domain Admins (Tier 0 only; the T1 account never joins a Tier 0 group)
Add-ADGroupMember -Identity 'Domain Admins' -Members 'adm-t0-jsmith'
Step 3: Add Tier 0 Accounts to Protected Users Group
The Protected Users security group enforces a set of authentication protections for its members: NTLM, CredSSP and WDigest authentication are refused, Kerberos is restricted to AES encryption, and ticket lifetimes are shortened. All Tier 0 accounts must be members:
# Add Tier 0 admin accounts to Protected Users.
# Never add service or computer accounts; the protections apply from the account's next logon.
Add-ADGroupMember -Identity 'Protected Users' -Members 'adm-t0-jsmith', 'adm-t0-mwilson'

# Verify Protected Users membership
Get-ADGroupMember -Identity 'Protected Users' | Select-Object Name, SamAccountName

# Protected Users effects:
# - Cannot use NTLM (Kerberos only)
# - No Kerberos DES or RC4 encryption (AES only)
# - No CredSSP or WDigest credential caching
# - TGT lifetime limited to 4 hours (cannot be renewed past 4 hours)
# - No delegation (cannot be configured for Kerberos delegation)

# Verify Kerberos AES is enabled on all DCs.
# msDS-SupportedEncryptionTypes is a bitmask: 0x8 = AES128, 0x10 = AES256
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADComputer -Identity $_.ComputerObjectDN -Properties msDS-SupportedEncryptionTypes |
        Select-Object Name, 'msDS-SupportedEncryptionTypes'
}
Step 4: Authentication Policies to Enforce Tier Boundaries
Authentication Policies (which require the Windows Server 2012 R2 domain functional level) control from which computers a user can sign in, implementing the tier boundary at the Kerberos level:
# Authentication Policies and Silos require the Windows Server 2012 R2+ domain functional
# level, and they only take effect once Kerberos armoring (FAST) is enabled on DCs and clients via GPO.
Get-ADDomain | Select-Object DomainMode

# Create the Authentication Policy for Tier 0 users first; the silo references it by name.
# Condition: a Tier 0 user may obtain a TGT only from a device that is itself a member of Tier0Silo
# (the PAWs). AllowedToAuthenticateFrom is evaluated against the device account, which is why the
# condition reads @USER.ad://ext/AuthenticationSilo.
New-ADAuthenticationPolicy -Name 'Tier0UserPolicy' `
    -Description 'Tier 0 users can only log on from Tier 0 PAW computers' `
    -UserAllowedToAuthenticateFrom 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0Silo"))' `
    -Enforce $true

# Create the Authentication Policy Silo for Tier 0 and attach the user policy
# (computer and service policies can be attached the same way once they exist)
New-ADAuthenticationPolicySilo -Name 'Tier0Silo' `
    -Description 'Restricts Tier 0 accounts to PAW computers only' `
    -UserAuthenticationPolicy 'Tier0UserPolicy' `
    -Enforce $true

# Assign Tier 0 accounts to the silo: grant access first, then set the silo on the object
Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0Silo' -Account 'adm-t0-jsmith'
Set-ADUser -Identity 'adm-t0-jsmith' -AuthenticationPolicySilo 'Tier0Silo'

# Assign PAW computers to the silo; a PAW must be in the silo for the device condition above to hold
Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0Silo' -Account 'PAW-T0-01$'
Set-ADComputer -Identity 'PAW-T0-01' -AuthenticationPolicySilo 'Tier0Silo'
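Steps 2 to 4 only hold if every Tier 0 account actually ends up in Protected Users and in the silo, and if no Tier 0 group contains an account living outside the Tier 0 OU. The following audit, added here as an example rather than code from the article, checks those three conditions; it assumes the OU layout, the 'Tier0Silo' name and the built-in group names used above.

```powershell
# Added example, not code from the original article. Assumes the OU layout and the
# 'Tier0Silo' name from the steps above.
function Get-Tier0Finding {
    param(
        [string]$Base = 'DC=corp,DC=local',
        [string]$Silo = 'Tier0Silo'
    )
    $t0Ou      = "OU=Accounts,OU=Tier 0,OU=Admin,$Base"
    $protected = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
    $siloDn    = (Get-ADAuthenticationPolicySilo -Identity $Silo).DistinguishedName

    # Every enabled account in the Tier 0 OU must be in Protected Users and assigned to the silo
    $t0Users = Get-ADUser -SearchBase $t0Ou -Filter * -Properties MemberOf, 'msDS-AssignedAuthNPolicySilo'
    foreach ($u in ($t0Users | Where-Object Enabled)) {
        if ($u.MemberOf -notcontains $protected) {
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = 'Not in Protected Users' }
        }
        if ([string]$u.'msDS-AssignedAuthNPolicySilo' -ne $siloDn) {
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = "Not assigned to $Silo" }
        }
    }

    # A Tier 0 group member whose object lives outside the Tier 0 OU has crossed the tier
    # boundary by construction (the built-in Administrator in CN=Users shows up here unless moved).
    # Enterprise Admins and Schema Admins exist only in the forest root, hence SilentlyContinue.
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -notlike "*,$t0Ou" } |
            ForEach-Object {
                [pscustomobject]@{ Account = $_.SamAccountName; Finding = "Member of $g but outside Tier 0 OU" }
            }
    }
}

Get-Tier0Finding | Sort-Object Account | Format-Table -AutoSize
```

An empty result is the expected state; run it on a schedule so that a newly created or moved privileged account is caught before the GPO and silo restrictions are silently bypassed.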
Step 5: Group Policy to Block Tier 0 Logon at Workstations
Use the Deny log on locally and Deny log on through Remote Desktop Services user rights to prevent Tier 0 accounts from being used on non-PAW machines:
# Create a GPO to deny Tier 0 admin logon on Tier 1 and Tier 2 computers
# (assumes a group 'Tier0-AdminAccounts' in OU=Groups,OU=Tier 0,OU=Admin that holds the Tier 0 accounts)
$gpo = New-GPO -Name 'Deny T0 Accounts on Non-PAW Computers'
New-GPLink -Name $gpo.DisplayName -Target 'OU=Tier 1,OU=Admin,DC=corp,DC=local'
New-GPLink -Name $gpo.DisplayName -Target 'OU=Corp,DC=corp,DC=local'

# Configure the user rights via the GPMC UI (User Rights Assignment lives in the GPO's
# GptTmpl.inf security template, not in the registry):
# Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
#   Deny log on locally: add Tier0-AdminAccounts group
#   Deny log on through Remote Desktop Services: add Tier0-AdminAccounts group
#   Deny access to this computer from the network: add Tier0-AdminAccounts group

# Verify with Group Policy Results
Get-GPResultantSetOfPolicy -Computer 'WORKSTATION01' -ReportType Html `
    -Path 'C:\Reports\GPResult_Workstation01.html'
Step 6: Privileged Access Workstations (PAW)
Tier 0 admins should only manage DCs from a dedicated hardened PAW. Configure the PAW GPO:
# PAW hardening via GPO (key settings):
# Enable Credential Guard
# Computer Configuration > Administrative Templates > System > Device Guard
#   Turn On Virtualization Based Security = Enabled
#   Select Platform Security Level = Secure Boot and DMA Protection
#   Credential Guard Configuration = Enabled with UEFI lock

# Block internet access from the PAW (via firewall rules).
# Windows Firewall block rules override allow rules, so "internal HTTPS only" is expressed as a
# block rule that lists the public address space, i.e. everything outside the RFC 1918 ranges.
New-NetFirewallRule -DisplayName 'Block HTTP from PAW' -Direction Outbound `
    -Protocol TCP -RemotePort 80 -Action Block -Profile Domain
New-NetFirewallRule -DisplayName 'Block HTTPS from PAW' -Direction Outbound `
    -Protocol TCP -RemotePort 443 -Action Block -Profile Domain `
    -RemoteAddress '0.0.0.0-9.255.255.255', '11.0.0.0-172.15.255.255', `
                   '172.32.0.0-192.167.255.255', '192.169.0.0-255.255.255.255'

# Enable AppLocker to allow only admin tools
# Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

# Enable Windows Defender Credential Guard via the registry (equivalent to the GPO settings above).
# The VBS values live under DeviceGuard; LsaCfgFlags lives under Lsa.
$dgPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $dgPath  -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
Set-ItemProperty -Path $dgPath  -Name 'RequirePlatformSecurityFeatures' -Value 3 -Type DWord  # 1 = Secure Boot, 3 = Secure Boot + DMA protection
Set-ItemProperty -Path $lsaPath -Name 'LsaCfgFlags' -Value 1 -Type DWord  # 1 = enabled with UEFI lock, 2 = enabled without lock
Monitoring Tier Boundary Violations
# Monitor for Tier 0 account logons on non-PAW computers.
# Event ID 4624 (Logon) is written by the computer that accepted the logon, so the DCs' logs
# only show logons to the DCs themselves; forward workstation and server Security logs for the rest.
$t0Accounts = (Get-ADGroupMember -Identity 'Tier0-AdminAccounts').SamAccountName
$domainControllers = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $domainControllers) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-24)
    } | Where-Object {
        # Property 5 of a 4624 event is TargetUserName
        $t0Accounts -contains $_.Properties[5].Value
    } | Select-Object MachineName, TimeCreated, Message
}

# Create a scheduled task to alert on violations
# Event ID 4625 (Failed Logon) for Tier 0 accounts outside PAW also warrants investigation
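The query above finds every logon by a Tier 0 account but does not say whether the source was a PAW. The classifier below, added here as an example and not part of the article, flags only logons whose source is not a known PAW or DC, and is exercised on constructed sample records so it runs offline; it assumes the Tier0-AdminAccounts group and the OU=PAW,OU=Tier 0,OU=Admin container from the steps above, and the live version needs forwarded workstation and server logs as well as the DCs' logs, since 4624 is written by the computer that accepted the logon.

```powershell
# Added example, not code from the original article. Assumes the 'Tier0-AdminAccounts'
# group and the OU=PAW,OU=Tier 0,OU=Admin container created in the steps above.
function Get-TierBoundaryViolation {
    param(
        [Parameter(ValueFromPipeline)] $Event,   # a 4624 record from Get-WinEvent (or a stand-in)
        [string[]]$Tier0Accounts,
        [string[]]$AllowedSources               # PAW names plus PAW/DC IP addresses
    )
    process {
        # 4624 property layout: 5 = TargetUserName, 8 = LogonType, 11 = WorkstationName, 18 = IpAddress
        $user = $Event.Properties[5].Value
        $type = [int]$Event.Properties[8].Value
        $wks  = ($Event.Properties[11].Value -replace '\$$', '').ToUpper()
        $ip   = $Event.Properties[18].Value
        if ($Tier0Accounts -notcontains $user) { return }
        # Kerberos network logons often carry an empty WorkstationName, so accept either identifier
        if ($AllowedSources -contains $wks -or $AllowedSources -contains $ip) { return }
        $kind = if ($type -in 2, 7, 10, 11) { 'interactive' } else { "type $type" }
        $src  = if ($wks) { $wks } else { $ip }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = $user
            LogonType = $type
            Source    = $src
            Finding   = "Tier 0 account $kind logon from a source that is not a Tier 0 PAW or DC"
        }
    }
}

# Constructed stand-ins for Get-WinEvent records so the logic can be exercised offline
function New-SampleLogon($User, $Type, $Wks, $Ip) {
    $p = 0..19 | ForEach-Object { [pscustomobject]@{ Value = '' } }
    $p[5].Value = $User; $p[8].Value = $Type; $p[11].Value = $Wks; $p[18].Value = $Ip
    [pscustomobject]@{ TimeCreated = Get-Date; Properties = $p }
}
$t0      = 'adm-t0-jsmith', 'adm-t0-mwilson'
$allowed = 'PAW-T0-01', 'PAW-T0-02', '10.0.0.50', '10.0.0.51'   # constructed PAW names and addresses
$samples = @(
    (New-SampleLogon 'adm-t0-jsmith'  10 'WORKSTATION01' '10.1.2.3')   # RDP to a Tier 2 box: violation
    (New-SampleLogon 'adm-t0-jsmith'  2  'PAW-T0-01'     '-')          # console logon on a PAW: expected
    (New-SampleLogon 'adm-t0-mwilson' 3  ''              '10.0.0.50')  # network logon to a DC from a PAW: expected
    (New-SampleLogon 'adm-t0-mwilson' 3  ''              '10.9.9.9')   # network logon from an unknown host: violation
)
$samples | Get-TierBoundaryViolation -Tier0Accounts $t0 -AllowedSources $allowed | Format-Table -AutoSize

# Against live data, build the lists from AD and feed each DC's Security log through the same function:
# $t0      = (Get-ADGroupMember -Identity 'Tier0-AdminAccounts').SamAccountName
# $allowed = (Get-ADComputer -Filter * -SearchBase 'OU=PAW,OU=Tier 0,OU=Admin,DC=corp,DC=local').Name
# Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     Get-TierBoundaryViolation -Tier0Accounts $t0 -AllowedSources $allowed
```

On the constructed input the function returns exactly two findings (the RDP logon from WORKSTATION01 and the network logon from 10.9.9.9); a Tier 0 network logon from an unknown source is the pattern to treat as lateral movement, not as noise.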
Conclusion
The Active Directory Tiered Administration Model on Windows Server 2019 uses a combination of OU segmentation, Protected Users group enforcement, Authentication Policy Silos, and GPO restrictions to enforce strict boundaries between administrative tiers. Implementing this model dramatically reduces the blast radius of any single credential compromise, ensuring that a stolen Tier 2 helpdesk account cannot be leveraged to compromise domain controllers or enterprise services.