How to Set Up Active Directory Tiered Administration on Windows Server 2016

Introduction

The Active Directory Tiered Administration Model on Windows Server 2016 divides admin privileges into Tier 0 (AD/DC infrastructure), Tier 1 (member servers), and Tier 2 (workstations). Keeping admin credentials separate at each tier prevents a compromised helpdesk account from pivoting to domain admin, drastically reducing breach impact.

Creating the Tier OU Structure

Build an OU hierarchy to house each tier’s admin accounts and groups:

foreach ($t in @('Tier0','Tier1','Tier2')) {
    New-ADOrganizationalUnit -Name $t -Path 'OU=Admin,DC=contoso,DC=com'
    foreach ($s in @('Accounts','Groups','ServiceAccounts')) {
        New-ADOrganizationalUnit -Name $s -Path "OU=$t,OU=Admin,DC=contoso,DC=com"
    }
}

Creating Tier Admin Accounts

Each administrator gets a separate account for each tier they manage:

New-ADUser -Name 'T0-JSmith' -SamAccountName 't0-jsmith' `
    -Path 'OU=Accounts,OU=Tier0,OU=Admin,DC=contoso,DC=com' `
    -AccountPassword (ConvertTo-SecureString 'Pa$$T0x!' -AsPlainText -Force) -Enabled $true

New-ADUser -Name 'T1-JSmith' -SamAccountName 't1-jsmith' `
    -Path 'OU=Accounts,OU=Tier1,OU=Admin,DC=contoso,DC=com' `
    -AccountPassword (ConvertTo-SecureString 'Pa$$T1x!' -AsPlainText -Force) -Enabled $true

Logon Restrictions via Group Policy

Configure GPO to deny Tier 0 accounts from logging on to Tier 1/2 systems. In Group Policy Management Console, edit the Tier 1 servers GPO: Computer Configuration > Security Settings > Local Policies > User Rights Assignment. Add Tier0-Admins to “Deny log on locally” and “Deny log on through Remote Desktop Services”.

Privileged Access Workstations

Create dedicated PAWs for Tier 0 administration to prevent credential exposure:

New-ADComputer -Name 'PAW-T0-01' -Path 'OU=PAW,OU=Tier0,OU=Admin,DC=contoso,DC=com'
$gpo = New-GPO -Name 'Tier0-PAW-Hardening'
New-GPLink -Name 'Tier0-PAW-Hardening' -Target 'OU=PAW,OU=Tier0,OU=Admin,DC=contoso,DC=com'
# GPO should block internet, enforce Credential Guard, disable USB storage

Auditing Admin Account Usage

Monitor for misuse of tier accounts across systems:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 100 |
    Where-Object { $_.Message -like '*t0-*' -or $_.Message -like '*t1-*' } |
    Select-Object TimeCreated,@{N='Account';E={$_.Properties[5].Value}},
                  @{N='LogonType';E={$_.Properties[8].Value}},
                  @{N='WorkstationName';E={$_.Properties[11].Value}}

Summary

The AD Tiered Administration Model is the most effective architectural control for protecting Active Directory on Windows Server 2016. Separating admin accounts, enforcing logon restrictions, and requiring PAWs for Tier 0 work creates layered barriers that prevent credential theft from cascading into a complete domain compromise.