How to Set Up Active Directory Tiered Administration on Windows Server 2012 R2
The Microsoft Active Directory Tiered Administration model is a security architecture that separates administrative accounts and systems into three tiers to prevent credential theft attacks from escalating across the entire environment. Tier 0 contains the most critical assets — Domain Controllers, PKI servers, and AD FS — and is managed only by Tier 0 administrators. Tier 1 contains member servers and is managed by Tier 1 admins who have no rights in Tier 0. Tier 2 contains workstations, managed by Tier 2 admins with no server rights. This guide implements the tiered model on Windows Server 2012 R2 using Group Policy, authentication policies, and Active Directory design.
Prerequisites
– Windows Server 2012 R2 Active Directory domain
– Domain and Forest Functional Level at Windows Server 2012 R2 (for Authentication Policies)
– Administrative Tier 0 credentials during setup
– Understanding of existing administrative accounts and their current privileges
– PowerShell 4.0 with the ActiveDirectory and GroupPolicy modules (RSAT)
Step 1: Design the Tier OU Structure
Create a dedicated OU structure under which tier-specific objects are managed. This structure is the foundation of the entire model:
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DistinguishedName
# Create the Admin hierarchy
$tierOUs = @(
"OU=Admin,$domain",
"OU=Tier0,OU=Admin,$domain",
"OU=Tier1,OU=Admin,$domain",
"OU=Tier2,OU=Admin,$domain",
"OU=Accounts,OU=Tier0,OU=Admin,$domain",
"OU=Groups,OU=Tier0,OU=Admin,$domain",
"OU=Workstations,OU=Tier0,OU=Admin,$domain",
"OU=Accounts,OU=Tier1,OU=Admin,$domain",
"OU=Groups,OU=Tier1,OU=Admin,$domain",
"OU=Servers,OU=Tier1,OU=Admin,$domain",
"OU=Accounts,OU=Tier2,OU=Admin,$domain",
"OU=Groups,OU=Tier2,OU=Admin,$domain",
"OU=Workstations,OU=Tier2,OU=Admin,$domain"
)
foreach ($ou in $tierOUs) {
    # Split the DN into the OU's own name and its parent container
    $name = ($ou -split ',')[0] -replace 'OU=',''
    $parent = $ou -replace "^OU=$name,",''
    try {
        # -ErrorAction Stop turns an "already exists" error into a terminating one so the catch block runs
        New-ADOrganizationalUnit -Name $name -Path $parent `
            -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
        Write-Host "Created: $ou" -ForegroundColor Green
    } catch {
        Write-Warning "Skipped (exists?): $ou"
    }
}
Step 2: Create Tiered Administrative Accounts
Each administrator gets three separate accounts — one per tier they operate in — with no account spanning tiers:
# Create a tiered admin account for an administrator (one call per tier the person works in)
function New-TieredAdminAccount {
    param(
        [string]$AdminName, # e.g., "John Smith"
        [string]$Username,  # e.g., "jsmith"
        [int]$Tier
    )
    $tierOU = "OU=Accounts,OU=Tier$Tier,OU=Admin,$((Get-ADDomain).DistinguishedName)"
    $tierPrefix = "T${Tier}_"
    $samAccount = "$tierPrefix$Username"
    $upn = "$samAccount@$((Get-ADDomain).DNSRoot)"
    # Random initial password ([guid]::NewGuid() is available on PowerShell 4.0, New-Guid is not).
    # It is not retained anywhere, so reset it through a controlled process when handing the account over.
    $initialPassword = ConvertTo-SecureString "$([guid]::NewGuid())Aa1!" -AsPlainText -Force
    New-ADUser -Name "$AdminName (Tier $Tier)" `
        -GivenName $AdminName.Split()[0] `
        -Surname $AdminName.Split()[1] `
        -SamAccountName $samAccount `
        -UserPrincipalName $upn `
        -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -Path $tierOU `
        -Description "Tier $Tier administrative account for $AdminName"
    Write-Host "Created Tier $Tier account: $samAccount" -ForegroundColor Green
    return $samAccount
}
# Create accounts for sysadmin "jsmith"
New-TieredAdminAccount -AdminName "John Smith" -Username "jsmith" -Tier 0 # Domain admin work
New-TieredAdminAccount -AdminName "John Smith" -Username "jsmith" -Tier 1 # Server admin work
New-TieredAdminAccount -AdminName "John Smith" -Username "jsmith" -Tier 2 # Workstation support
# Create matching groups
New-ADGroup -Name "Tier0-Admins" -GroupScope Global -GroupCategory Security `
-Path "OU=Groups,OU=Tier0,OU=Admin,$((Get-ADDomain).DistinguishedName)"
New-ADGroup -Name "Tier1-ServerAdmins" -GroupScope Global -GroupCategory Security `
-Path "OU=Groups,OU=Tier1,OU=Admin,$((Get-ADDomain).DistinguishedName)"
New-ADGroup -Name "Tier2-DesktopSupport" -GroupScope Global -GroupCategory Security `
-Path "OU=Groups,OU=Tier2,OU=Admin,$((Get-ADDomain).DistinguishedName)"
# Add accounts to appropriate groups
Add-ADGroupMember -Identity "Tier0-Admins" -Members "T0_jsmith"
Add-ADGroupMember -Identity "Tier1-ServerAdmins" -Members "T1_jsmith"
Add-ADGroupMember -Identity "Tier2-DesktopSupport" -Members "T2_jsmith"
Step 3: Configure Group Policy to Enforce Tier Restrictions
Use the "Deny log on locally", "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network" user rights to prevent cross-tier credential use. These user rights are the technical enforcement mechanism of the model:
# The following GPO settings must be configured through Group Policy Management Console (GPMC)
# or imported from a security template. Required User Rights Assignment settings, found under
# Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment:
# GPO: "Tier 0 - Admin Workstation Restrictions"
# Applied to: OU=Workstations,OU=Tier0,OU=Admin
# Settings:
# - "Deny log on locally": Add Tier1-ServerAdmins, Tier2-DesktopSupport
# - "Deny log on through Remote Desktop Services": Add Tier1-ServerAdmins, Tier2-DesktopSupport
# - "Deny access to this computer from the network": Add Tier1-ServerAdmins, Tier2-DesktopSupport
# - "Allow log on locally": Add Tier0-Admins only
# - "Allow log on through Remote Desktop Services": Add Tier0-Admins only
# GPO: "Tier 1 - Server Restrictions"
# Applied to: OU=Servers,OU=Tier1,OU=Admin AND all server OUs
# Settings:
# - "Deny log on locally": Add Tier0-Admins, Tier2-DesktopSupport
# - "Deny access to this computer from the network": Add Tier0-Admins, Tier2-DesktopSupport
# - "Allow log on through Remote Desktop Services": Add Tier1-ServerAdmins only
# GPO: "Tier 2 - Workstation Restrictions"
# Applied to: Workstation OUs
# Settings:
# - "Deny log on locally": Add Tier0-Admins, Tier1-ServerAdmins
# - "Deny access to this computer from the network": Add Tier0-Admins, Tier1-ServerAdmins
# - "Allow log on locally": Add Tier2-DesktopSupport only
# Use PowerShell to create and link the GPOs; the User Rights Assignment itself is then set in GPMC
Import-Module GroupPolicy
$tier0GPO = New-GPO -Name "Tier0-Admin Workstation Restrictions" -Domain "corp.local"
New-GPLink -Name "Tier0-Admin Workstation Restrictions" `
    -Target "OU=Workstations,OU=Tier0,OU=Admin,DC=corp,DC=local" `
    -LinkEnabled Yes
Write-Host "GPO created and linked. Configure User Rights Assignment in GPMC." -ForegroundColor Yellow
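Because the user rights are set by hand in GPMC, it is worth reading back what the GPO actually carries before relying on it. The following check is an added example, not part of the original guide: it parses the GPO's security template in SYSVOL and confirms that each deny right names the other tiers' groups. It assumes the GPO and group names used in this guide; the expected-rights table is constructed for the Tier 0 GPO.

```powershell
# Added example (not part of the original guide): read back the User Rights Assignment that a
# tier GPO actually carries in SYSVOL and confirm each deny right names the other tiers' groups.
# Assumes the GPO and group names from this guide; the expected-rights table is constructed.
Import-Module ActiveDirectory, GroupPolicy

function Test-TierGpoUserRights {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][hashtable]$ExpectedRights   # right name -> group names required in it
    )
    $domain = Get-ADDomain
    $gpo    = Get-GPO -Name $GpoName -ErrorAction Stop
    # The Security Settings extension stores User Rights Assignment in this template file
    $inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}" +
           "\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -Path $inf)) {
        Write-Warning "$GpoName has no security template yet; nothing is configured under User Rights Assignment"
        return
    }
    # Parse [Privilege Rights]: lines look like "SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-21-..."
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    foreach ($right in $ExpectedRights.Keys) {
        foreach ($groupName in $ExpectedRights[$right]) {
            # Domain groups are written to the template as SIDs, so compare on the SID
            $sid = (Get-ADGroup -Identity $groupName).SID.Value
            $present = $rights.ContainsKey($right) -and ($rights[$right] -contains $sid)
            [pscustomobject]@{ GPO = $GpoName; Right = $right; Group = $groupName; Present = $present }
        }
    }
}

# Tier 0 PAW GPO: the lower-tier admin groups must be denied local, Remote Desktop and network logon
Test-TierGpoUserRights -GpoName "Tier0-Admin Workstation Restrictions" -ExpectedRights @{
    SeDenyInteractiveLogonRight       = 'Tier1-ServerAdmins', 'Tier2-DesktopSupport'
    SeDenyRemoteInteractiveLogonRight = 'Tier1-ServerAdmins', 'Tier2-DesktopSupport'
    SeDenyNetworkLogonRight           = 'Tier1-ServerAdmins', 'Tier2-DesktopSupport'
} | Format-Table -AutoSize
```

Any row with Present = False means the GPO does not yet deny that tier group the right, regardless of what the GPMC console appeared to save.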
Step 4: Configure Authentication Policy Silos (Windows Server 2012 R2)
Windows Server 2012 R2 at Domain Functional Level 2012 R2 introduces Authentication Policies and Authentication Policy Silos, which restrict the devices from which privileged accounts can obtain Kerberos tickets. The device identity they evaluate is carried by Kerberos armoring (FAST), so the domain controllers must have "KDC support for claims, compound authentication and Kerberos armoring" enabled and the Tier 0 workstations "Kerberos client support for claims, compound authentication and Kerberos armoring" (both under Computer Configuration > Administrative Templates > System), otherwise the silo condition cannot be evaluated:
Import-Module ActiveDirectory
# Create an Authentication Policy for Tier 0
# This restricts T0 accounts to authenticate only FROM devices that are themselves members of Tier0Silo
New-ADAuthenticationPolicy -Name "Tier0-RestrictedAuthentication" `
    -Description "Restricts Tier0 accounts to Tier0 devices only" `
    -UserAllowedToAuthenticateFrom 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0Silo"))' `
    -Enforce:$true
# Create an Authentication Policy Silo
# (leave out -Enforce:$true to start in audit mode, where violations are logged but not blocked)
New-ADAuthenticationPolicySilo -Name "Tier0Silo" `
    -Description "Tier 0 privileged access silo" `
    -UserAuthenticationPolicy "Tier0-RestrictedAuthentication" `
    -ComputerAuthenticationPolicy "Tier0-RestrictedAuthentication" `
    -Enforce:$true
# Assign Tier 0 admin accounts to the silo: the account must be granted access on the silo AND
# the silo must be set on the account; either step alone leaves the assignment incomplete
$tier0Accounts = Get-ADUser -SearchBase "OU=Accounts,OU=Tier0,OU=Admin,DC=corp,DC=local" -Filter *
foreach ($account in $tier0Accounts) {
    Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0Silo" -Account $account
    Set-ADUser -Identity $account -AuthenticationPolicySilo "Tier0Silo"
    Write-Host "Assigned $($account.SamAccountName) to Tier0Silo"
}
# Assign Tier 0 computers (PAWs) to the silo
$tier0Computers = Get-ADComputer -SearchBase "OU=Workstations,OU=Tier0,OU=Admin,DC=corp,DC=local" -Filter *
foreach ($computer in $tier0Computers) {
    Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0Silo" -Account $computer
    Set-ADComputer -Identity $computer -AuthenticationPolicySilo "Tier0Silo"
}
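A silo only works when both halves of the assignment above are in place, and the first sign of a mis-scoped silo is a Tier 0 admin who can no longer get a ticket. The following script is an added example, not part of the original guide: it checks every silo member's own silo attribute against the silo's member list and pulls the KDC's access-control denial events (4820 for TGT requests, 4821 for service ticket requests) from a domain controller. It assumes the Tier0Silo name from this guide; "dc01" is a placeholder DC name.

```powershell
# Added example (not part of the original guide): confirm the silo assignment is complete in both
# directions (silo member list AND the account's own silo attribute) and surface Kerberos denials
# caused by the silo. Assumes the Tier0Silo name from this guide; "dc01" is a placeholder DC name.
Import-Module ActiveDirectory

function Test-Tier0SiloAssignment {
    param([string]$SiloName = "Tier0Silo")
    $silo = Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members
    foreach ($memberDn in $silo.Members) {
        # Works for users and computers alike: read the assignment attribute on the object itself
        $obj = Get-ADObject -Identity $memberDn -Properties SamAccountName, 'msDS-AssignedAuthNPolicySilo'
        [pscustomobject]@{
            Member       = $obj.SamAccountName
            ObjectClass  = $obj.ObjectClass
            Assigned     = ($obj.'msDS-AssignedAuthNPolicySilo' -eq $silo.DistinguishedName)
            SiloEnforced = [bool]$silo.Enforce
        }
    }
}

function Get-SiloDenialEvents {
    param([string]$DomainController = "dc01", [int]$Hours = 24)
    # 4820: TGT denied by device restrictions; 4821: service ticket denied by user/device restrictions
    try {
        Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
            LogName = 'Security'; Id = 4820, 4821; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Summary = ($_.Message -split "`n")[0] }
        }
    } catch {
        # Get-WinEvent throws when nothing matches the filter; that simply means no denials in the window
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

$report = Test-Tier0SiloAssignment
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Assigned } | ForEach-Object {
    Write-Warning "$($_.Member) is in the silo member list but its own silo attribute is not set"
}
Get-SiloDenialEvents | Format-Table -AutoSize
```

Run the denial query against each domain controller (or the SIEM that collects their Security logs), since a ticket request is only logged on the DC that served it.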
Step 5: Privileged Access Workstations (PAWs)
Tier 0 administration should only be performed from dedicated Privileged Access Workstations — hardened systems that have no internet access and are used only for administrative tasks:
# Create a PAW baseline GPO
$pawGPO = New-GPO -Name "PAW-SecurityBaseline"
# Key PAW security settings to configure via GPMC:
# 1. No internet access (firewall rules blocking outbound HTTP/HTTPS to non-Microsoft sites)
# 2. AppLocker: allow only signed, authorized applications
# 3. Credential Guard: enabled (requires UEFI, Secure Boot)
# 4. Windows Defender: enabled, cloud protection on
# 5. No email client, no Office suite
# 6. AutoRun disabled
# 7. USB storage disabled (except authorized devices)
# 8. BitLocker enabled on OS drive
# 9. Local admin account disabled
# 10. WinRM restricted to management subnet only
# Apply to Tier 0 PAW OU
New-GPLink -Name "PAW-SecurityBaseline" `
-Target "OU=Workstations,OU=Tier0,OU=Admin,DC=corp,DC=local" -LinkEnabled Yes
# Configure the AppLocker executable rule collection to enforce via the GPO registry policy
# (EnforcementMode is set per rule collection such as Exe, Msi, Script, Dll; 1 = Enforce rules, 0 = Audit only;
# the rules themselves are authored under the AppLocker node in GPMC)
$pawGPO | Set-GPRegistryValue -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe" `
    -ValueName "EnforcementMode" -Type DWord -Value 1 # Enforce mode
Step 6: Monitoring and Alerting for Tier Violations
# Enable Advanced Audit Policy for logon events on all tier systems
# ("Account Logon" is an audit category, not a subcategory, so it is enabled with /category)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
# Create a PowerShell script to detect cross-tier logon violations
# Monitor Security Event ID 4624 (successful logon) for T0 accounts on non-T0 systems
$tier0AccountSAMs = Get-ADUser -SearchBase "OU=Accounts,OU=Tier0,OU=Admin,DC=corp,DC=local" `
    -Filter * | Select-Object -ExpandProperty SamAccountName
# This would be run against collected Windows Security events (e.g., via SIEM)
# In event 4624, Properties[5] is TargetUserName and Properties[11] is WorkstationName (the client
# the logon came from); the filter assumes PAW computer names contain "T0_PAW"
Get-WinEvent -ComputerName "dc01" -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-1)
} | Where-Object {
    $_.Properties[5].Value -in $tier0AccountSAMs -and
    $_.Properties[11].Value -notlike "*T0_PAW*"
} | ForEach-Object {
    Write-Warning "TIER VIOLATION: T0 account $($_.Properties[5].Value) logged on from $($_.Properties[11].Value) (event recorded on $($_.MachineName))"
}
Verification
# Verify tier structure
Write-Host "=== Tiered Administration Verification ===" -ForegroundColor Cyan
# Count accounts per tier (@() keeps .Count correct when an OU holds zero or one account)
foreach ($tier in 0,1,2) {
    $count = @(Get-ADUser -SearchBase "OU=Accounts,OU=Tier$tier,OU=Admin,DC=corp,DC=local" -Filter *).Count
    Write-Host "Tier $tier accounts: $count"
}
# Verify authentication policy silos
Get-ADAuthenticationPolicySilo -Filter * | Format-Table Name, Enforce
# Verify no Tier 0 account is a member of lower-tier groups (membership is resolved once, not per account)
$t0Accounts = Get-ADUser -SearchBase "OU=Accounts,OU=Tier0,OU=Admin,DC=corp,DC=local" -Filter *
$lowerTierMembers = foreach ($groupName in "Tier1-ServerAdmins", "Tier2-DesktopSupport") {
    Get-ADGroupMember -Identity $groupName -Recursive | Select-Object -ExpandProperty SamAccountName
}
$crossTier = $t0Accounts | Where-Object { $lowerTierMembers -contains $_.SamAccountName }
if ($crossTier) {
    Write-Warning "Cross-tier membership detected: $($crossTier.SamAccountName -join ', ')"
} else {
    Write-Host "No cross-tier membership violations detected" -ForegroundColor Green
}
Summary
Active Directory Tiered Administration on Windows Server 2012 R2 fundamentally changes the attack surface for credential theft. By segregating accounts into Tier 0 (AD/DC), Tier 1 (servers), and Tier 2 (workstations), configuring deny-logon GPOs across tier boundaries, implementing Authentication Policy Silos, deploying hardened PAWs for Tier 0 work, and monitoring for tier violations, you build an architecture where compromising a Tier 2 workstation cannot yield credentials that work against a Domain Controller. This model, combined with regular reviews and least-privilege group membership, is the most effective defense against lateral movement and privilege escalation in Active Directory environments.