Why Privileged Accounts Need Tiering
The tiered administration model is Microsoft's recommended defense against credential theft and lateral movement in Active Directory, built around the observation that if a highly privileged Domain Admin account ever logs onto a compromised or lower-trust machine, an attacker who owns that machine can harvest the credential and escalate straight to full domain control. The model splits the environment into three tiers — Tier 0 (domain controllers, AD FS servers, Entra Connect, PKI, and anything that can directly control the identity store), Tier 1 (member servers and applications), and Tier 2 (user workstations and help-desk-level support) — and enforces that credentials from a higher tier are never entered on a lower tier's machines.
Cricket analogy: Like a board never letting the national team's coaching staff badge work at a random school ground's nets, since a lost badge at a low-security venue would otherwise let anyone walk into the main stadium's dressing room.
Enforcing Tier Separation with Accounts and GPOs
Enforcing this separation in practice means an administrator holds separate accounts per tier — a Tier 0 admin account, a Tier 1 admin account, and a standard Tier 2 user account for email and browsing — rather than using one all-powerful account everywhere, since a single account used across tiers defeats the entire model. Group Policy 'User Rights Assignment' settings such as Deny log on locally, Deny log on through Remote Desktop Services, and Deny access to this computer from the network are applied to Tier 0 assets to explicitly block Tier 1 and Tier 2 admin accounts from ever authenticating there, closing the path an attacker would otherwise use to pivot upward.
Cricket analogy: Like a player using entirely separate kits — national team gear, franchise gear, and personal club gear — never wearing the national badge onto a random local club pitch where it could be lost or copied.
Privileged Access Workstations and LAPS
Privileged Access Workstations (PAWs) — hardened, single-purpose machines used only for administrative tasks and never for email or web browsing — provide the physical enforcement point for tier separation, since even a perfectly configured GPO can't help if an admin logs into Tier 0 from a general-purpose laptop that already has malware on it. The Local Administrator Password Solution (LAPS) complements this by randomizing and automatically rotating the local Administrator password on every domain-joined machine, storing it as a confidential attribute in AD, so a leaked local admin password on one workstation can't be reused to move laterally across the entire fleet.
Cricket analogy: Like a franchise assigning a dedicated, locked-down laptop just for reviewing DRS footage, never used for casual browsing, so a phishing email in someone's personal inbox can't compromise match-critical review equipment.
# Retrieve the current LAPS-managed local admin password for a workstation (requires permission)
Get-LapsADPassword -Identity 'WKSTN-1024' -AsPlainText
# Rotate the krbtgt password twice, with a delay, after suspected compromise
.\New-KrbtgtKeys.ps1 -Domain 'contoso.com' -SkipDuplicateSPNCheck
# Add an account to Protected Users to disable NTLM/DES and shorten ticket lifetimes
Add-ADGroupMember -Identity 'Protected Users' -Members 'adm.jdoe.t0'LAPS (Local Administrator Password Solution, now built into Windows Server as Windows LAPS) randomizes and rotates the local Administrator password on every domain-joined machine independently, storing each password as a confidential, access-controlled attribute in AD, so compromising one workstation's local admin password gives an attacker no path to any other machine.
Additional Hardening Layers
Additional layers reinforce the tiering model: the built-in Protected Users security group strips an account of NTLM, DES, and weak Kerberos encryption support and shortens ticket lifetimes, making credential theft attacks like pass-the-hash far less effective against members; the krbtgt account's password should be rotated twice (with a suitable delay between rotations to let ticket caches expire) at least annually, and immediately after any suspected domain compromise, to invalidate any forged golden tickets; and organizations increasingly pair on-premises tiering with Microsoft Entra Privileged Identity Management (PIM) to grant just-in-time, time-bound elevation instead of standing admin rights. Without disciplined tier enforcement, a single phishing email that compromises a help-desk technician's workstation can, within minutes, become full Domain Admin compromise via pass-the-hash or ticket theft.
Cricket analogy: Like a board periodically changing the master locker-room access code after any security scare, and stripping outdated, weak lock mechanisms from older venues in favor of modern keycard systems league-wide.
Without disciplined tier enforcement, a single phishing email compromising a help-desk technician's Tier 2 workstation can, within minutes, escalate to full Domain Admin compromise: an attacker dumps local credentials, finds a cached Tier 1 or Tier 0 admin session via pass-the-hash or ticket theft, and pivots straight to the domain controllers.
- The tiered model splits the environment into Tier 0 (identity infrastructure), Tier 1 (servers), and Tier 2 (workstations).
- Credentials from a higher tier must never be entered on a lower tier's machines.
- Separate admin accounts per tier prevent one compromised account from spanning the whole environment.
- GPO Deny logon rights on Tier 0 assets explicitly block lower-tier admin accounts from authenticating there.
- Privileged Access Workstations (PAWs) provide the physical enforcement point that GPOs alone can't guarantee.
- LAPS randomizes and rotates local Administrator passwords per machine to stop lateral movement.
- The Protected Users group and periodic krbtgt rotation add further resistance against pass-the-hash and golden ticket attacks.
Practice what you learned
1. What is included in Tier 0 under Microsoft's tiered administration model?
2. Why does the tiered model require separate admin accounts per tier?
3. What is the primary purpose of a Privileged Access Workstation (PAW)?
4. What does membership in the Protected Users group do?
5. How often, at minimum, should the krbtgt account password be rotated under normal circumstances?
Was this page helpful?
You May Also Like
Kerberos Authentication
How Active Directory's ticket-based Kerberos protocol authenticates users and services without repeatedly transmitting passwords, and how to diagnose its most common failures.
Fine-Grained Password Policies
How Password Settings Objects (PSOs) let administrators apply different password and lockout rules to different groups of users within a single Active Directory domain.
Hybrid Identity with Microsoft Entra Connect
How Microsoft Entra Connect synchronizes on-premises Active Directory identities to Microsoft Entra ID, and the authentication methods and safeguards that make hybrid identity work reliably.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics