100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Windows

Securing Privileged Accounts (Tiered Admin Model)

How Microsoft's tiered administration model, Privileged Access Workstations, and LAPS together prevent a single compromised low-trust machine from escalating into full domain compromise.

Security & IdentityAdvanced10 min readJul 10, 2026
Analogies

Why Privileged Accounts Need Tiering

The tiered administration model is Microsoft's recommended defense against credential theft and lateral movement in Active Directory, built around the observation that if a highly privileged Domain Admin account ever logs onto a compromised or lower-trust machine, an attacker who owns that machine can harvest the credential and escalate straight to full domain control. The model splits the environment into three tiers — Tier 0 (domain controllers, AD FS servers, Entra Connect, PKI, and anything that can directly control the identity store), Tier 1 (member servers and applications), and Tier 2 (user workstations and help-desk-level support) — and enforces that credentials from a higher tier are never entered on a lower tier's machines.

🏏

Cricket analogy: Like a board never letting the national team's coaching staff badge work at a random school ground's nets, since a lost badge at a low-security venue would otherwise let anyone walk into the main stadium's dressing room.

Enforcing Tier Separation with Accounts and GPOs

Enforcing this separation in practice means an administrator holds separate accounts per tier — a Tier 0 admin account, a Tier 1 admin account, and a standard Tier 2 user account for email and browsing — rather than using one all-powerful account everywhere, since a single account used across tiers defeats the entire model. Group Policy 'User Rights Assignment' settings such as Deny log on locally, Deny log on through Remote Desktop Services, and Deny access to this computer from the network are applied to Tier 0 assets to explicitly block Tier 1 and Tier 2 admin accounts from ever authenticating there, closing the path an attacker would otherwise use to pivot upward.

🏏

Cricket analogy: Like a player using entirely separate kits — national team gear, franchise gear, and personal club gear — never wearing the national badge onto a random local club pitch where it could be lost or copied.

Privileged Access Workstations and LAPS

Privileged Access Workstations (PAWs) — hardened, single-purpose machines used only for administrative tasks and never for email or web browsing — provide the physical enforcement point for tier separation, since even a perfectly configured GPO can't help if an admin logs into Tier 0 from a general-purpose laptop that already has malware on it. The Local Administrator Password Solution (LAPS) complements this by randomizing and automatically rotating the local Administrator password on every domain-joined machine, storing it as a confidential attribute in AD, so a leaked local admin password on one workstation can't be reused to move laterally across the entire fleet.

🏏

Cricket analogy: Like a franchise assigning a dedicated, locked-down laptop just for reviewing DRS footage, never used for casual browsing, so a phishing email in someone's personal inbox can't compromise match-critical review equipment.

powershell
# Retrieve the current LAPS-managed local admin password for a workstation (requires permission)
Get-LapsADPassword -Identity 'WKSTN-1024' -AsPlainText

# Rotate the krbtgt password twice, with a delay, after suspected compromise
.\New-KrbtgtKeys.ps1 -Domain 'contoso.com' -SkipDuplicateSPNCheck

# Add an account to Protected Users to disable NTLM/DES and shorten ticket lifetimes
Add-ADGroupMember -Identity 'Protected Users' -Members 'adm.jdoe.t0'

LAPS (Local Administrator Password Solution, now built into Windows Server as Windows LAPS) randomizes and rotates the local Administrator password on every domain-joined machine independently, storing each password as a confidential, access-controlled attribute in AD, so compromising one workstation's local admin password gives an attacker no path to any other machine.

Additional Hardening Layers

Additional layers reinforce the tiering model: the built-in Protected Users security group strips an account of NTLM, DES, and weak Kerberos encryption support and shortens ticket lifetimes, making credential theft attacks like pass-the-hash far less effective against members; the krbtgt account's password should be rotated twice (with a suitable delay between rotations to let ticket caches expire) at least annually, and immediately after any suspected domain compromise, to invalidate any forged golden tickets; and organizations increasingly pair on-premises tiering with Microsoft Entra Privileged Identity Management (PIM) to grant just-in-time, time-bound elevation instead of standing admin rights. Without disciplined tier enforcement, a single phishing email that compromises a help-desk technician's workstation can, within minutes, become full Domain Admin compromise via pass-the-hash or ticket theft.

🏏

Cricket analogy: Like a board periodically changing the master locker-room access code after any security scare, and stripping outdated, weak lock mechanisms from older venues in favor of modern keycard systems league-wide.

Without disciplined tier enforcement, a single phishing email compromising a help-desk technician's Tier 2 workstation can, within minutes, escalate to full Domain Admin compromise: an attacker dumps local credentials, finds a cached Tier 1 or Tier 0 admin session via pass-the-hash or ticket theft, and pivots straight to the domain controllers.

  • The tiered model splits the environment into Tier 0 (identity infrastructure), Tier 1 (servers), and Tier 2 (workstations).
  • Credentials from a higher tier must never be entered on a lower tier's machines.
  • Separate admin accounts per tier prevent one compromised account from spanning the whole environment.
  • GPO Deny logon rights on Tier 0 assets explicitly block lower-tier admin accounts from authenticating there.
  • Privileged Access Workstations (PAWs) provide the physical enforcement point that GPOs alone can't guarantee.
  • LAPS randomizes and rotates local Administrator passwords per machine to stop lateral movement.
  • The Protected Users group and periodic krbtgt rotation add further resistance against pass-the-hash and golden ticket attacks.

Practice what you learned

Was this page helpful?

Topics covered

#Windows#WindowsServerActiveDirectoryStudyNotes#MicrosoftTechnologies#SecuringPrivilegedAccountsTieredAdminModel#Securing#Privileged#Accounts#Tiered#StudyNotes#SkillVeris