The Active Directory tier model is a security architecture that reduces the risk of credential theft and privilege escalation by separating administrative accounts based on the sensitivity of the resources they manage.

Why Use a Tier Model?

Traditional Active Directory environments often allow administrators to use the same credentials across all systems. This creates a significant security risk: if an attacker compromises a workstation, they can potentially steal credentials that grant access to domain controllers. The tier model addresses this by enforcing strict separation between administrative tiers, ensuring that high-privilege credentials are never exposed on lower-tier systems.
The tier model implements Microsoft’s Enhanced Security Administrative Environment (ESAE) best practices, also known as the “Red Forest” architecture.

The Three Tiers

Tier   | Name                     | Resources                                      | Examples
Tier 0 | Identity Infrastructure  | Systems that control Active Directory identity | Domain Controllers, ADFS, Certificate Authorities, Azure AD Connect
Tier 1 | Server Management        | Enterprise servers and applications            | Application servers, database servers, file servers, management tools
Tier 2 | Workstation Management   | User endpoints and their administrators        | Workstations, laptops, help desk systems

Tier 0 - Identity Infrastructure

Tier 0 contains the most sensitive assets in your environment. Compromise of a Tier 0 system means complete control of your Active Directory forest. Protected resources include:
  • Domain Controllers
  • Active Directory Federation Services (ADFS)
  • Certificate Authorities (PKI)
  • Azure AD Connect servers
  • Privileged Access Workstations (PAWs) for Tier 0

Tier 1 - Server Management

Tier 1 contains your enterprise server infrastructure. While critical to operations, compromise of these systems should not directly lead to domain compromise. Protected resources include:
  • Application and web servers
  • Database servers (SQL, Oracle)
  • File and print servers
  • System management servers (SCCM, WSUS)

Tier 2 - Workstation Management

Tier 2 contains user endpoints. These systems are most exposed to attacks through phishing, malware, and physical access. Protected resources include:
  • User workstations and laptops
  • Help desk and support systems
  • VDI infrastructure

Tier Isolation

The tier model enforces isolation through Group Policy Objects (GPOs) that restrict how administrators can access systems across tiers.

Isolation Matrix

Administrator Tier | Can Access Tier 0 | Can Access Tier 1 | Can Access Tier 2
Tier 0 Admin       | Yes               | No                | No
Tier 1 Admin       | No                | Yes               | No
Tier 2 Admin       | No                | No                | Yes

GPO Restrictions

Tier isolation is enforced through user rights assignments that deny:
  • Local logon - Prevents interactive logon at the console
  • Remote Desktop - Blocks RDP connections
  • Network logon - Denies access via SMB, WMI, and similar protocols
  • Batch logon - Prevents scheduled tasks from running
  • Service logon - Blocks running as a service account
The key principle is that credentials from a higher tier should never be exposed on a lower tier system. A Tier 0 admin should never log into a Tier 2 workstation.
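As an added example (not part of this page or the AD Tier Model Manager itself), the following PowerShell builds the deny-rights matrix described above and audits a host's effective policy with secedit. The group names "Tier 0 Admins", "Tier 1 Admins" and "Tier 2 Admins" are assumptions; run it in an elevated session on the computer being checked.

```powershell
# Tier admin groups (assumed names; adjust to your environment).
$TierAdminGroups = [ordered]@{ 0 = 'Tier 0 Admins'; 1 = 'Tier 1 Admins'; 2 = 'Tier 2 Admins' }

# The five logon-type denials listed above, as the user-right constants used in
# User Rights Assignment GPO settings and secedit INF templates.
$DenyRights = @(
    'SeDenyInteractiveLogonRight',        # Local logon
    'SeDenyRemoteInteractiveLogonRight',  # Remote Desktop
    'SeDenyNetworkLogonRight',            # Network logon (SMB, WMI, ...)
    'SeDenyBatchLogonRight',              # Batch logon (scheduled tasks)
    'SeDenyServiceLogonRight'             # Service logon
)

# Groups that must be denied on a computer of the given tier: every other
# tier's admins (the isolation matrix: a tier's admins reach only their own tier).
function Get-TierDenyGroups {
    param([Parameter(Mandatory)][ValidateRange(0,2)][int]$ComputerTier)
    foreach ($tier in $TierAdminGroups.Keys) {
        if ($tier -ne $ComputerTier) { $TierAdminGroups[$tier] }
    }
}

# Export the effective local security policy and report, per group and right,
# whether the deny is actually in place. Requires an elevated session.
function Test-TierIsolation {
    param([Parameter(Mandatory)][ValidateRange(0,2)][int]$ComputerTier)
    $cfg = Join-Path $env:TEMP 'tier-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $cfg | Where-Object { $_ -match '^Se\w+ = ' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    foreach ($group in Get-TierDenyGroups -ComputerTier $ComputerTier) {
        # secedit lists principals by SID, prefixed with '*'
        $nt  = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$group")
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        foreach ($right in $DenyRights) {
            $line = $policy | Where-Object { $_ -like "$right = *" }
            [pscustomobject]@{
                Group    = $group
                Right    = $right
                Enforced = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
            }
        }
    }
}

# A Tier 2 workstation must deny Tier 0 and Tier 1 admins on all five rights;
# anything listed here is a cross-tier exposure to fix.
Test-TierIsolation -ComputerTier 2 | Where-Object { -not $_.Enforced }
```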

AD Tier Model Manager

The AD Tier Model Manager is a desktop application that helps you implement and maintain the tier model in your environment.

Prerequisites

Before installing, ensure you have:
  • Windows 10/11 or Windows Server 2016+
  • Domain Administrator privileges
  • .NET Framework 4.8 or later
  • PowerShell 5.1 or later

Installation

  1. Download the latest release from the GitHub releases page
  2. Extract the archive to your preferred location
  3. Run the installer or portable executable

Initial Setup

When you first launch the application:
1. Connect to Active Directory

The application will detect your domain automatically. Verify the connection and authenticate with your Domain Admin credentials.

2. Initialize Tier Structure

Create the Organizational Unit (OU) structure for each tier. The tool will create:
  • OU=Tier 0,OU=Admin,DC=domain,DC=com
  • OU=Tier 1,OU=Admin,DC=domain,DC=com
  • OU=Tier 2,OU=Admin,DC=domain,DC=com

3. Create Security Groups

The tool creates security groups for each tier that will be used in GPO restrictions.

4. Deploy GPOs

Generate and link the Group Policy Objects that enforce tier isolation.
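The OU and group creation of steps 2 and 3, written out as an added PowerShell example (not the tool's own code) so the resulting structure can be reproduced or checked by hand. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights, and the group names "Tier N Admins" are an assumption; the OU paths match the ones listed above.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=domain,DC=com
$adminOU  = "OU=Admin,$domainDN"

# Create an OU under a parent only if it does not already exist (idempotent),
# and return its distinguished name either way.
function New-OUIfMissing {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$ParentDN)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDN"
}

# Create the per-tier admin security group inside its tier OU if missing.
function New-TierAdminGroup {
    param([Parameter(Mandatory)][int]$Tier, [Parameter(Mandatory)][string]$TierOU)
    $name = "Tier $Tier Admins"   # assumed naming convention
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$name)")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
            -Path $TierOU -Description "Administrators of Tier $Tier systems; denied logon on other tiers by GPO" | Out-Null
    }
    return $name
}

# Build OU=Admin and the three tier OUs, then one admin group per tier.
New-OUIfMissing -Name 'Admin' -ParentDN $domainDN | Out-Null
foreach ($tier in 0..2) {
    $tierOU = New-OUIfMissing -Name "Tier $tier" -ParentDN $adminOU
    $group  = New-TierAdminGroup -Tier $tier -TierOU $tierOU
    Write-Output "Tier ${tier}: $tierOU -> $group"
}
```

The groups created here are the principals to place in the deny user-rights assignments of the other tiers' GPOs in step 4.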

Key Features

Tier Object Management

Assign users, groups, and computers to appropriate tiers with a visual interface.

GPO Automation

Automatically generate and maintain the GPOs required for tier isolation.

Compliance Monitoring

Detect cross-tier access violations and misconfigurations in real-time.

Audit Logging

Track all administrative actions for security review and compliance.

Next Steps

After implementing the tier model, consider these additional security measures:
  • Deploy Privileged Access Workstations (PAWs) for Tier 0 administrators
  • Implement Just-In-Time (JIT) and Just-Enough-Administration (JEA)
  • Enable Protected Users security group for sensitive accounts
  • Configure Credential Guard on administrative workstations