If you take one thing away from this article, make it this: in most enterprises, a single compromised laptop can lead to full control of Active Directory within hours. The tiered administration model is how you stop that. Here is what it is and why it matters — without the jargon.
How attackers turn one laptop into the whole domain
The attack pattern is depressingly consistent:
- A user clicks a phishing link, and the attacker lands on their workstation.
- The attacker waits for — or triggers — an IT admin to log in to that machine to "fix something."
- The admin's credentials are now cached in memory on a compromised machine. The attacker steals them.
- Those credentials have Domain Admin rights. Game over.
The fatal flaw is step 3: high-privilege credentials are exposed on low-trust machines. The tiered model exists to make that impossible.
The three tiers
The model divides your environment into three tiers based on the value of what is being controlled:
- Tier 0 — the keys to the kingdom. Domain controllers, the AD database, federation servers, and anything that can grant control over identities. Compromise here means total compromise.
- Tier 1 — servers and applications. Business-critical servers, databases, and line-of-business apps.
- Tier 2 — workstations and devices. Laptops, desktops, and the things end users touch every day.
The one rule that makes it work
Credentials from a higher tier must never be exposed on a lower tier.
A Tier 0 admin account is used only to log in to Tier 0 systems — never to a regular workstation, never to check email, never to browse the web. Each tier gets its own dedicated admin accounts, and ideally its own secure admin workstations (PAWs) that are hardened and used for nothing else.
Now revisit the attack: when the attacker compromises a Tier 2 laptop, the only credentials they can steal are Tier 2 credentials. They cannot reach the domain controllers, because no Tier 0 credential ever touches that machine.
What it looks like in practice
Implementing tiering touches several things:
- Separate admin accounts per tier (e.g., a normal account, a t1-account, and a t0-account for the same person).
- Authentication policies and silos in Active Directory that enforce, at the directory level, that Tier 0 accounts cannot log on to lower tiers.
- Privileged Access Workstations for Tier 0 administration.
- Group Policy and logon restrictions that enforce the boundaries.
- A serious cleanup of privileged groups — most organizations have far too many Domain Admins.
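As an added example (not from the article), here is how the "authentication policies and silos" item above can be built with the ActiveDirectory PowerShell module. The names Tier0-Policy, Tier0-Silo, t0-jdoe, DC01 and PAW01 are hypothetical, and it assumes a 2012 R2 or higher domain functional level with Kerberos claims enabled on the domain controllers and PAWs.

```powershell
# Added example, not the article's own code. Hypothetical names throughout:
# Tier0-Policy, Tier0-Silo, the admin account t0-jdoe, the hosts DC01 and PAW01.
# Assumed prerequisites: domain functional level 2012 R2+, and the GPO settings
# "KDC support for claims, compound authentication and Kerberos armoring" (on DCs)
# and "Kerberos client support for claims, compound authentication and Kerberos
# armoring" (on DCs and PAWs) enabled, otherwise silo claims are never evaluated.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'
$policyName = 'Tier0-Policy'

# SDDL that permits authentication only from devices that are themselves members
# of the Tier 0 silo. A TGT request from any other machine (a Tier 2 laptop, say)
# is refused by the KDC, so the Tier 0 credential is never cached there.
$fromTier0Only = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# 1. Policy: short TGT lifetime plus the device restriction. Created WITHOUT -Enforce,
#    so violations are only audited (Kerberos restriction events 4820/4821 on the DCs).
New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Tier 0 admins may authenticate only from Tier 0 devices' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromTier0Only

# 2. Silo that binds the policy to user, computer and service accounts alike.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName

# 3. Membership: the Tier 0 admin account, the domain controllers and the PAW.
#    The workstation the same person uses for e-mail is deliberately NOT listed.
$members = @('t0-jdoe', 'DC01$', 'PAW01$')
foreach ($m in $members) {
    $acct = Get-ADObject -Filter { SamAccountName -eq $m }
    # Grant lets the account join the silo; Set actually assigns it.
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct.DistinguishedName
    Set-ADAccountAuthenticationPolicySilo -Identity $acct.DistinguishedName -AuthenticationPolicySilo $siloName
}

# 4. Verify the silo membership and the assignment on the admin account.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members
Get-ADUser -Identity 't0-jdoe' -Properties 'msDS-AssignedAuthNPolicySilo' |
    Select-Object SamAccountName, 'msDS-AssignedAuthNPolicySilo'

# 5. Only after the audit period shows no legitimate admin path is broken:
# Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
```

Keep the silo in audit mode until the DC Security logs are clean for a full change cycle; enforcing too early locks the Tier 0 admins out of the very systems they are meant to recover.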
Why leaders should care
This is not an abstract best practice. It is the difference between a contained incident and a company-ending breach. In one regional bank engagement, a penetration test showed Domain Admin was reachable from any workstation in hours. After tiering, that path was simply gone — and the bank passed its regulatory exam with zero privileged-access findings.
Tiering is rarely a quick project, and it requires discipline to maintain. But of all the security investments you can make in Active Directory, it has the highest return: it directly defeats the most common path to total compromise.
Want to know how exposed your environment is today? A discovery call is a good place to start.