The tier model is composed of three levels and applies only to administrative accounts. Tier 0 (domain controllers, the directory itself) is the most privileged tier, Tier 1 (servers and applications) sits below it, and Tier 2 (workstations and users) is the least privileged:
Control Restrictions → What admins control.
For example: accounts and groups in Tier 0 control and manage Tier 0 assets, but they are not used to administer machines in the lower-privilege tiers (Tier 1 or Tier 2) unless a role is specifically assigned for that purpose. The reverse direction is absolute: Tier 1 and Tier 2 accounts can never control Tier 0 assets, so a compromise at Tier 2 cannot be escalated up the chain to Tier 0 by design.
Logon Restrictions → Where admins can log on.
A Tier 0 account may only log on to Tier 0 assets and must never log on to machines in the tiers below it, because every logon leaves credential material (password hashes, Kerberos tickets) on the machine that accepted it. The Printer Bug shows why this matters: the Domain Controller's machine account, a Tier 0 identity, was coerced into authenticating to a lower-tier management server that had unconstrained delegation enabled, so that server received a copy of the DC's TGT, which an attacker on it could extract and reuse.
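The logon restriction above is straightforward to check against logon telemetry. The following is an added example, not code from the original page: it evaluates simplified Windows Event ID 4624 records against the tier rule (a more privileged identity must never touch a less trusted host; a less privileged identity may only reach a higher tier with a non-interactive network logon, as a standard user accessing a service). The account names, host names, tier assignments and log lines are all constructed for illustration; in a real estate the tier classification would come from AD group or OU membership.

```python
"""Added example: flag logons that violate the tier model's logon restrictions.

Assumptions (hypothetical, for illustration only):
  - ACCOUNT_TIER / HOST_TIER classify identities and machines into tiers;
  - events are simplified 4624 records of the form
    "4624 Computer=<host> TargetUserName=<account> LogonType=<n>".
Lower tier number means higher privilege (Tier 0 is the most privileged).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical tier classification of identities and hosts.
ACCOUNT_TIER = {
    "DC01$": 0,        # domain controller machine account: a Tier 0 identity
    "t0-admin": 0,
    "t1-admin": 1,
    "t2-helpdesk": 2,
    "alice": 2,        # ordinary user
}
HOST_TIER = {
    "DC01": 0,
    "MGMT01": 1,       # management server (e.g. one with unconstrained delegation)
    "FS01": 1,
    "WS-ALICE": 2,
}

# Windows logon types that leave reusable credential material on the target.
INTERACTIVE = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
NETWORK = {3}

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
4624 Computer=DC01 TargetUserName=t0-admin LogonType=10
4624 Computer=WS-ALICE TargetUserName=alice LogonType=2
4624 Computer=FS01 TargetUserName=alice LogonType=3
4624 Computer=MGMT01 TargetUserName=t0-admin LogonType=10
4624 Computer=DC01 TargetUserName=t2-helpdesk LogonType=10
4624 Computer=MGMT01 TargetUserName=DC01$ LogonType=3
"""


@dataclass
class LogonEvent:
    account: str
    host: str
    logon_type: int


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the simplified key=value 4624 lines into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        events.append(LogonEvent(fields["TargetUserName"],
                                 fields["Computer"],
                                 int(fields["LogonType"])))
    return events


def check_logon(ev: LogonEvent) -> Optional[str]:
    """Return None if the logon respects the tier model, else a reason."""
    acct_tier = ACCOUNT_TIER.get(ev.account)
    host_tier = HOST_TIER.get(ev.host)
    if acct_tier is None or host_tier is None:
        return f"unclassified principal {ev.account!r} or host {ev.host!r}"
    if acct_tier < host_tier:
        # A more privileged identity touched a less trusted machine: its
        # credentials (or a delegated TGT, as in the Printer Bug) are now
        # exposed on a host that lower-tier admins control.
        return (f"Tier {acct_tier} identity {ev.account} logged on to "
                f"Tier {host_tier} host {ev.host} (type {ev.logon_type})")
    if acct_tier > host_tier and ev.logon_type in INTERACTIVE:
        # A less privileged account should never get an interactive session
        # on a higher-tier asset; network access as a standard user is fine.
        return (f"Tier {acct_tier} account {ev.account} has an interactive "
                f"logon on Tier {host_tier} host {ev.host}")
    return None


def find_violations(text: str) -> List[Tuple[LogonEvent, str]]:
    """Run check_logon over every parsed event and collect the violations."""
    result = []
    for ev in parse_events(text):
        reason = check_logon(ev)
        if reason is not None:
            result.append((ev, reason))
    return result


if __name__ == "__main__":
    for ev, reason in find_violations(SAMPLE_LOG):
        print("VIOLATION:", reason)
```

Run against the constructed sample, the three flagged events are the Tier 0 admin's RDP session on the Tier 1 management server, the Tier 2 helpdesk account's interactive logon on the DC, and the DC machine account's network authentication to MGMT01, the pattern the Printer Bug produces. Alice's network logon to the file server is allowed, because a Tier 2 user reaching a Tier 1 service as a standard user is exactly what the model permits.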
Dedicated administrative forest for managing critical assets like administrative users, groups and computers.
Since the forest, not the domain, is the security boundary in Active Directory, keeping administrative identities in a separate forest gives stronger isolation than any arrangement inside the production forest.
The administrative forest is also called the Red Forest. The accounts used to administer the production forest are hosted in the Red Forest, where they are standard non-privileged users; they hold privilege only in the production forest, through membership in that forest's administrative groups.
The production forest trusts the Red Forest through a one-way trust with Selective Authentication enabled, so Red Forest accounts can only log on to the production systems on which they have explicitly been granted the "Allowed to Authenticate" permission, while accounts from the production (non-administrative) forest have no authentication path into the Red Forest at all.