## Why tiered administration matters
Many breaches start with one stolen help desk or server admin credential. A tiered Active Directory model limits where privileged accounts can sign in and what they can manage.
## Recommended tier model
### Tier 0
Domain controllers, AD CS, Entra Connect, backup systems, and identity infrastructure.
### Tier 1
Member servers, virtualization hosts, storage, and infrastructure applications.
### Tier 2
User workstations and standard endpoint support.
## Practical implementation
Create separate admin accounts for each tier. Do not use one domain admin account for everything.
Example naming:
“`text
j.smith-t0
j.smith-t1
j.smith-t2
“`
Use Group Policy to deny interactive logon across tiers:
“`text
Deny log on locally: Tier 0 admins on Tier 1/2 systems
Deny log on through RDP: Tier 0 admins on Tier 1/2 systems
“`
## Harden admin workstations
Privileged Access Workstations should block email, web browsing, and non-admin productivity apps. Require MFA where possible and monitor all privileged logons.
## Delegate instead of over-permissioning
Give help desk staff reset-password rights only in approved OUs. Avoid adding users to Domain Admins for convenience.
## Key takeaways
Tiered administration is inexpensive, practical, and highly effective. Start by separating admin accounts, restricting logon paths, hardening privileged workstations, and reviewing privileged group membership monthly.