Hi @Chapter7-2723 •
You can use user right assignement in GPO to deny access on T1 and T2 for T0 admins.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment:
You should create a OU and GPO for each tiers after that ,
On the OU T0 you link a GPO where you will deny access to T1 and T2 accounts on T0 assets
On the OU T1 you link a GPO where you will deny access to T0 and T2 accounts on T1 assets
On the OU T2 you link a GPO where you will deny access to T0 and T1 accounts on T2 assets
Please don't forget to mark helpful answer as accepted