Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,635 questions
Microsoft tiered model - how do we deal with end user applications which require AD authentication?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 22%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
peter siffredi
41
Reputation points
Hello,
We're implementing Microsoft's tiered security model based on T0, T1 and T2 security levels.
Typically this model is for administrative access to infrastructure, however we have had audit requests for implementation for RBAC for end user applications that are AD integrated. We're considering giving end users T1 accounts or potentially T3 accounts so that they can perform admin tasks within specific applications\systems (e.g. the HR database or customer CRM portal).
What's the recommended organisational approach for this?
Creating T1 accounts for end users poses some challenges around being able to delegate ownership of account creation and password resets, hence we're considering creating T3 accounts so we can delegate account ownership to the service desk.
I'm looking for some advice on how real world best practices work.
Thanks