What are the permission recommendations for domain operators in AD tiering (Tier 0)?

Richa Kumari 286 Reputation points
2024-06-19T05:22:47.58+00:00

Hello Experts,

What are the permission recommendations for a domain controller operator in AD tiering (Tier 0)?
Below is the OU structure; the domain operator group is highlighted.

[Image: forumad.png (screenshot of the OU structure with the domain operator group highlighted)]

Thanks

Rich


1 answer

  1. Yanhong Liu 4,420 Reputation points Microsoft Vendor
    2024-06-19T06:57:49.56+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    Based on your description, here is a logical summary of the recommended permissions and security practices for Tier 0:

    Separate administrator accounts for administrative tasks: In a three-tier model, AD administrators may need four separate credentials: User (non-privileged), Tier 2 (workstation) administrator, Tier 1 (server) administrator, and Tier 0 (security infrastructure) administrator. Users with administrator privileges must have separate administrator accounts at each tier, which helps prevent pass-the-hash attacks from escalating from lower tiers to higher tiers. Please refer to the link: Securing Privileged Access for the AD Admin - Part 1 - Microsoft Community Hub

    Tier 0 Account Operators: The Account Operators group grants limited account creation permissions to users. Members of this group can create and modify most types of accounts, including users, local groups, and global groups, and can log on locally to a domain controller. Please refer to the link: Tier 0 Account Operators - Secframe

    Tier 0 Administrative Control: Tier 0 administrators can manage and control assets in all tiers but can only log on interactively to Tier 0 assets. Tier 0 administrators must use a Tier 0 Privileged Access Workstation (PAW) to manage other Tier 0 assets, such as domain controllers, because the account will be a member of a high-privileged domain or forest group. Reference Links: Why You Should Use Microsoft's Active Directory Tier Administrative Model - Petri IT Knowledgebase

    It is also recommended to enforce 2FA for all Tier 0 accounts to enhance security. Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. 2FA enables enterprises to monitor and help protect their most vulnerable information and networks.

    Reference link: What Is Two-Factor Authentication (2FA)? | Microsoft Security

    Use Two-factor Authentication to Protect Your Accounts | Consumer Advice (ftc.gov)

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
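The answer above lists which built-in groups sit in Tier 0 and notes that Account Operators members can create accounts and log on to a domain controller. The following PowerShell script is an added example (not posted by either participant and not Microsoft's own tooling) that a defender can run to check those two things against a real domain: it enumerates the effective (recursive) membership of the Tier 0 groups, flags the built-in operator groups that should normally have no members, and lists every ACE that the OU-delegated operator group holds on the Domain Controllers OU. It assumes the RSAT ActiveDirectory module is installed and that the script runs as a domain account that can read the directory; the group name `Domain Operators` is a placeholder for the group highlighted in the question's screenshot.

```powershell
# Added example for this thread, not code from the original post.
# Audits Tier 0 group membership and the delegation an operator group has on
# the Domain Controllers OU. Requires the RSAT ActiveDirectory module.
param(
    # Placeholder: replace with the name of the operator group highlighted in the OU screenshot.
    [string]$OperatorGroup = 'Domain Operators'
)

Import-Module ActiveDirectory   # also creates the AD: PSDrive used for Get-Acl below

$domain = Get-ADDomain
$dcOuDN = "OU=Domain Controllers,$($domain.DistinguishedName)"

# Built-in groups whose membership amounts to Tier 0 control of the domain or of DCs.
$tier0Groups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

# Operator groups that Microsoft's hardening guidance expects to be left empty.
$shouldBeEmpty = @('Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')

$membershipReport = foreach ($name in $tier0Groups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive expands nested groups so indirect members are caught too.
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Group        = $name
        MemberCount  = $members.Count
        Members      = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
        # Non-empty operator groups are a finding; admin groups are reported for review.
        Finding      = if ($shouldBeEmpty -contains $name -and $members.Count -gt 0) {
                           'Operator group should be empty'
                       } else { '' }
    }
}

Write-Host "== Tier 0 group membership ==" -ForegroundColor Cyan
$membershipReport | Format-Table -AutoSize

# Is the operator group nested (directly or indirectly) into any Tier 0 group?
$nested = $membershipReport | Where-Object { $_.Members -match "(^|, )$([regex]::Escape($OperatorGroup))($|, )" }
if ($nested) {
    Write-Warning "'$OperatorGroup' is nested into Tier 0 group(s): $($nested.Group -join ', ')"
}

# What has the operator group been delegated on the Domain Controllers OU?
Write-Host "== ACEs for '$OperatorGroup' on $dcOuDN ==" -ForegroundColor Cyan
$acl = Get-Acl -Path "AD:\$dcOuDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$OperatorGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

Run it from a management host with RSAT as a read-only domain user; the script only reads group membership and ACLs. Any explicit (non-inherited) ACE for the operator group on the Domain Controllers OU, and any membership in the four operator groups, is what the answer's Tier 0 guidance says should be reviewed and, where not strictly needed, removed.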