Active Directory Tiering for Texas SMBs: The 90-Day Implementation

The model defines three tiers of administrative access based on what the credential controls:

• Tier 0 — controls identity itself. Domain controllers, Active Directory database, certificate authority, federation services, identity synchronization servers. Compromise of Tier 0 is game over.
• Tier 1 — controls servers and applications. Database servers, application servers, file servers, hypervisor management. Compromise of Tier 1 is severe but recoverable.
• Tier 2 — controls user workstations and standard endpoints. Help desk admin rights, workstation management. Compromise of Tier 2 is daily noise.

The core rule: credentials from a higher tier may never authenticate to a lower tier. A Tier 0 admin must never log into a Tier 2 workstation, because if that workstation has malware, the malware can steal the Tier 0 credential and pivot to a domain controller.

Modern ransomware operators specifically target the Domain Admin escalation path. The dwell time pattern looks like this:

1. Initial access via phishing, exploited service, or stolen credential — lands on a workstation (Tier 2)
2. Local privilege escalation, dump credentials from memory or LSASS
3. Find a Tier 1 or Tier 0 credential that recently authenticated to that workstation (because admins log into workstations to support users)
4. Use that credential to authenticate to a Tier 0 system, dump SYSTEM/NTDS.dit, extract all domain hashes
5. Now have domain admin everywhere — deploy ransomware tenant-wide

The entire chain depends on step 3. Tiered administration breaks step 3 by ensuring Tier 0 and Tier 1 credentials never authenticate to a workstation in the first place.

Days 1-15: Discovery and Inventory

• Inventory all admin accounts (Domain Admins, Enterprise Admins, Schema Admins, all built-in admin groups)
• Identify each account's actual usage: who uses it, for what tasks, on which systems
• Categorize each system as Tier 0, Tier 1, or Tier 2
• Identify "service accounts" with admin rights — these are usually misclassified Tier 1 or Tier 0 entities
• Document your current state honestly. Most environments will discover Tier 0 admins routinely RDP into workstations to support users.

Days 16-30: Build the Tier 0 Boundary

• Create dedicated Tier 0 admin accounts (separate from daily-use Tier 1/2 accounts)
• Designate Privileged Access Workstations (PAWs) — dedicated hardware or VMs used ONLY for Tier 0 admin tasks
• Configure PAWs with no internet access, no email, no productivity software, locked down via PAM/application allowlisting
• Apply Authentication Policy Silos to bind Tier 0 admin accounts to PAWs only
• Migrate Tier 0 admin work onto PAWs, verify it functions

Days 31-60: Tier 1 Server Boundary

• Create Tier 1 admin accounts separate from Tier 0 and Tier 2
• Designate Tier 1 jump servers — Windows Server systems used to admin Tier 1 servers
• Apply Authentication Policy Silos preventing Tier 1 accounts from logging into Tier 2 workstations
• Use LAPS to randomize local admin passwords on all servers (eliminates the universal local admin pivot)
• Migrate server administration onto the Tier 1 jump pattern

Days 61-75: Tier 2 Workstation Boundary

• Create dedicated Tier 2 admin accounts for help desk staff
• Use LAPS for workstation local admin password randomization
• Configure Tier 2 admin accounts to be unable to log into Tier 0 or Tier 1 systems
• Just-in-time elevation for help desk: temporary admin rights on the specific workstation being supported, expiring after 60 minutes

Days 76-90: Verification and Documentation

• Test that a compromised Tier 2 workstation cannot pivot to Tier 1 or Tier 0
• Test that Tier 0 admins cannot accidentally log into a workstation
• Document the new model — runbook for help desk, runbook for server admins, runbook for identity admins
• Train all admins on the new procedure
• Schedule quarterly review

Tiered admin closes the most common pivot path. It does not close:

• Compromise via Tier 1 application vulnerability (still need patching)
• Compromise via Tier 2 user account credential theft (still need MFA — see MFA bypass attacks)
• Compromise of cloud identity (Microsoft 365 admins need separate hardening — see ITDR coverage)

It is a foundational layer, not a replacement for the other layers.

For Texas SMBs without tiered administration: the Day 1-15 discovery is the highest-leverage starting point. Most organizations don't actually know how their admin credentials are used until they look. The discovery alone often reveals 5-10 quick wins (service accounts that should be removed, Domain Admins that should be Tier 1, RDP sessions that should not be happening).

Pair this with our 2026 PAM tools comparison for the endpoint enforcement layer, and our cybersecurity services for the broader program.

• Houston cybersecurity
• The Woodlands cybersecurity
• Sugar Land cybersecurity
• Austin cybersecurity