Valtik Studios
Active Directory | high | Updated 2026-04-17 (orig. 2026-04-10) | 9 min

Active Directory Tier Zero in 2026: The Privilege Boundary Every AD Audit Must Check

Microsoft's Active Directory administrative tier model turns 10 years old in 2026. Most enterprise AD environments still have not implemented it properly. Here is what Tier 0 means, why it matters, and the specific audit procedure that finds the gaps before attackers do.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

"Our domain admin logs into her Windows laptop every day." This was a real quote from a client IT lead in January. He said it like it was normal. Because in his environment, it was normal.

We opened a meeting request, brought in the security team, and walked through what that means. Any malware on that laptop steals her Kerberos TGT. That TGT is a domain admin ticket. Your entire Active Directory is compromised by a single piece of endpoint malware.

Microsoft has been telling people to stop doing this since 2016. Ten years. We still find it everywhere. Every ransomware incident we see that involves domain admin compromise traces back to tier boundary violations. This post is the Tier 0 audit procedure we run on every AD engagement: what counts as Tier 0, what breaks the boundary, and the exact controls that fix it.

What counts as Tier 0

Tier 0 is the set of assets that have effective control over the entire Active Directory forest. Compromise any Tier 0 asset → compromise the forest → full organizational compromise. Tier 0 is small by design, but the default configurations of many enterprise tools inadvertently expand it.

Tier 0 assets always include:

  • Domain controllers. Obvious.
  • Read-only domain controllers (RODCs). Still in scope. Compromise gives meaningful attack capability.
  • AD FS (Active Directory Federation Services). The identity bridge to cloud. Compromise lets an attacker forge SAML assertions for any federated SaaS.
  • Azure AD Connect / Entra Connect. Synchronizes AD with Microsoft Entra. Its service account is effectively Tier 0.
  • PKI infrastructure. If you run Active Directory Certificate Services (ADCS), the CA servers are Tier 0. Multiple tools (Certify, Certipy) exploit ADCS misconfigurations to persist Tier 0 access.
  • Group Policy management. Servers running GPMC with Domain Admin privileges, the SYSVOL share, and any system that can modify GPOs.

Tier 0 assets often include (these get missed):

  • PAM (Privileged Access Management) platforms. CyberArk, Delinea, BeyondTrust. If PAM holds Tier 0 credentials, PAM is Tier 0.
  • Backup solutions with AD backup privileges. Veeam, Rubrik, Commvault. A backup with SYSTEM access to domain controllers is Tier 0.
  • Vulnerability scanners with authenticated DC scanning. Tenable Nessus, Qualys, Rapid7 with AD credentials for authenticated scans.
  • Endpoint management platforms with DC deployment rights. SCCM / ConfigMgr, Intune with device management on DCs.
  • Monitoring platforms with SYSTEM-level collectors on DCs. SolarWinds (the 2020 supply chain poster child), any EDR that loads kernel modules on DCs.
  • Jump servers / bastion hosts used for DC administration. If an admin uses a jump server to RDP into DCs, that jump server becomes Tier 0.

The tier boundary violations we see

Violation 1: Domain Admin used for daily work

An IT director has a regular user account and a DA account. In theory they use the DA account only for elevated tasks. In practice, they remember their DA credentials, run tools that prompt for admin, and end up using DA for routine work, including reading email and browsing the internet from the DA context.

Every time the DA account authenticates to a Tier 2 (workstation) asset, its Kerberos TGT and other credential material are cached on that workstation. Any attacker who later compromises that workstation (via phishing, drive-by, etc.) can use Mimikatz to extract the cached credentials and gain Tier 0 access.

Violation 2: Tier 0 assets joined to management networks

Best practice: Tier 0 assets live on a dedicated management network, accessed only from Tier 0 workstations (PAWs, Privileged Access Workstations). In reality, DCs often sit on the same network as management servers, monitoring infrastructure, and jump servers, sometimes reachable from the general corporate LAN.

An attacker who compromises any Tier 1 server can often reach DCs directly and attempt Kerberos attacks, LDAP abuse, or authenticated scanning.

Violation 3: Service accounts with SPNs and weak passwords

Service accounts that run services with Service Principal Names (SPNs) can be Kerberoasted. The attacker requests a service ticket for the SPN, extracts the encrypted ticket, and cracks the account password offline. Weak service account passwords (under ~14 characters or on wordlists) crack in hours.

Service accounts often hold privileged rights: DC replication, Domain Admin, Organization Management in Exchange. A cracked privileged service account is a DA equivalent.

Violation 4: Stale privileged group memberships

Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, DNS Admins. These groups accumulate members over time. Former admins, legacy service accounts, "temporary" permission grants that were never removed.

Every extra member is an extra attack surface. Every inactive account with DA membership is a free Tier 0 credential if an attacker can grab the password hash.

Violation 5: ADCS misconfiguration

Active Directory Certificate Services was the quiet Tier 0 path for years. Certify, Certipy, and related tooling exploit specific misconfigurations (ESC1 through ESC11 and beyond) to issue certificates that authenticate as any user, including Domain Admin.

If your ADCS installation has any template that combines "Enrollee Supplies Subject" with an EKU that allows client authentication, and low-privileged principals can enroll in it, that is ESC1. certipy find enumerates it in seconds.

Violation 6: Over-permissive GPO delegation

Group Policy Objects can be delegated to non-Tier-0 users for management. Anyone with Edit permission on a GPO linked to a Tier 0 OU can weaponize the GPO to run code as SYSTEM on every Tier 0 asset.

Common pattern: helpdesk has delegated edit rights on a GPO used for workstation management, but that GPO is linked where its inheritance reaches Tier 0 objects. Helpdesk effectively owns the domain.

Violation 7: Credential caching on jump hosts

The jump server used to administer DCs caches credentials as admins log in. If the jump server hasn't been rebuilt in years (common), credentials from multiple admin sessions are cached there. Compromise the jump server, harvest all the cached credentials, cascade into Tier 0.

Violation 8: NTLM and legacy protocols

NTLM authentication against DCs allows relay attacks, SMB signing bypass, and various attacks that force Kerberos to fall back to NTLM. In environments where NTLM isn't disabled, Responder-style attacks reliably capture credentials from Tier 1 assets that can then be relayed against DCs.

The audit procedure

When we audit an Active Directory environment for Tier 0 hygiene, we run this sequence:

Phase 1: Enumerate Tier 0

Identify every asset that has effective control over the forest. Starting points:

# Get members of privileged groups (run with a low-privilege user; these reads need no admin rights)
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive
Get-ADGroupMember -Identity "Schema Admins" -Recursive
Get-ADGroupMember -Identity "Backup Operators" -Recursive
Get-ADGroupMember -Identity "Account Operators" -Recursive
Get-ADGroupMember -Identity "Server Operators" -Recursive

# Get principals with replication permissions (DCSync-capable).
# The rights appear as ExtendedRight entries whose ObjectType is one of the replication
# control-access GUIDs (the rights name never contains "Replicating"), so match on the GUIDs.
# GenericAll on the domain object grants the same capability and is matched separately.
$replGuids = @(
  "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
  "89e95b76-444d-4c62-991a-0facbeda640c"   # DS-Replication-Get-Changes-In-Filtered-Set
)
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=local
(Get-Acl "AD:\$domainDN").Access |
  Where-Object { $_.AccessControlType -eq "Allow" -and (
      ($_.ActiveDirectoryRights -match "ExtendedRight" -and $_.ObjectType.ToString() -in $replGuids) -or
      ($_.ActiveDirectoryRights -match "GenericAll")) } |
  Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# Find accounts with SPNs (Kerberoastable)
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
  Select-Object SamAccountName, ServicePrincipalName

# Dump BloodHound data for comprehensive mapping
# SharpHound -c All -d contoso.local

Phase 2: BloodHound analysis

BloodHound (or the newer BloodHound Community Edition / BloodHound Enterprise) visualizes attack paths. After collection:

  • Find Shortest Paths to Domain Admins. How many hops from an average user to DA?
  • Kerberoastable Accounts with Paths to Domain Admins. Any crackable service account that leads to DA?
  • Shortest Paths from Kerberoastable Users. Same thing, different angle.
  • Users with DCSync Privilege. Anyone who can replicate the domain, regardless of DA membership.
  • Domain Admins from Unprivileged Users. The full attack graph.

A healthy Tier 0 environment has attack path depths of 5+ hops for any reasonable non-admin starting point, with no Kerberoastable user within 2 hops.

Phase 3: ADCS enumeration

# With Certipy (modern replacement for Certify)
certipy find -u user@contoso.local -p password -dc-ip 10.0.0.1 -output certipy-audit
# Look for ESC1 through ESC11 findings in output
# Add -vulnerable to print only templates and CAs that match an ESC pattern

Any ESC vulnerability is a path to forest compromise.

Phase 4: Service account audit

  • Password age > 12 months for privileged service accounts
  • Service accounts with never-expiring passwords
  • Service accounts with DA / EA membership
  • Service accounts with SPNs (Kerberoastable)
  • Password complexity against current dictionary attacks (use kerbrute or similar)
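The Phase 4 checks above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module on a domain-joined host; the 12-month cutoff is the post's threshold, and the DA / EA group names are the ones the post lists.

```powershell
# Added example: flag every Kerberoastable service account that fails a Phase 4 check.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddMonths(-12)   # post's threshold: password age > 12 months

# Recursive DA / EA membership, keyed by SID string so nested group members are caught.
$tier0Sids = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $_.SID.Value }
}

# Enabled users with an SPN: LDAP bit 2 of userAccountControl marks disabled accounts,
# which also drops the disabled krbtgt account from the list.
$serviceAccounts = Get-ADUser `
    -LDAPFilter '(&(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires

$report = foreach ($acct in $serviceAccounts) {
    $findings = @('Kerberoastable')     # having an SPN is itself a finding
    if ($acct.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
    # Null PasswordLastSet means "must change at next logon"; treat it as stale too.
    if (-not $acct.PasswordLastSet -or $acct.PasswordLastSet -lt $cutoff) {
        $findings += 'PasswordOlderThan12Months'
    }
    if ($tier0Sids -contains $acct.SID.Value) { $findings += 'MemberOfDAorEA' }
    [pscustomobject]@{
        Account     = $acct.SamAccountName
        PasswordSet = $acct.PasswordLastSet
        SPNs        = ($acct.ServicePrincipalName -join ';')
        Findings    = ($findings -join ',')
        # A Kerberoastable account in DA / EA is the "cracked service account = DA" case.
        Priority    = $(if ($findings -contains 'MemberOfDAorEA') { 'Immediate' } else { 'High' })
    }
}
$report | Sort-Object Priority, Account | Format-Table -AutoSize
```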

Phase 5: GPO delegation audit

  • Export all GPO delegation via PowerShell
  • Identify delegations to non-Tier-0 principals
  • Check where delegated GPOs are linked
  • Validate no inheritance reaches Tier 0 assets
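The four Phase 5 steps as one added PowerShell script (not the post's own tooling). It assumes the GroupPolicy and ActiveDirectory modules; the allowed-trustee list and the set of Tier 0 containers are assumptions you extend for your environment.

```powershell
# Added example: export GPO delegations and flag write rights held by non-Tier-0 principals
# on any GPO whose inheritance reaches a Tier 0 container.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Containers whose applied GPOs run on Tier 0 assets: domain root and the Domain Controllers OU.
# Add any OU you have designated Tier 0 (PAWs, ADCS, AD FS, Entra Connect servers).
$tier0Containers = @($domain.DistinguishedName, $domain.DomainControllersContainer)

# Principals permitted to hold write rights on a GPO that reaches Tier 0 (assumption).
$allowedTrustees = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
$writeLevels     = @('GpoEdit', 'GpoEditDeleteModifySecurity')

# InheritedGpoLinks lists every GPO that applies at the container, including GPOs linked
# higher up the OU tree, which is exactly the inheritance case the post warns about.
$tier0GpoIds = foreach ($c in $tier0Containers) {
    (Get-GPInheritance -Target $c).InheritedGpoLinks | ForEach-Object { $_.GpoId }
}

$findings = foreach ($gpo in Get-GPO -All) {
    $reachesTier0 = $tier0GpoIds -contains $gpo.Id
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        if ($perm.Permission -notin $writeLevels) { continue }   # read/apply is not a boundary issue
        if ($perm.Trustee.Name -in $allowedTrustees) { continue }
        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            Trustee      = $perm.Trustee.Name
            Permission   = $perm.Permission
            ReachesTier0 = $reachesTier0   # true here means the trustee can run code as SYSTEM on Tier 0
        }
    }
}
# Tier 0-reaching delegations first; the rest are still worth reviewing.
$findings | Sort-Object ReachesTier0 -Descending | Format-Table -AutoSize
```

OU-level rights to link GPOs or write gPLink are a separate check this script does not cover.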

Phase 6: Tier 0 asset isolation audit

  • Which networks can reach DCs?
  • Which workstations can RDP to jump servers?
  • Which accounts can log on interactively to DCs?
  • Is "Protected Users" group used for Tier 0 admins?
  • Are authentication policies and silos configured?

Remediation priorities (if findings are fresh)

  1. Immediate: rotate Domain Admin passwords. If any DA credential has been used on a Tier 1 or Tier 2 asset in the last 30 days, rotate.

  2. Immediate: disable accounts identified as unnecessary in privileged groups. Start with Account Operators, Backup Operators, Server Operators. These often have stale members.

  3. Short-term: deploy the Protected Users group for all Tier 0 admins. Protected Users prevents NTLM authentication, credential caching, and Kerberos delegation for its members, which blocks multiple attack paths automatically.

  4. Short-term: disable NTLM. At minimum, rely on Protected Users membership; ideally audit NTLM usage and remove it entirely over 3-6 months.

  5. Medium-term: implement PAWs, dedicated admin workstations for Tier 0 work, physical or virtual, that cannot browse the internet, receive email, or access Tier 2 assets.

  6. Medium-term: Authentication Policies and Silos. Silo Tier 0 credentials so they only work on Tier 0 assets.

  7. Medium-term: fix ADCS. Remediate any ESC findings. Enable CA audit logging.

  8. Long-term: a separate forest or Red Forest (ESAE) pattern for highest-value environments. Microsoft has pivoted away from ESAE toward privileged access management with cloud identity, but the concept (an isolated admin-only forest) still applies.
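The silo control from the medium-term item above (and the "are authentication policies and silos configured?" check in Phase 6), as an added PowerShell example that is not from the post. Silo, policy and account names are placeholders; it assumes a 2012 R2 or later domain functional level and that the "KDC support for claims, compound authentication and Kerberos armoring" policy is already enabled on the DCs.

```powershell
# Added example: bind Tier 0 users to a policy that only lets them authenticate from
# devices that are themselves members of the Tier 0 silo (the DCs and PAWs).
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'     # placeholder
$policyName = 'Tier0-Policy'   # placeholder

# SDDL condition: the authenticating device must carry an AuthenticationSilo claim equal
# to our silo. A DA credential presented from a Tier 2 laptop fails this check.
$fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# 4-hour user TGT plus the device restriction. -Enforce applies it instead of audit-only mode;
# omit -Enforce first and review event logs if you want a dry run.
New-ADAuthenticationPolicy -Name $policyName -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSilo

# One silo that applies the policy to user, computer and service accounts.
New-ADAuthenticationPolicySilo -Name $siloName -Enforce `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName

# Silo members: Tier 0 admin accounts plus every DC and PAW they authenticate from.
$members = @(
    Get-ADUser -Identity 'da-alice'      # placeholder Tier 0 admin
    Get-ADComputer -Identity 'DC01'      # placeholder domain controller
    Get-ADComputer -Identity 'PAW01'     # placeholder privileged access workstation
)
foreach ($m in $members) {
    # Membership is two-sided: the silo must permit the account, and the account must be assigned.
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $m
    Set-ADAccountAuthenticationPolicySilo -Identity $m -AuthenticationPolicySilo $siloName
}

# Phase 6 check: list what is actually in the silo and compare against the Tier 0 inventory.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members
```

Forgetting to add the DCs and PAWs as computer members locks the Tier 0 admins out of their own assets, so populate the silo before enforcing the policy in production.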

Tooling we use on engagements

  • BloodHound Community Edition / BloodHound Enterprise. Attack path analysis
  • PingCastle. General AD hygiene scoring (also available free for small envs)
  • Purple Knight. Defensive AD audit from Semperis
  • Certipy / Certify. ADCS enumeration and exploitation
  • Rubeus. Kerberos ticket manipulation
  • Mimikatz. Credential extraction (we run in controlled environments)
  • Impacket. Network-level attack simulation
  • Microsoft AD Optimization Assessment. Microsoft's own tooling if you've Premier / Unified Support
  • Tenable Security Center with authenticated scans. Finds generic misconfigurations

Compliance mapping

  • NIST 800-171 / CMMC 2.0. AC (Access Control) family practices
  • NYDFS 23 NYCRR 500. Section 500.07 (Access Privileges), 500.14 (User Access Review)
  • ISO 27001:2022. Annex A.5.15, A.5.18, A.8.2
  • SOC 2. CC6 (Logical Access)
  • HIPAA. 164.308(a)(4) (Information Access Management)

Audit findings from a Tier 0 review map directly to these frameworks.

What we deliver

Our Active Directory audits produce:

  1. Tier 0 asset inventory with justification and boundaries
  2. Attack path report from BloodHound data with prioritized remediation
  3. Privileged account inventory with stale account and weak credential identification
  4. ADCS security assessment with ESC findings
  5. GPO delegation audit
  6. Service account hygiene report
  7. Authentication protocol audit (NTLM, Kerberos)
  8. Remediation roadmap with priority + owner + target date

Typical engagement: 2-4 weeks for a mid-size environment (100-1000 DC-joined systems).

Resources

  • Microsoft Tier Model: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
  • BloodHound: https://bloodhound.specterops.io/
  • SpecterOps training (the team behind BloodHound): https://specterops.io/training/
  • Certipy ESC reference: https://github.com/ly4k/Certipy
  • Trimarc Security AD hygiene research
  • Microsoft Privileged Access Management documentation

Hire Valtik Studios

Active Directory audits are high-value engagements for any organization running Windows infrastructure. We find Tier 0 violations in almost every environment we review because default configurations are lenient and tier model implementation is hard. If you're running AD and haven't had a focused Tier 0 audit in 18+ months, the gaps are there.

Reach us at valtikstudios.com.

Tags: active directory, tier zero, privileged access, kerberos, windows security, enterprise it
