Field notes · 13 min read
AD Tier-0 in 90 Days: Mid-Market Edition
Tier-0 compromise equals full domain compromise. The 90-day mid-market plan closes 80% of the gap without enterprise-scale overhead.
Most published guidance on Active Directory Tier-0 implementation reads as if every shop is a 50,000-user enterprise with a dedicated identity team. RedForest. JEA. PAW. Multi-forest trust models. That guidance is excellent for the environments it was written for. It is wildly wrong for the 100–500-user mid-market shop where Tier-0 is still the highest-leverage control they can deploy — but where the enterprise blueprint costs more in operational overhead than it returns in risk reduction.
This post is the mid-market edition. We'll define Tier-0, walk through what to skip from the enterprise playbook and why, name the four controls that close 80% of the gap, and lay out a 90-day rollout plan that's been run enough times to know where the surprises are. It pairs with our AD Audit service — the audit is the prerequisite, the implementation is what this post covers.
What is Tier-0?
Tier-0 is a security-architecture term Microsoft codified in their Active Directory Administrative Tier Model. The definition is short and worth memorizing:
What's in Tier-0
- Domain controllers — every DC in every domain in the forest
- The KDC — Kerberos key distribution center; lives on every DC
- Schema masters and other FSMO role holders — Forest Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master
- GPO controllers — any system or account that can modify GPOs linked at domain or DC scope
- Privileged groups — Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, Print Operators, Server Operators
- Service accounts with Tier-0 rights — the legacy "we needed Domain Admin to install this in 2012" service accounts
- Backup systems with read access to AD — anything that can extract the ntds.dit and the SYSTEM hive
- Identity sync services — Entra Connect, the AD Connect service account, ADFS if present
- PKI infrastructure — enterprise CA, certificate templates that issue domain-controller or smart-card certificates
What's not in Tier-0
Member servers, workstations, file shares, application service accounts without Tier-0 rights, end-user accounts, and the SQL Server backing line-of-business applications. These are Tier-1 (servers and applications) and Tier-2 (workstations and end-users). They matter, but they're a different layer of the model and a different control set.
Microsoft's enterprise guidance vs mid-market reality
Microsoft's published guidance on Tier-0 protection assumes an enterprise scale. The full version includes:
- Enhanced Security Administrative Environment (ESAE) / RedForest — a separate, dedicated forest for administrative accounts, with one-way trust from production forest to admin forest. The admin accounts live in a forest that production never authenticates against.
- Just Enough Administration (JEA) — PowerShell role-based delegation that lets administrators run only specific cmdlets against specific systems, with full session transcription. Replaces broad Domain Admin grants with task-scoped grants.
- Privileged Access Workstations (PAW) — physically or logically separate workstations used only for Tier-0 tasks. No internet, no email, no productivity apps, no path from a phishing email to a Tier-0 session.
- Tiered logging infrastructure — SIEM, UEBA, and dedicated security operations on Tier-0 events.
- Hardware security modules — HSMs for the AD CS root, the AD root keys, and the most sensitive service-account credentials.
Each item on that list is correct. The full deployment costs $200K+ in tooling, hardware, and labor before the first administrative task gets executed in the new model, and it takes 6–12 months to build. For an enterprise with 5,000+ users and a dedicated identity team, that math works. For a mid-market shop with 100–500 users and a 4-person IT team, it doesn't.
| Control | Enterprise (full) | Mid-market (right-sized) |
|---|---|---|
| Admin account model | RedForest separate-forest accounts | Separate Tier-0 accounts in same forest |
| Privilege grants | JEA-scoped PowerShell | PIM just-in-time group membership |
| Admin workstation | Hardened PAW (dedicated hardware) | Cloud PC or PAW-lite (managed Windows + CA gating) |
| Tier-0 logging | SIEM + UEBA + 24/7 SOC | SIEM + alert rules on DC auth events |
| Privileged credential storage | HSM-backed | PIM-managed; LAPS for local admin |
| Initial deployment cost | $200K+ infra + 6–12 months | $35K–$60K labor + 90 days |
The mid-market simplifications (what to skip and why)
Skip RedForest — use PIM elevation in the existing forest
RedForest's value comes from the trust isolation: production cannot authenticate the admin forest, so a credential theft from a phished workstation can't directly grant Tier-0 access. The same outcome — admin credentials are not sitting in standing membership of Domain Admins where they can be lifted by an attacker — is achievable with Privileged Identity Management (PIM) in the existing forest.
PIM makes Tier-0 group membership just-in-time: no account is a standing member of Domain Admins; eligible accounts request elevation, complete a phishing-resistant MFA challenge, and receive the membership for a bounded window (typically 1–4 hours), with full audit. The credential exposure window for any given Tier-0 account is the elevation window, not 24x7.
The trade: PIM doesn't isolate the admin identity from production sign-ins the way RedForest does — the admin account exists in the production forest and could in principle be targeted there. The mitigation is the next three controls: separate admin accounts, phishing-resistant MFA, and Conditional Access gating admin sign-ins to compliant managed devices. With those in place, the residual risk vs. RedForest is small enough that mid-market shops are accepting it deliberately, not by default.
Skip JEA initially — PIM + admin-account separation closes 80% of the gap
JEA's value is task-scoped delegation: an admin who needs to restart a print spooler doesn't need Domain Admin — they need a JEA-scoped session that can run Restart-Service Spooler on the print server. Brilliant in concept, expensive in operations. Every administrative task needs a JEA role definition, every role needs review, every change to operations needs a role update.
For a mid-market shop, the same outcome — admins don't have standing broad rights for routine tasks — is largely achieved by:
- Separating admin accounts from daily-use accounts (an IT staffer's daily account does not have Domain Admin)
- PIM-eligible Tier-0 group membership instead of standing
- Separate Tier-1 admin accounts for member-server work, distinct from Tier-0 accounts
- Local Administrator Password Solution (LAPS) for member-server local admin (no password reuse, no domain admin needed for local fixes)
JEA earns its keep in environments where you have hundreds of routine administrative tasks delegated across many people. For 100–500-user shops with a 4-person IT team, the four bullets above close most of the gap. Revisit JEA in year 2 if and when the operational scale justifies it.
Use PIM, not PAW, for Tier-0 admin (or a PAW-lite Cloud PC)
Full PAW (a dedicated, hardened, internet-isolated workstation per Tier-0 admin) is expensive in hardware, expensive in operations, and friction-heavy in daily use. Mid-market admins resist it, and the resistance leads to shadow workflows that defeat the control.
The mid-market alternatives that work:
- Windows 365 Cloud PC for Tier-0 admin work — a managed virtual desktop, hardened, accessible only via the admin's Tier-0 account, gated by Conditional Access requiring compliant device + phishing-resistant MFA + trusted location. Daily-work device stays separate; the Cloud PC is the Tier-0 surface.
- PAW-lite — a managed physical or virtual workstation reserved for Tier-0 work, joined to Intune, locked down via security baselines, no productivity apps installed. Less ceremonial than full PAW but adequate for mid-market threat models.
Either approach delivers the core control: Tier-0 sign-in does not happen from the same device that handles email and web browsing. That single property closes the most common mid-market AD compromise vector (phishing → workstation → credential theft → lateral to Tier-0).
Focus on 4 controls, not 40
The full Microsoft Tier-0 control set is dozens of items deep. For mid-market, four controls deliver the bulk of the value:
- Separation of admin accounts. Every IT staff member has a separate Tier-0 account, used only for Tier-0 tasks, never for daily work.
- Tier-0 group membership review. Domain Admins, Enterprise Admins, Schema Admins membership is reviewed quarterly. PIM eligibility is the membership state; just-in-time activation is the working state.
- Admin-tier MFA. Phishing-resistant MFA (FIDO2 security key or Windows Hello for Business) enforced on every Tier-0 sign-in. SMS and OTP are explicitly excluded — they don't survive the threat model.
- Logging on all DC auth events. Every authentication on every domain controller flows to a SIEM. Alert rules cover unusual hours, unusual source IPs, Tier-0 group membership changes, and any administrative action that touches GPOs, schema, or privileged-group membership.
The other 36 controls are real. They are not zero-value. They are second-order improvements that earn their keep when the four primary controls are in place and operating cleanly. Sequence matters: do the four first, then expand.
The 90-day rollout plan
Twelve weeks, four phases, sequenced to deliver each of the four controls operationally — not just in design.
Weeks 1–2 — Discovery
The audit is the prerequisite for the implementation. If the AD audit hasn't been done, the implementation is operating on assumptions. What the discovery phase produces:
- Current admin-account inventory. Every account currently a member of any Tier-0 group. Owner, daily use vs. admin use, last sign-in, MFA state, password age, service vs. interactive.
- GPO audit. Every GPO linked at domain or DC scope. Who can edit each GPO. Any GPO with delegated edit rights to non-Tier-0 accounts.
- Current DC posture. Forest and domain functional levels. DC count and OS version. Replication health. FSMO role placement. DC-side audit policy. Which DCs are physical vs. virtual, and where virtual DCs run (hypervisor admin is implicit Tier-0 — confirm or remediate).
- Service-account Tier-0 grants. Every service account with Domain Admin or equivalent rights. Whether each is genuinely required or a 2012-era over-grant.
- Backup-system access. Backup tools' service accounts and what they can read.
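The admin-account inventory above is the one discovery deliverable that is almost entirely mechanical. The script below is an added example (not the post's or the consultancy's own tooling) that flattens each Tier-0 group named earlier to its leaf user accounts and reports the AD-side fields the inventory asks for; it assumes the ActiveDirectory RSAT module, read access to the forest, and the default English group names. Owner and MFA state are not AD attributes and are filled in separately.

```powershell
# Added example, not from the original post: flatten every Tier-0 group to its leaf
# user accounts and report the fields the Weeks 1-2 inventory asks for.
# Assumes the ActiveDirectory RSAT module and read access to the whole forest.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain        # Enterprise/Schema Admins exist only here
$thisDomain = (Get-ADDomain).DNSRoot

# Group names as used in the post; forest-wide groups resolve against the root domain.
$tier0 = @(
    @{ Name = 'Enterprise Admins'; Server = $rootDomain },
    @{ Name = 'Schema Admins';     Server = $rootDomain },
    @{ Name = 'Domain Admins';     Server = $thisDomain },
    @{ Name = 'Account Operators'; Server = $thisDomain },
    @{ Name = 'Backup Operators';  Server = $thisDomain },
    @{ Name = 'Print Operators';   Server = $thisDomain },
    @{ Name = 'Server Operators';  Server = $thisDomain }
)

$staleBefore = (Get-Date).AddDays(-90)
$props = 'Enabled','LastLogonDate','PasswordLastSet','PasswordNeverExpires',
         'ServicePrincipalName','Description'

$rows = foreach ($g in $tier0) {
    # -Recursive follows nested groups and returns only leaf users/computers,
    # so a user hidden two groups deep still shows up against the Tier-0 group.
    $leaves = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive -ErrorAction SilentlyContinue |
              Where-Object objectClass -eq 'user'
    foreach ($m in $leaves) {
        # A member may live in another domain of the forest; query its own domain,
        # derived from the DC= components of its distinguished name.
        $memberDomain = (($m.DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
        $u = Get-ADUser -Identity $m.SID -Server $memberDomain -Properties $props

        # Heuristic only: SPNs or a non-expiring password usually mean a service account.
        $isService = ($u.ServicePrincipalName.Count -gt 0) -or $u.PasswordNeverExpires
        [pscustomobject]@{
            Group           = $g.Name
            Account         = "$memberDomain\$($u.SamAccountName)"
            Enabled         = $u.Enabled
            Kind            = if ($isService) { 'Service (verify)' } else { 'Interactive' }
            LastLogon       = $u.LastLogonDate
            PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $staleBefore)
            Description     = $u.Description
        }
    }
}

$rows | Sort-Object Group, Account | Format-Table -AutoSize
$rows | Export-Csv -Path .\tier0-standing-membership.csv -NoTypeInformation

# Standing-membership count per group: the number the PIM design drives toward
# break-glass-only.
$rows | Group-Object Group | Select-Object Name, Count
```

Every row with Kind = Service (verify) feeds the service-account Tier-0 grant review; every row with Stale = True is a removal candidate before the PIM design is even drawn up.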
Weeks 3–4 — Design
- Target admin-tier model. One Tier-0 account per IT staff member. One Tier-1 admin account for member-server work. Daily-use account is Tier-2 only. Naming convention, OU placement, GPO scoping.
- PIM eligibility groups. Eligible memberships for Domain Admins, Enterprise Admins, Schema Admins. Standing membership reduced to break-glass accounts only (one or two named accounts, vault-stored credentials, MFA on activation).
- MFA enforcement plan. Phishing-resistant MFA enrolled per admin. Conditional Access policy requiring it for all Tier-0 sign-ins. Break-glass exception process documented.
- Logging architecture. SIEM target (existing customer SIEM if present, or Microsoft Sentinel, or Defender for Identity). DC audit policy updated. Alert rules drafted.
- Tier-0 admin device strategy. Cloud PC or PAW-lite, scoped per admin. Conditional Access gating Tier-0 sign-in to that device.
Weeks 5–8 — Pilot
Pilot the model with the IT team itself before pushing to any other admins. The IT team is the right pilot because they will discover every operational friction point, and they have the context to feed back the fixes.
- Separate admin accounts created for each IT staffer. Old admin grants on daily-use accounts removed. The team operates under the new model for 4 weeks before broader rollout.
- PIM eligibility activated for the IT team's Tier-0 accounts. Standing Domain Admin membership removed for everyone except the break-glass accounts. Activation friction tested against the team's actual daily admin workflow.
- Phishing-resistant MFA enrolled on every Tier-0 account. Hardware tokens shipped, Windows Hello provisioned where appropriate. CA policy enforced for the pilot group.
- Logging operational — DC auth events flowing to SIEM, alert rules in audit-only mode, false-positive baseline established.
- Cloud PC or PAW-lite deployed for the pilot admins. CA policy gates Tier-0 sign-in to the managed admin device. Daily-work device stays separate.
Weeks 9–12 — Cutover and monitoring
- Cutover — any remaining admins (third-party MSP staff, vendor service accounts, contractors with elevated rights) brought into the model on the same pattern. Service-account rights pruned to least privilege. Stale Tier-0 grants removed.
- Auth event monitoring moves from audit-only to active. Alert rules tuned based on the pilot's false-positive baseline.
- Anomaly alerts — Tier-0 sign-in from non-managed device, Tier-0 sign-in outside business hours, group membership change in Tier-0 groups, GPO edit at domain or DC scope.
- First review cycle — quarterly review of Tier-0 group membership, PIM activation logs, MFA coverage, alert disposition. Document the cadence; assign the owner.
- Formal acceptance — the four controls operating, documented, and owned. Implementation project closes; ongoing operations begin.
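Of the anomaly alerts listed above and in the four-control section, "group membership change in Tier-0 groups" is the one a team can check against raw DC events before the SIEM rule is trusted. The script below is an added example (not the post's or the consultancy's own code) that pulls those changes from every DC's Security log for the past 24 hours; it assumes the ActiveDirectory RSAT module, remote event-log read rights on the DCs, and that Audit Security Group Management is enabled in the DC audit policy.

```powershell
# Added example, not from the original post: list every add/remove on a Tier-0 group
# across all DCs in the last 24 hours, as a manual check of the SIEM alert rule.
# Assumes RSAT, remote Security-log read rights on the DCs, and Audit Security Group
# Management enabled in the DC audit policy (otherwise the events are never written).
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins','Enterprise Admins','Schema Admins',
               'Account Operators','Backup Operators','Print Operators','Server Operators'

# Member added/removed events come in three pairs by group scope:
#   4728/4729 global, 4732/4733 domain-local, 4756/4757 universal.
# Domain Admins is global, Enterprise/Schema Admins are universal, and the
# *Operators groups are builtin domain-local, so all three pairs are needed.
$ids   = 4728,4729,4732,4733,4756,4757
$since = (Get-Date).AddHours(-24)

function Get-EventField([xml]$xml, [string]$name) {
    ($xml.Event.EventData.Data | Where-Object Name -eq $name).'#text'
}

$dcs  = (Get-ADDomainController -Filter *).HostName
$hits = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc `
                -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x     = [xml]$e.ToXml()
        $group = Get-EventField $x 'TargetUserName'      # the group that changed
        if ($tier0Groups -notcontains $group) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Action = if ($e.Id -in 4728,4732,4756) { 'Added' } else { 'Removed' }
            Group  = $group
            Member = Get-EventField $x 'MemberName'       # DN of the account added/removed
            Actor  = Get-EventField $x 'SubjectUserName'  # who made the change
        }
    }
}

# Every row is either a sanctioned elevation (break-glass or the PIM workflow) or an alert.
$hits | Sort-Object Time | Format-Table -AutoSize
```

Comparing this output with the SIEM's own alert list for the same window is a quick way to confirm the rule fires on every DC rather than only on the one whose logs were used to write it.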
What it costs
Pricing transparency, in the same frame as our other fixed-fee engagements:
- AD Audit (prerequisite) — fixed-fee discovery, $8K–$15K depending on forest size and complexity. Read-only by design. Outputs the discovery deliverables listed in weeks 1–2 above. Available as a standalone engagement.
- Tier-0 implementation (90 days) — senior-led, fixed-fee, $35K–$60K for 100–500-user environments. Includes design, pilot, cutover, and the first review-cycle handoff. Excludes net-new licensing (Entra ID P2 for PIM, Defender for Identity if not already licensed, Cloud PC if chosen as the admin device).
- Optional add-ons — service-account remediation (separately scoped from audit findings), GPO hygiene cleanup, DC retirement and AD upgrade if discovery surfaces them, SIEM integration if no SIEM exists.
The fixed-fee structure exists because mid-market buyers are correctly skeptical of T&M scopes on identity work. The audit phase exists to convert assumptions into facts before the implementation phase commits.
What you don't get
Honesty about scope is part of the trust model. The mid-market 90-day Tier-0 implementation does not deliver:
- Full ESAE / RedForest — separate admin forest with one-way trust. If your threat model requires this (top-tier defense work, intelligence community, certain regulated finance), you're not in the mid-market band — you're a Tier-1 systems integrator's customer.
- Comprehensive JEA deployment — task-scoped PowerShell delegation across all admin tasks. Mid-market revisits this in year 2 if operational scale justifies it.
- Hardware-isolated PAW infrastructure — dedicated physical workstations per admin with hardware tokens, network isolation, and full session recording. The Cloud PC / PAW-lite alternative gets you the core control without the hardware lift.
- 24/7 SOC monitoring of Tier-0 — the alert rules are operational, but the after-hours response is on your team or your existing managed-detection vendor, not on the implementation engagement.
- HSM-backed credential storage — the AD CS root, AD root keys, and most sensitive credentials remain in software-based storage. HSM is a separate project for environments that need it.
If your environment needs the full enterprise package, the right partner is a large systems integrator with a dedicated identity practice — Mandiant, MNP, ATAK, Optiv, the Big Four advisory arms. They are excellent at enterprise-scale identity. They are also expensive, slow, and overkill for 100–500-user shops. Pick the partner that fits the scope.
Common mistakes we see at mid-market scale
Trying to do RedForest on a mid-market budget
A mid-market shop attempting a partial RedForest — an admin forest that they don't fully operate, that's missing the supporting infrastructure, that adds complexity without delivering the isolation — ends up worse off than the same shop doing the four-control mid-market model cleanly. Don't half-build the enterprise pattern. Build the mid-market pattern fully.
Treating "we use MFA" as Tier-0 protection
Push-notification MFA does not survive the threat model for Tier-0 accounts. Phishing-resistant MFA (FIDO2, Windows Hello for Business, smart-card) is the bar. Anything else is a partial control that reads as a full control on the audit page and isn't.
Letting service accounts retain Domain Admin "because the install needs it"
Some service accounts truly require Domain Admin. Most don't — they were granted Domain Admin in 2012 because nobody knew the actual minimum-required permission and Domain Admin worked. Audit each one. The pruning exercise is unglamorous and high-leverage.
Skipping the discovery phase
Tier-0 implementation built on assumptions of the current state lands in the wrong place. The audit phase exists to convert assumptions into facts. Two weeks of discovery saves four weeks of mid-implementation rework, every time.
Treating Tier-0 as a one-time project
The four controls are not "deploy and walk away." Quarterly Tier-0 group membership review, PIM activation log review, MFA coverage check, and alert disposition review are the operational cadence. Bake the review cadence into the implementation; assign the owner; keep the schedule. Tier-0 hygiene degrades silently if it's not actively maintained.
Related reading
- The Kerberos hygiene piece that pairs with Tier-0 work: Kerberos RC4 April 2026 enforcement: mid-market triage runbook.
- If your AD forest reads "Windows Server 2016" functional level with all 2019/2022 DCs: AD functional level on Windows Server 2019/2022: not stuck at 2016.
- If your AD modernization is part of an M&A integration: Field Notes: M&A 2-Tenant Merge in 60 Days — Tier-0 hygiene work often surfaces during tenant consolidation.
- If you're sequencing Tier-0 alongside Conditional Access rollout: Copilot readiness: the 12,000-permission problem covers the cross-cutting permission inventory work.
- If GovCon compliance is part of the driver: GCC High before CMMC Phase 2 — Tier-0 controls map directly to NIST 800-171 access-control requirements.
- Service detail: Active Directory Audit.
- Service hub: Identity, Security & Compliance.
- Industry detail: Defense Contractors.
Sources and further reading
- Microsoft Learn — Privileged Access Model
- Microsoft Learn — Privileged Access Deployment
- Microsoft Learn — Privileged Identity Management overview
- Microsoft Learn — Securing privileged access
- Microsoft Learn — Microsoft Defender for Identity
The 30-second version
Active Directory Tier-0 is the assets whose compromise equals full domain compromise. Microsoft's enterprise guidance — RedForest, JEA, full PAW — is correct for 5,000+ user environments and overkill for 100–500-user shops. The mid-market right-sized model uses PIM instead of RedForest, separate admin accounts plus PIM instead of full JEA, Cloud PC or PAW-lite instead of full PAW, and four primary controls (separated admin accounts, PIM-eligible Tier-0 membership, phishing-resistant MFA, DC auth event logging) instead of forty. Twelve weeks, fixed fee, closes ~80% of the gap at under 25% of enterprise cost. The remaining 20% is real but not proportionate to mid-market threat models.
If your AD posture hasn't been audited recently and you'd like a senior engineer to scope the audit and the Tier-0 implementation, the project intake form takes about three minutes. Two-business-day response with scope and a fixed-fee range.
Pro IT NW does senior-led identity work for mid-market and regulated organizations. Vendor-neutral. Labor-only. We don't resell Microsoft licensing, hardware tokens, or third-party identity tooling — we recommend the right configuration for your environment and you procure directly.
Related service
Active Directory Audit service
Written by the team at Pro IT NW · Senior-led Microsoft project consultancy · Seattle / USA-wide.