Tier 0 is the smallest circle of administrators in a domain, and these accounts are the most critical in an organization: they hold the permissions needed to extract every user's password hash.
Guard these accounts with sheer ferocity.
Tier 0 administrators can access the ntds.dit file on a domain controller. The reverse also holds: if someone or something can access the ntds.dit file, that person or service is effectively a Tier 0 administrator, whether or not it carries the title.
Any part of the environment that can control a domain controller is part of Tier 0.
The ntds.dit file is the Active Directory database on each domain controller: it holds every account in the domain together with the password hashes for all of them (and, where reversible encryption is enabled, the passwords themselves). The hashes are encrypted with a key derived from the domain controller's boot key, which lives in the SYSTEM registry hive, so anyone who can copy ntds.dit together with that hive can extract every hash offline.
Whoever controls this file controls the domain. With every credential in hand, an attacker can impersonate any account and reach any data: research data, PII, trade secrets, and every mailbox in the organization.
The number of people who can access this file needs to be as small as possible, and the file itself needs to be secured.
Access to the ntds.dit file can come in many forms: applications installed on the domain controllers, agents or services running on them, scheduled tasks or jobs, storage or virtualization administrators who can copy the disk the file sits on, backup administrators who can restore it from a backup. The list goes on.
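One way to inventory these access paths, as an added example that is not part of the original post: the PowerShell below expands the built-in groups whose members can log on to or control a domain controller, lists the services and enabled scheduled tasks on every DC together with the account each runs as, and lists every principal granted the directory-replication extended rights on the domain naming context (those rights let a principal request the same password hashes a DC replicates, without ever touching the file). It assumes the RSAT ActiveDirectory and ScheduledTasks modules, CIM/WinRM access to each DC, and the default built-in group names; the group list and the two replication-right GUIDs are the well-known Microsoft ones, while the variable names and the output file name are my own choices.

```powershell
# Added example: inventory candidate Tier 0 principals. Not from the original post.
# Assumes: RSAT ActiveDirectory module, ScheduledTasks module, CIM/WinRM access to each DC.
Import-Module ActiveDirectory

# 1. Built-in groups whose members can log on to, administer or back up a DC.
#    (Default names; adjust if they were renamed in your forest.)
$tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Backup Operators', 'Server Operators', 'Account Operators', 'Print Operators'
)
$groupMembers = foreach ($g in $tier0Groups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object @{n='Source';    e={ "Group: $g" }},
                          @{n='Principal'; e={ $_.SamAccountName }},
                          @{n='Detail';    e={ $_.ObjectClass }}
    } catch {
        Write-Warning "Could not expand group '$g': $_"
    }
}

# 2. Services and enabled scheduled tasks on every DC, with the account each runs as.
#    Code running on a DC as SYSTEM or as a privileged account can read ntds.dit directly.
$dcHosts = (Get-ADDomainController -Filter *).HostName
$onDc = foreach ($dc in $dcHosts) {
    $cim = New-CimSession -ComputerName $dc -ErrorAction SilentlyContinue
    if (-not $cim) { Write-Warning "No CIM session to $dc"; continue }

    Get-CimInstance -CimSession $cim -ClassName Win32_Service |
        Select-Object @{n='Source';    e={ "Service on $dc" }},
                      @{n='Principal'; e={ $_.StartName }},
                      @{n='Detail';    e={ "$($_.Name): $($_.PathName)" }}

    Get-ScheduledTask -CimSession $cim |
        Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId } |
        Select-Object @{n='Source';    e={ "Task on $dc" }},
                      @{n='Principal'; e={ $_.Principal.UserId }},
                      @{n='Detail';    e={ "$($_.TaskPath)$($_.TaskName)" }}

    Remove-CimSession $cim
}

# 3. Principals with replication rights on the domain naming context.
#    DS-Replication-Get-Changes(-All) lets a caller pull the secrets a DC would
#    replicate, i.e. the hashes stored in ntds.dit, with no file access at all.
$replicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$domainDn   = (Get-ADDomain).DistinguishedName
$replRights = (Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($replicationGuids -contains $_.ObjectType.ToString()) -or
            ($_.ActiveDirectoryRights.HasFlag($genericAll) -and $_.ObjectType -eq [guid]::Empty)
        )
    } |
    Select-Object @{n='Source';    e={ 'Replication right on domain NC' }},
                  @{n='Principal'; e={ $_.IdentityReference.Value }},
                  @{n='Detail';    e={ "$($_.ActiveDirectoryRights) $($_.ObjectType)" }}

# One table of everything that, by the definition above, is effectively Tier 0.
$inventory = @($groupMembers) + @($onDc) + @($replRights)
$inventory | Sort-Object Source, Principal | Format-Table -AutoSize
$inventory | Export-Csv -Path .\tier0-inventory.csv -NoTypeInformation
```

Run it from a workstation that is itself treated as Tier 0, since the credential used to query every DC over CIM is exactly the kind of credential this inventory is trying to find. Expect the service and task sections to be the longest: every monitoring agent, backup client and management tool that someone installed on a DC shows up there, and each of its vendors and operators belongs on the Tier 0 list the picture above asks you to draw.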
The reference picture above is a good place to start when working out how many Tier 0 administrators, not just domain administrators, an organization actually has. By looking at each separate area that can reach this precious file, an organization can begin to identify the areas it needs to protect.