GartnerGroup recommends training administrators and avoiding domains to address the security concerns that NT's complex domain structure creates. This point is well taken: Using Microsoft's domain models to implement an existing organization can be difficult and confusing. Many administrators (and even some Microsoft engineers) lack a complete understanding of how various NT components (e.g., workstations, member servers, and domain controllers) cooperate in a single- or multidomain environment. This incomplete understanding often leads to a more complicated and costly computing environment than necessary. For example, suppose a department requires full control over who accesses the department's data. (Human resourcesHRdepartments commonly need such control.) Most IS departments meet these requirements by creating a new resource domain for the department, with trust relationships to the master domain. However, if you really understand NT security, you can meet these requirements without a second domain. With fewer domains, you enhance security and reduce costs because you have fewer trust relationships to manage and fewer domain controller systems to purchase and maintain, and you have less potential for inconsistent administration practices and policy between domains.