While an enterprise is free to create any trust relationships it desires among its domains, there are some well-established models for organizing these domains. These are the single domain, master domain, multiple master domains, and complete trust models, and the choices among them depend on the organization's size and division of responsibilities, as we explain later in this section. We include the single domain model--which entails no trust relationships at all--for the sake of presenting a complete comparison of options. We originally discussed these models in the Network Strategy Report "NT Server 4.0." The single domain model, as shown in Figure 3, deploys one domain, the administrative domain, which is solely for the purpose of holding user accounts and authenticating users. All other domains, known as resource domains, actually contain the working network resources, such as file systems, printers, and application services. The resource domains trust the administrative domain, since the latter authenticates the users logging in and generates their session Security Access Tokens. (The arrows in Figure 3 point from the trusting resource domains to the trusted domain.) There is no need for the administrative domain to trust any of the resource domains, or for the resource domains to trust one another.