The security model described above presupposes the existence of a single domain within which the SAM on the domain primary and backup controllers holds the security information about all of the domain's users and groups. Workstations and servers within the domain need consult only the single SAM to authenticate users, obtain a Security Access Token, and thereby determine access rights. However, scaling, political, and geographical considerations often require the use of multiple domains, thus raising the possibility that users authenticated by one domain will need access to objects in a different domain. In such cases, one domain must be in a position to trust another or users will need to authenticate themselves to multiple domains. For example, if user BFranklin logged in to the Philadelphia domain, but needs a file in the Washington domain, one of two things must happen. Either BFranklin must have an additional account in the Washington domain and log into that domain separately, or else the Washington domain must trust the Philadelphia domain to securely authenticate and vouch for BFranklin. While it's theoretically possible to establish an account for a user in each domain for which that user needs to access resources, it is bad administrative and security practice. For one thing, it multiplies the administrative duties, creating needless extra work and allowing extra opportunities for errors. More important, however, having multiple accounts interferes with proper oversight of the user's privileges and undermines accountability. Because the user has a different Security Identifier for each domain account, it is more difficult to audit the user's actions. And if the user leaves the organization, finding and removing each of his or her domain accounts can be a less than reliable process. A sounder approach is to establish trust relationships among domains, thereby allowing the administrator to define user accounts once only. The following sections describe the nature and mechanics of inter-domain trust and describe some multiple-domain models.