The primary advantage of the single domain model is that administrators need to define user accounts only once. Users need to log in only to the single domain and the company can centralize user account management. Moreover, the responsibility for managing users and groups is separate from resource management, allowing for some delegation and decentralization of responsibility. Such an arrangement also makes it easy to assign access rights by granting these rights to a domain group and then adding users to the group, instead of granting rights to each individual user. And the number of individual trust relationships to manage is equal to the number of resource domains and therefore relatively small. While Microsoft says that a single NT domain can't handle more than about 40,000 users, in reality, customers find that domains often can't handle far fewer than 40,000 users, making it necessary to deploy multiple administrative domains. Organizations that need to establish multiple domains can use the multiple master domain model, as shown in Figure 4. Like the single master domain model, this model segregates administrative domains from resource domains, the latter trusting the former. The model differs in that the administrative domains may or may not trust one another. For example, the human resource domain may hold confidential employee information (i.e., a local resource in an administrative domain) and will therefore not trust other administrative domains, even though these domains may trust the human resource domain.