Master of My Domain
The next step of the inspection was to see how the domain was configured. Surely, this couldn't be too bad...it's a relatively small shop. Guess what? I was wrong, wrong, wrong. Whoever installed the Windows NT servers must have been the same guy who ran the network cables. They had five servers, each one acting as a primary domain controller (PDC). Okay, if you're not a Windows NT person that may seem innocent enough. The trouble is that you can have only one PDC per domain. For the math-challenged in the group, that means they had five separate domains. Not exactly ideal for just 100 users. One domain would have sufficed.
Now in the crazy world of Windows NT 4 domains, you have to create a trust relationship between domains to access resources in other domains. For example, if I wanted to borrow 100 dollars from you (wait a minute, the stock market is still down; better make it a twenty). If you agree to loan me a twenty, you'd trust me with your money. You'd trust that I'd spend it on beer and lottery tickets, not something wacky like Enron or WorldCom stock. You would be the trusting partner, because you have the resource. I'd be the trusted partner because I want the resource.
So, if you log into the domain called DOMA and want to print to a printer in DOMB, DOMB must trust DOMA. Additionally, you still need permissions to the printer in DOMB.
There is, however, a sneaky, defeating way around this whole "trust thingy." If there's a user in both domains with the same account name and password, they can bypass the trust business and get onto accessing resources. The trouble here, however, is should the user's password change in either domain then they're out of luck.
My client was using this sneaky, defeating method, rather than the somewhat-preferred "trust thingy." The administrator of these domains created each user account in each domain by hand. No users can ever change their passwords, and their passwords never expire. And what happens when a user forgets their logon password? No problem, they've a list of every user's logon name and password hanging on a bulletin board by the coffee maker. Not exactly Fort Knox, eh?