We're setting up a Windows NT 4.0 environment that will provide file and print services for an important research project. The environment will consist of one domain (the research domain) with two domain controllers (DCs) and a set of file and print servers. We don't want to define a trust relationship between the research domain and our NT 4.0 production domain. Although confidentiality and strong access-control enforcement are important aspects of this project, we want to give two or three key users easy access to the research environment. These users already have NT 4.0 user accounts in our NT 4.0 production domain. Can we give them single sign-on (SSO) access to the research domain when they're logged on to the production domain even if we don't define a trust relationship between the two domains?
Yes. NT 4.0 lets you provide SSO access between two domains, between a standalone workstation or a server and a domain, or between two standalone machines (workstations or servers), as long as the user account and the associated password in both environments are identical. In your case, SSO access between the research domain and the production domain will work for your key accounts if their accounts and passwords are the same in both domains. Administrators who have to deal with multiple standalone domains and want to ease day-to-day administration often use this trick.
From a security perspective, this feature is a security hole because it presents a typical SSO key-to-the-kingdom problem: If you've logged on successfully to one domain, you get transparent access to the other domains. Many security-minded people find this situation unacceptable; after all, the accounts in the two domains are different security entities that different security authorities govern. And remember that if intruders can get through the first line of defense, they can access all network resources.