How to register exclusive users to child-sites of a MS network?

By default, when a standard WP install is converted to MS, the system will force registration from any child-site to the main site, which in turn allows this registered user to become the default user of ANY child-site within that network.
This is highly undesired if we wish to maintain client sites using a MS with mapped domains.
How does one ensure that the user registered for one client (a particular child-site) cannot log in into the site of any other client/s (any other child site/s) with the same regsitration credentials?
I am sure that wordpress.com or edublogs allows individual blog managers to have their own exclusive users. How is this managed?