Google Analytics uses a browser cookie as an identification mechanism. The GA cookie is used to uniquely identify the client across multiple pagesviews and visits.
By default, the cookie that Google Analytics sets is set on the highest-level domain possible. On a user’s first visit to your GA enabled website: subdomain.domain.com, Google analytics will set its identification cookie on domain.com.
In our case, this means that when a new user visits chhs.gmu.edu, GA sets their identification cookie on gmu.edu (not on the specific sub-domain). Because the cookie is set on the domain level (not the subdomain level), the same identification cookie is also available to any other subdomain of gmu.edu.
Because of this, even though each of our subdomains are separate websites, they are able to share the same GA identification cookie because they are all on the same domain.
More from the GA Developer Guide: Cookie Usage:
When using the recommended JavaScript snippet, analytics.js sets cookies on the highest level domain it can. For example, if your website address is blog.example.co.uk, analytics.js will set the cookie domain to .example.co.uk. Setting cookies on the highest level domain possible allows users to be tracked across subdomains without any extra configuration.
But this all assumes that you have not changed your cookieDomain from the default. See, for example, the Mason Roll-Up implementation example scripts.
Recommendation: don’t change your cookieDomain from “auto”.
Sidenote: recognize that the GA cookie identifies unique clients (browsers), not actual individual people. Anywhere in your GA reports that mentioned the word “users”, they are actually talking about clients.