When you attempt to create (or delete) a trust between a Windows NT and Windows 2000 domain (AKA down-level trust), you receive:

The account is not authorized to log in from this station.

NOTE: Existing down-level trusts may not authenticate users from the trusted domain. Some users receive a message indicating that the client cannot find the domain.

If the Windows 2000 domain controller has enabled the Secure channel: Digitally encrypt or sign secure channel data (always) local policy, this error will occur because Windows NT does NOT support this secure channel communications.

To turn off the policy:

1. Open Local Security Policy in the Administrative Tools folder.

2. Navigate through Local Policies / Security Options.

3. Double-click Secure channel: Digitally encrypt or sign secure channel data (always) and set it to Disabled.

4. Press OK.

NOTE: Alternately, see How do I administer Group Policy objects (GPOs) in a Windows 2000?