When you attempt to create (or delete) a trust between a Windows NT and Windows 2000 domain (AKA down-level trust), you receive:
The account is not authorized to log in from this station.
NOTE: Existing down-level trusts may not authenticate users from the trusted domain. Some users receive a message indicating that the client cannot find the domain.
If the Windows 2000 domain controller has enabled the Secure channel: Digitally encrypt or sign secure channel data (always) local policy, this error will occur because Windows NT does NOT support this secure channel communications.
To turn off the policy:
1. Open Local Security Policy in the Administrative Tools folder.
2. Navigate through Local Policies / Security Options.
3. Double-click Secure channel: Digitally encrypt or sign secure channel data (always) and set it to Disabled.
4. Press OK.
NOTE: Alternately, see How do I administer Group Policy objects (GPOs) in a Windows 2000?