"Digitally sign server communications (always)" "Digitally sign client communications (when possible)" "Digitally sign client communications (always)" Go to Start | Programs | Administrative Tools | Local Security Policy. Setting digital signatures to "always" is only really possible when you have a 100% Win2k or newer Active Directory domain.
I don't have a Win2k Domain Controller but the following is true on a member server and Win2k Pro. Warning: This hint lowers your network's security a bit, use at your own risk. Why all of this was so hard to find and/or figure out, I don't know - it seems pretty simple once I collected it all from about 10 different places. I suppose these same policies are found in a similar location in Windows 2000 Server, but I'm not going to reinistall it just to know.
You can ignore any errors about truncated strings. Start -> All Programs -> Administrative Tools -> Domain Controller Security Policy. I finally gave up and turned to the Domain Server for salvation. Seeking to end that kluge with my new Windows 2003 Server install, I hacked everything I could find on the OS X side to no avail.
I never did fix the "name or password is incorrect" error connecting via Samba to my Windows 2000 Server install, so I always passed data back and forth using an XP machine. Microsoft Windows Server has a some vaguely-worded options which must be disabled to allow OS X's Samba to connect.