samba - Apr 2002 - Windows 2000 and domain users

First the details:

Samba 2.2.3a running on Solaris 8 set up as a PDC.
Various systems running Windows 95/98/NT 4.0.

I've had absolutly no serious problems running
Samba in this configuration for the last couple
of years.  I've upgraded Samba as the new versions
have come out, and now need to integrate some new
Win2k boxes.

Problem is, when I add the new machines to the domain,
the group "DOMAIN\unix_group.2147483404" gets added to
both the Administrators group and Users group.  So domain
users start with Administrator rights!  If I remove
the "DOMAIN\unix_group.2147483404" group from the Administrators
group, it mucks thinks up bad enough to require a reinstall
of Win2k.  I'd like to think that this is not a required
feature of using Samba with Win2k.  I would like to restrict
users to the same rights as normal users, so I can lock down
who can install software on each individual machine.  As it
stands now, I can't do that.

I'm including the global section of my smb.conf, if it
helps.

Thanks,

-Jim

*************************************************
Jim Kreuziger
jkreuzig@uci.edu
*************************************************

# Global parameters
[global]
#       include = /samba/current/lib/smb.conf.%U
        workgroup = <DOMAIN>
        preexec = csh -c `echo /usr/local/samba/bin/smbclient \
                                -M %m -I %I` &
        server string = Samba %v on (%L)
        security = user
        domain logons = yes
        encrypt passwords = Yes
        password level = 3
        log level = 1
        log file = /samba/current/var/log.smbd.%m
        wins support = Yes
        name resolve order = wins hosts lmhosts bcast
        dns proxy = yes
        deadtime = 30
        keepalive = 120
        client code page = 437
        os level = 65
        preferred master = Yes
        domain master = Yes
        guest account = samba
        invalid users = root daemon bin sys lp smtp uucp nuucp listen dcs
consult dumper nobody
#       invalid users = daemon bin sys lp smtp uucp nuucp listen dcs
consult dumper nobody
        veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        getwd cache = yes
        logon script = %U.bat
        logon path = \\server\profile\%U
        remote announce = <IP ADDRESS>/<DOMAIN>
        utmp = True
#       utmp consolidate = yes
        username map = /samba/current/lib/usermap.txt
#       config file = /samba/current/lib/smb.conf.%U