I posted this question in the DPM forum. But I thought I would post it here as well, since it's really an AD question.
I've been working for several days to find a solution to a problem with DPM. I finally stumbled across something at social.technet.microsoft.com that has fixed the problem. I put the computer account of our DPM server into the Domain Admins group. (Our AD is 2008 R2, raised to the highest functional level.)
It's not clear to me why this fixed the problem. More important, are there bad things that could happen as a result of putting a server's computer account into the Domain Admins group?
I suppose that if someone clever could manage to run a script using the credentials of that computer, they would have a lot of power (same rights as a domain admin). I'm not sure how or if that could be practically exploited.
I finally got a chance to test out putting the DPM server computer account into the local admin group on the problematic XP workstation. It worked! Good idea you had. I should have thought of that myself. Thanks.
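As an added example (not part of the original posts), the following audit lists any computer accounts that hold membership, directly or through nested groups, in the domain's privileged groups, which is the condition the question asks about. It assumes the ActiveDirectory PowerShell module is available and that the default group names are in use; the function name `Get-PrivilegedComputerMember` is hypothetical.

```powershell
# Added example: report computer accounts that are members of privileged AD groups.
# Assumes the ActiveDirectory module (RSAT / AD Web Services) and default group names.
Import-Module ActiveDirectory

function Get-PrivilegedComputerMember {
    param(
        # Default privileged groups; adjust to match your own delegation model.
        [string[]]$GroupName = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )

    foreach ($name in $GroupName) {
        try {
            # -Recursive flattens nested groups, so a computer that reaches the
            # group through an intermediate group is still reported.
            $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop
        }
        catch {
            # For example, Enterprise Admins does not exist in a child domain.
            Write-Warning "Could not read group '$name': $($_.Exception.Message)"
            continue
        }

        $members |
            Where-Object { $_.objectClass -eq 'computer' } |
            Select-Object @{ Name = 'Group'; Expression = { $name } },
                          SamAccountName,
                          distinguishedName
    }
}

# Any row returned is a machine whose LocalSystem and NetworkService contexts
# act on the network with that group's rights.
Get-PrivilegedComputerMember | Format-Table -AutoSize
```

An empty result is the expected state once the server's computer account has been moved out of Domain Admins and granted local Administrators rights only on the machines that need it, as in the follow-up above.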