In a Windows 2000–based Active Directory environment with Windows 2000 servers and clients, how can you enforce a policy that prevents any unsigned drivers from being installed on any computer in the domain?

Difficulty: Easy

Correct Answer: Configure a Group Policy for the domain that blocks all unsigned drivers

Explanation:


Introduction / Context:
Windows 2000 introduced Group Policy for centralized configuration. Driver signing policies determine whether unsigned kernel-mode drivers can be installed. To uniformly prevent unsigned drivers across the entire network, you must target a scope that includes all computers where enforcement is required, not just domain controllers.


Given Data / Assumptions:

  • All machines (servers and clients) are joined to the domain.
  • Goal: block any unsigned driver installation.
  • Admins can apply Group Policy Objects (GPOs) at domain or OU scopes.


Concept / Approach:

Driver signing policy is a computer configuration setting. To affect every computer, link a GPO at the domain level (or at a parent OU that contains all computers) that sets “Devices: Unsigned driver installation behavior” to “Do not allow.” Applying only to the Default Domain Controllers OU affects domain controllers only and leaves clients/servers unprotected. Configuring each machine manually is error-prone and inconsistent.


Step-by-Step Solution:

  • Create a GPO linked to the domain.
  • Navigate to Computer Configuration → Administrative Templates → System → Driver Installation.
  • Set the policy to block unsigned drivers (e.g., “Code signing for device drivers” to “Do not allow installation”).
  • Ensure all computers are within the policy scope and that security filtering allows application.


Verification / Alternative check:

Attempting to install an unsigned driver on a client subject to the domain GPO should fail with a policy-based block, confirming effective enforcement.


Why Other Options Are Wrong:

Default Domain Controllers OU: Affects only DCs, not all computers.

Manual per-machine settings: Not centralized; prone to drift.

Do nothing: Blocking is not the default; Windows 2000 permits unsigned drivers unless a policy is set.

None of above: Incorrect because a domain-linked GPO is the right method.


Common Pitfalls:

Forgetting to use computer configuration (not user); mis-scoping the GPO to a subset of machines.


Final Answer:

Configure a Group Policy for the domain that blocks all unsigned drivers
