Copy AD users from a child domain to a parent domain
Track interactive logins - Server 2008 R2
Hi
We are using a Server 2008 R2 DFL
I'm looking to detect "interactive" logins via a PowerShell script; however, I don't see an interactive logon property on user accounts.
I have searched online and see a group policy to show interactive logon messages, but didn't see clearly how to enable interactive login auditing of user accounts.
From what I can gather, I'd set a policy on domain controllers telling them to record interactive logins, and thereafter I can use PowerShell to fetch this information.
I can't seem to find the specific steps to toggle the auditing of interactive logins on within group policy.
Am I on the right track?
confuseis
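Added example for the question above, not code from the original post: the collection side of that plan, reading event 4624 and keeping only console, RDP and cached logons. Two facts shape it: the switch is the "Audit Logon" subcategory under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff (check the effective value with auditpol /get /subcategory:Logon), and 4624 is written to the Security log of the computer where the session is created, so a DC records only its own interactive logons and workstation logons must be read from the workstations or an event-forwarding collector. Assumptions: the computers to query are passed in (default is the local machine), and the caller has read access to their Security logs.

```powershell
# Added example, not code from the original post: list interactive (type 2),
# remote-interactive/RDP (type 10) and cached-interactive (type 11) logons
# recorded as event 4624 in the Security log of the given computers.
# Assumption: the computers to query are passed in; default is the local one.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)
$interactiveTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

foreach ($computer in $ComputerName) {
    # Server-side filter: only 4624 since $since, so the host is not asked for the whole log.
    $events = Get-WinEvent -ComputerName $computer `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
        -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "$($computer): no 4624 events found (logon auditing off, or no access)"
        continue
    }

    foreach ($e in $events) {
        # Read the EventData fields by name rather than by position in the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        if (-not $interactiveTypes.ContainsKey($type)) { continue }   # skip network/service/batch logons

        # New-Object keeps this runnable on PowerShell 2.0 (Server 2008 R2).
        New-Object PSObject -Property @{
            Computer  = $computer
            Time      = $e.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $interactiveTypes[$type]
            SourceIP  = $data['IpAddress']
            LogonId   = $data['TargetLogonId']   # pairs with event 4634/4647 at logoff
        }
    }
}
```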
Inheritance not working for one user
We have a file folder (FolderA) with inheritance enabled. UserA is the owner of the folder. The AD groups associated in advanced security settings are set like this:
Type   Principal       Access        Inherited From   Applies To
Allow  AD Group A      Modify        FolderB          This folder, subfolders and files
Allow  UserA           Full Control  FolderB          This folder only
Allow  Creator Owner   Full Control  FolderB          Subfolders and files only
Allow  Administrators  Modify        FolderB          This folder, subfolders and files
The checkbox "Only apply these permissions to objects and/or containers within this container" is NOT checked. I don't find that checked up the chain either.
When UserA drops any files into FolderA, the security on them is limited to UserA and Administrators. None of the users in AD Group A have any access to the files. I am certainly not very experienced with NTFS permissions, but that doesn't seem correct. When any other user who is a member of AD Group A drops files into FolderA, inheritance works.
Any ideas what might be wrong?
Manual Schema Upgrade from Windows Server 2008R2 to Windows Server 2012R2
I know the ADPREP process is integrated with 2012 R2 when you add the AD DS role on a Windows 2012 R2 server, but I need to do the ADPREP manually: we have 10-plus child domains and we're not ready to install Windows 2012 R2 DCs in all these domains. Our current schema version is Windows 2008 R2. The domain and forest functional levels are also Windows 2008 R2.
Here are the steps for ADPREP; please let me know if they're correct.
All DCs are Windows 2008 R2 64-bit.
- Copy the ADPREP folder from the Windows 2012 R2 disc to the Schema master DC in the root domain. (adprep path is <Media Drive:>\support)
- Log in to the Schema master DC as Administrator (member of Schema Admins and Enterprise Admins) and run: adprep /forestprep from the ADPREP folder
- Make sure the schema updates are replicated to the entire forest
- Copy the ADPREP folder to each child domain's PDC
- Log in to each child domain PDC as Administrator and run: adprep /domainprep from the ADPREP folder.
- Domain and forest functional levels will remain the same after ADPREP: Windows 2008 R2
- You are ONLY able to raise the domain and forest functional levels when there are NO more Windows 2008 R2 DCs. All DCs must be running Windows 2012 R2.
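Added example, not code from the original post: a check for the "make sure the schema updates are replicated" step, reading the version markers that adprep raises from every DC in the forest rather than trusting one DC. The Schema and Configuration partitions exist on every DC, so asking each DC directly shows whether /forestprep has replicated; the DomainUpdates marker lives in each domain and shows /domainprep. Assumptions: the expected schema objectVersion of 69 for Windows Server 2012 R2 (47 is 2008 R2) is taken from commonly documented reference tables, and the script runs with RSAT and rights to read all domains.

```powershell
# Added example, not from the original post: report schema/forest/domain
# preparation markers as seen by every DC in the forest.
# Assumption: expected objectVersion 69 = Windows Server 2012 R2 (47 = 2008 R2).
Import-Module ActiveDirectory

$expectedSchemaVersion = 69
$forest      = Get-ADForest
$rootDN      = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
$schemaDN    = "CN=Schema,CN=Configuration,$rootDN"
$forestUpdDN = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,$rootDN"

$results = foreach ($domain in $forest.Domains) {
    $domainDN    = (Get-ADDomain -Identity $domain).DistinguishedName
    $domainUpdDN = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDN"

    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            # Pin each query to the DC itself (-Server) instead of letting the
            # module pick any DC, otherwise replication lag stays invisible.
            $schema = Get-ADObject -Identity $schemaDN    -Server $dc.HostName -Properties objectVersion
            $fu     = Get-ADObject -Identity $forestUpdDN -Server $dc.HostName -Properties revision
            $du     = Get-ADObject -Identity $domainUpdDN -Server $dc.HostName -Properties revision
            New-Object PSObject -Property @{
                Domain          = $domain
                DC              = $dc.HostName
                OS              = $dc.OperatingSystem   # all must be 2012 R2 before raising FFL/DFL
                SchemaVersion   = $schema.objectVersion
                SchemaOK        = ($schema.objectVersion -eq $expectedSchemaVersion)
                ForestUpdateRev = $fu.revision           # raised by adprep /forestprep
                DomainUpdateRev = $du.revision           # raised by adprep /domainprep
            }
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Domain, DC |
    Format-Table Domain, DC, OS, SchemaVersion, SchemaOK, ForestUpdateRev, DomainUpdateRev -AutoSize

# Any DC whose SchemaVersion differs from the rest has not yet received the
# /forestprep changes; wait for replication (or repadmin /syncall) before /domainprep.
```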
Creation of Domain Trust with servers having same names on different domains.
I need to create a domain trust across two different domains. The issue is that I have servers with the same names in the two domains that I need to trust. I'll explain: Domain A with a server named CARS and Domain B with a server named CARS. However, these servers have different IPs and belong to different networks connected via a VPN link. My questions:
Possible problems?
Is it feasible without having to rename the servers? Too many users and shares to redo.
Any advice will be appreciated.
Maximum Password age Password Policies
Hello,
I would like to change the Maximum Password Age policy setting from 90 days to 14 days on a temporary basis; later it will go back to 90 days. The concern is how it will impact the users and what the best practices are for making this change.
For example, suppose the password policy is set to 14 days (from 90 days) on Monday 24th June. When will it take effect on end users? Will all users' password-expiry attributes be changed, so that they all reset their passwords after 14 days on a single day, or will passwords expire according to each user's password-last-set attribute value, so that users change their passwords within these 14 days based on that? And what about the users who changed their password on 1st June under the current policy, whose passwords would expire in August: will they have to change their password immediately, or after 14 days as per the policy?
Kindly suggest the best practices and recommendations to carry out this change without a big impact.
Thanks
Aatif Kungle
Regards, Aatif Kungle
Changing permission on NETLOGON /
Similar to this post -
I need to give another team access to NETLOGON so they can modify scripts in that share.
It's understood that I need to make the changes at \\DC\sysvol\mydomainname.com\scripts. And while those changes do work, they don't replicate to all the other DCs.
Do I need to log into each and every DC to make those changes?
Adding a replica domain controller failed (Additional Domain Controller)
Good morning. For many days I have been trying to add an additional domain controller (replica) to my customer's AD infrastructure. Unfortunately, when the wizard is trying to add the AD, an error appears: The wizard cannot gain access to the list of domains in the forest. The domain functional level is Windows 2012 (all servers in the domain are Windows 2012 R2). I checked that the file and printer sharing option is enabled (it is); I also checked the DNS records on the DCs and some more things about resolution, but I don't know why the error appears. I have read dcpromoui.log and here is a piece of it; can someone help me?
dcpromoui 1340.13AC 0000 11:49:26.537 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 1340.13AC 0001 11:49:26.537 C:\Windows\system32\wsmprovhost.exe
dcpromoui 1340.13AC 0002 11:49:26.538 file timestamp 11/21/2014 21:44:53.032
dcpromoui 1340.13AC 0003 11:49:26.538 C:\Windows\system32\dcpromocmd.dll
dcpromoui 1340.13AC 0004 11:49:26.538 file timestamp 05/23/2019 17:44:47.985
dcpromoui 1340.13AC 0005 11:49:26.538 local time 06/22/2019 11:49:26.538
dcpromoui 1340.13AC 0006 11:49:26.538 running Windows NT 6.3 build 9600 (BuildLab:9600.winblue_ltsb_escrow.190505-1600) amd64
dcpromoui 1340.13AC 0007 11:49:26.538 logging flags 0001007C
dcpromoui 1340.13AC 0008 11:49:26.538 Enter CbsGetUpdateInstallState
dcpromoui 1340.13AC 0009 11:49:26.538 The category is 0
dcpromoui 1340.13AC 000A 11:49:26.538 Enter FindRoleInfo
dcpromoui 1340.13AC 000B 11:49:26.538 Enter CheckIsServerCore
dcpromoui 1340.13AC 000C 11:49:26.538 It is not on server foundation
dcpromoui 1340.13AC 000D 11:49:26.538 HRESULT = 0x00000000
dcpromoui 1340.13AC 000E 11:49:26.538 Enter GetUpdateName
dcpromoui 1340.13AC 000F 11:49:26.538 Enter GetPackageName
dcpromoui 1340.13AC 0010 11:49:26.774 Package name for Microsoft-Windows-ServerCore-Package is Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384
dcpromoui 1340.13AC 0011 11:49:26.783 Enter CbsGetUpdateInstallState
dcpromoui 1340.13AC 0012 11:49:26.783 package name is Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384 and update name is DirectoryServices-DomainController
dcpromoui 1340.13AC 0013 11:49:27.453 HRESULT = 0x00000000
dcpromoui 1340.13AC 0014 11:49:27.454 Enter CbsIsRebootRequired
dcpromoui 1340.1294 0015 11:49:27.588 Enter GetProductTypeFromRegistry
dcpromoui 1340.1294 0016 11:49:27.590 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 1340.1294 0017 11:49:27.590 Enter RegistryKey::GetValue-String ProductType
dcpromoui 1340.1294 0018 11:49:27.590 ServerNT
dcpromoui 1340.1294 0019 11:49:27.590 prodtype : 0x3
dcpromoui 1340.1374 001A 11:49:32.758 Enter GetExistingAccountForComputerInReplicaDomain
dcpromoui 1340.1374 001B 11:49:32.758 START TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 1340.1374 001C 11:49:32.763 Enter Computer::RemoveLeadingBackslashes
dcpromoui 1340.1374 001D 11:49:32.765 Using empty constructor
dcpromoui 1340.1374 001E 11:49:32.765 Enter Computer::Refresh
dcpromoui 1340.1374 001F 11:49:32.765 Enter IsLocalComputer
dcpromoui 1340.1374 0020 11:49:32.765 Enter RefreshLocalInformation
dcpromoui 1340.1374 0021 11:49:32.765 Enter GetProductTypeFromRegistry
dcpromoui 1340.1374 0022 11:49:32.765 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 1340.1374 0023 11:49:32.765 Enter RegistryKey::GetValue-String ProductType
dcpromoui 1340.1374 0024 11:49:32.765 ServerNT
dcpromoui 1340.1374 0025 11:49:32.765 prodtype : 0x3
dcpromoui 1340.1374 0026 11:49:32.765 Enter GetSafebootOption
dcpromoui 1340.1374 0027 11:49:32.765 Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 1340.1374 0028 11:49:32.765 HRESULT = 0x80070002
dcpromoui 1340.1374 0029 11:49:32.765 returning : 0x0
dcpromoui 1340.1374 002A 11:49:32.765 Enter DetermineRoleAndMembership
dcpromoui 1340.1374 002B 11:49:32.766 Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 002C 11:49:32.766 Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 1340.1374 002D 11:49:32.766 Calling DsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 002E 11:49:32.766 lpServer : (null)
dcpromoui 1340.1374 002F 11:49:32.766 InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 1340.1374 0030 11:49:32.766 HRESULT = 0x00000000
dcpromoui 1340.1374 0031 11:49:32.766 MachineRole : 0x3
dcpromoui 1340.1374 0032 11:49:32.766 Flags : 0x1000000
dcpromoui 1340.1374 0033 11:49:32.766 DomainNameFlat : FARMACIACHAVEZ
dcpromoui 1340.1374 0034 11:49:32.766 DomainNameDns : farmaciachavez.local
dcpromoui 1340.1374 0035 11:49:32.766 DomainForestName : farmaciachavez.local
dcpromoui 1340.1374 0036 11:49:32.766 Enter IsDcInRepairMode
dcpromoui 1340.1374 0037 11:49:32.766 HRESULT = 0x00000000
dcpromoui 1340.1374 0038 11:49:32.766 Enter State::DetermineRunContext
dcpromoui 1340.1374 0039 11:49:32.767 Enter DS::GetPriorServerRole
dcpromoui 1340.1374 003A 11:49:32.767 Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 003B 11:49:32.767 Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 1340.1374 003C 11:49:32.767 Calling DsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 003D 11:49:32.767 lpServer : (null)
dcpromoui 1340.1374 003E 11:49:32.767 InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 1340.1374 003F 11:49:32.767 HRESULT = 0x00000000
dcpromoui 1340.1374 0040 11:49:32.767 OperationState : 0
dcpromoui 1340.1374 0041 11:49:32.767 PreviousServerState : 0
dcpromoui 1340.1374 0042 11:49:32.767 Enter Computer::GetNetbiosName
dcpromoui 1340.1374 0043 11:49:32.767 SVRSCZDCFCH
dcpromoui 1340.1374 0044 11:49:32.767 Enter Computer::GetRole SVRSCZDCFCH
dcpromoui 1340.1374 0045 11:49:32.767 role: 3
dcpromoui 1340.1374 0046 11:49:32.767 NT5_MEMBER_SERVER
dcpromoui 1340.1374 0047 11:49:32.767 Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 1340.1374 0048 11:49:32.767 Enter FS::GetPathSyntax C:\Windows\system32
dcpromoui 1340.1374 0049 11:49:32.767 HRESULT = 0x00000000
dcpromoui 1340.1374 004A 11:49:32.767 Enter State::SetMode STAGETWO
dcpromoui 1340.1374 004B 11:49:32.767 Enter State::SetOperation REPLICA
dcpromoui 1340.1374 004C 11:49:32.767 Enter GetCredentialsFunctInternal
dcpromoui 1340.1374 004D 11:49:32.767 Enter ShouldSkipCredentialsPage
dcpromoui 1340.1374 004E 11:49:32.767 Enter State::GetOperation REPLICA
dcpromoui 1340.1374 004F 11:49:32.767 using empty user domain name
dcpromoui 1340.1374 0050 11:49:32.767 Enter State::GetOperation REPLICA
dcpromoui 1340.1374 0051 11:49:32.771 Enter GetForestName farmaciachavez.local
dcpromoui 1340.1374 0052 11:49:32.771 Enter MyDsGetDcName
dcpromoui 1340.1374 0053 11:49:32.771 Enter MyDsGetDcName2
dcpromoui 1340.1374 0054 11:49:32.771 Calling DsGetDcName
dcpromoui 1340.1374 0055 11:49:32.771 ComputerName : (null)
dcpromoui 1340.1374 0056 11:49:32.771 DomainName : farmaciachavez.local
dcpromoui 1340.1374 0057 11:49:32.771 DomainGuid : (null)
dcpromoui 1340.1374 0058 11:49:32.771 SiteName : (null)
dcpromoui 1340.1374 0059 11:49:32.771 Flags : 0x40000000
dcpromoui 1340.1374 005A 11:49:32.772 HRESULT = 0x00000000
dcpromoui 1340.1374 005B 11:49:32.772 DomainControllerName : \\PDCSVRFCH.farmaciachavez.local
dcpromoui 1340.1374 005C 11:49:32.772 DomainControllerAddress : \\192.168.0.16
dcpromoui 1340.1374 005D 11:49:32.772 DomainGuid : {7861FD9E-4A7E-4B4C-9A40-79EE5406035C}
dcpromoui 1340.1374 005E 11:49:32.772 DomainName : farmaciachavez.local
dcpromoui 1340.1374 005F 11:49:32.772 DnsForestName : farmaciachavez.local
dcpromoui 1340.1374 0060 11:49:32.772 Flags : 0xE000F3FD:
dcpromoui 1340.1374 0061 11:49:32.772 DcSiteName : Default-First-Site-Name
dcpromoui 1340.1374 0062 11:49:32.772 ClientSiteName : Default-First-Site-Name
dcpromoui 1340.1374 0063 11:49:32.772 using forest name farmaciachavez.local
dcpromoui 1340.1374 0064 11:49:32.772 Enter State::GetOperation REPLICA
dcpromoui 1340.1374 0065 11:49:32.772 Enter State::SetForestName farmaciachavez.local
dcpromoui 1340.1374 0066 11:49:32.773 Enter State::SetTargetDomainName farmaciachavez.local
dcpromoui 1340.1374 0067 11:49:32.773 Enter CheckUserIsLocal
dcpromoui 1340.1374 0068 11:49:32.773 Enter State::GetOperation REPLICA
dcpromoui 1340.1374 0069 11:49:32.773 Enter State::ReadDomains
dcpromoui 1340.1374 006A 11:49:32.773 Enter State::GetTargetDomainName
dcpromoui 1340.1374 006B 11:49:32.773 Enter State::GetOperation REPLICA
dcpromoui 1340.1374 006C 11:49:32.773 target domain name: farmaciachavez.local
dcpromoui 1340.1374 006D 11:49:32.773 Enter CDomains::ReadDomains
dcpromoui 1340.1374 006E 11:49:32.773 Enter MyDsEnumerateDomainTrusts
dcpromoui 1340.1374 006F 11:49:32.773 Enter GetDcName
dcpromoui 1340.1374 0070 11:49:32.773 Enter GetDcName2
dcpromoui 1340.1374 0071 11:49:32.773 Enter MyDsGetDcName2
dcpromoui 1340.1374 0072 11:49:32.773 Calling DsGetDcName
dcpromoui 1340.1374 0073 11:49:32.773 ComputerName : (null)
dcpromoui 1340.1374 0074 11:49:32.773 DomainName : farmaciachavez.local
dcpromoui 1340.1374 0075 11:49:32.773 DomainGuid : (null)
dcpromoui 1340.1374 0076 11:49:32.773 SiteName : (null)
dcpromoui 1340.1374 0077 11:49:32.773 Flags : 0x40000011
dcpromoui 1340.1374 0078 11:49:32.879 HRESULT = 0x00000000
dcpromoui 1340.1374 0079 11:49:32.879 DomainControllerName : \\SVRCBBDCFCH.farmaciachavez.local
dcpromoui 1340.1374 007A 11:49:32.879 DomainControllerAddress : \\192.168.19.35
dcpromoui 1340.1374 007B 11:49:32.879 DomainGuid : {7861FD9E-4A7E-4B4C-9A40-79EE5406035C}
dcpromoui 1340.1374 007C 11:49:32.879 DomainName : farmaciachavez.local
dcpromoui 1340.1374 007D 11:49:32.879 DnsForestName : farmaciachavez.local
dcpromoui 1340.1374 007E 11:49:32.879 Flags : 0xE000F1FC:
dcpromoui 1340.1374 007F 11:49:32.879 DcSiteName : Default-First-Site-Name
dcpromoui 1340.1374 0080 11:49:32.879 ClientSiteName : Default-First-Site-Name
dcpromoui 1340.1374 0081 11:49:32.879 Enter Computer::RemoveLeadingBackslashes \\SVRCBBDCFCH.farmaciachavez.local
dcpromoui 1340.1374 0082 11:49:32.879 SVRCBBDCFCH.farmaciachavez.local
dcpromoui 1340.1374 0083 11:49:32.879 Enter AutoWNetConnection::Init
dcpromoui 1340.1374 0084 11:49:32.879 Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 1340.1374 0085 11:49:32.879 The current user security context is being used therefore there is no need to establish a connection.
dcpromoui 1340.1374 0086 11:49:32.879 HRESULT = 0x00000000
dcpromoui 1340.1374 0087 11:49:54.894 NetStatus = 1722
dcpromoui 1340.1374 0088 11:49:54.894 Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 1340.1374 0089 11:49:54.894 HRESULT = 0x800706BA
dcpromoui 1340.1374 008A 11:49:54.894 HRESULT = 0x800706BA
dcpromoui 1340.1374 008B 11:49:54.894 HRESULT = 0x800706BA
dcpromoui 1340.1374 008C 11:49:54.894 failed trying to read domains, returned 0x800706BA
dcpromoui 1340.1374 008D 11:49:54.897 Enter GetErrorMessage 800706BA
dcpromoui 1340.1374 008E 11:49:54.897 GetExistingAccountForComputerInReplicaDomain error message: The wizard cannot gain access to the list of domains in the forest.
This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171
The error is:
The RPC server is unavailable.
dcpromoui 1340.1374 008F 11:49:54.898 Test Failed
dcpromoui 1340.1374 0090 11:49:54.898 GetExistingAccountForComputerInReplicaDomain returns exit code: 26
dcpromoui 1340.1374 0091 11:49:54.898 END TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 1340.1374 0092 11:49:54.898 Enter State::UnbindFromReplicationPartnetDC
Thanks in advance
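Added example for the log above, not code from the original post: the failing step is DsEnumerateDomainTrusts against SVRCBBDCFCH (192.168.19.35), which returned NetStatus 1722 / 0x800706BA ("The RPC server is unavailable"), and that DC is not the one the earlier PDC lookup returned, so the script tests DNS, the fixed ports, a real call through the RPC endpoint mapper and the same Netlogon trust enumeration, pinned to each DC. Assumptions: it runs on the prospective replica, the domain and DC names are taken from the log, and the dynamic RPC range quoted is the Windows Server 2008-and-later default.

```powershell
# Added example, not from the original post: reproduce the failing trust
# enumeration and test the connectivity it depends on, per existing DC.
# Assumption: names below come from the log above; adjust for another forest.
param(
    [string]$Domain = 'farmaciachavez.local',
    [string[]]$DCs  = @('PDCSVRFCH.farmaciachavez.local', 'SVRCBBDCFCH.farmaciachavez.local')
)
# Ports a replica promotion needs on each existing DC: DNS, Kerberos, RPC endpoint
# mapper, LDAP, SMB (Netlogon named pipe), kpasswd, LDAPS, global catalog.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268

# 1. The DC locator records must exist and name the DCs the wizard will talk to.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

foreach ($dc in $DCs) {
    $ip = (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue).IPAddress
    "{0} resolves to {1}" -f $dc, $(if ($ip) { $ip -join ', ' } else { 'NOTHING (DNS problem)' })

    # 2. Fixed ports. A closed 135 or 445 is enough to produce error 1722.
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        "  tcp/{0,-5} {1}" -f $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }

    # 3. The dynamic RPC range (49152-65535 on Windows Server 2008 and later)
    #    cannot be probed port by port; instead make a real RPC call that goes
    #    through the endpoint mapper. WMI over DCOM does exactly that.
    $wmi = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc -ErrorAction SilentlyContinue
    "  RPC via endpoint mapper: {0}" -f $(if ($wmi) { "ok ($($wmi.Caption))" } else { 'FAILED (1722-style)' })

    # 4. Same Netlogon call the wizard makes (trust enumeration), pinned to this DC.
    $out = nltest "/server:$dc" /trusted_domains 2>&1
    "  DsEnumerateDomainTrusts: {0}" -f $(if ($LASTEXITCODE -eq 0) { 'ok' } else { ($out | Select-Object -Last 1) })
}
```

A DC that resolves and answers on 135 but fails step 3 points at the dynamic range being filtered between the sites; one that fails step 2 on 445 matches the Netlogon path the log shows failing.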
AD FS and AD Connect
Azure AD Connect Setup won't install on Windows Server 2008R2
It keeps telling me that PowerShell 3.0 is not installed: "Install Windows Management Framework 4.0 and .NET Framework 4.5.1 before continuing with installation."
I have downloaded each of the packages, attempted to install them but they all tell me that it's not needed or already installed.
for .NET Framework 4.5 -> Same or higher version of .NET Framework 4.5 has already been installed on this computer.
for Windows6.0-KB2506146-x64 -> The update is not applicable to your computer.
for .NET Framework 4 -> Same or higher version of .NET Framework 4 has already been installed on this computer.
I'm trying to run the Microsoft Office 365 Hybrid Configuration Wizard which needs the AzureADConnect.msi to be installed.
W2K16 Accidentally installed AD on Dynamic IP
I accidentally installed AD on W2K16 prior to changing to a static IP. Is there anything broken that I will need to fix? I changed the DNS records for the server but don't know if there is anything else I will need to change or fix once I move it to the correct IP.
TIA!
Restrict Privileged Domain Groups
Hi Support,
I want to customize the permissions of the domain groups below. For example, if I have assigned Backup Operators to one of the admins, after that they can only manage the backup part and are restricted from doing anything related to Active Directory users, groups, computers, group policies, etc.
Second, if I have assigned RDP access, after that the admin can't make any changes to Active Directory or any other services.
- Enterprise Admins
- Domain Admins
- Schema Admin
- BUILTIN\Administrators
- Account Operators
- Backup Operators
- Print Operators
- Server Operators
- Domain Controllers
- Read-only Domain Controllers
- Group Policy Creators Owners
- Cryptographic Operators
password expiry
Hi Experts
We have a standard group policy for password expiry of 3 months, but I have seen a few users get the password expiry prompt before 3 months. I checked one user in ADSI Edit and I can see his password was last changed one month ago while the GPO says 3 months, yet he got the password expiry prompt. Experts, please guide me on this.
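Added example, not code from either post, serving both the "Maximum Password age" question earlier on this page and the "password expiry" question above: AD stores no expiry date, it recomputes PasswordLastSet plus the MaxPasswordAge of whichever policy governs the user (a fine-grained password policy if one applies, otherwise the default domain policy) on every check, so lowering the maximum to 14 days expires every user whose password is already older than 14 days at the moment the new policy is effective, and a user prompted "early" under a 3-month GPO is usually governed by a PSO with a shorter age. The script shows the effective policy per user and previews who would be expired by a proposed maximum. Assumptions: the proposed value of 14 days is the one from the first post, and the search base defaults to the whole domain.

```powershell
# Added example, not from the original posts: per-user effective password
# policy, computed expiry, and the impact of a proposed shorter maximum age.
# Assumption: 14 days is the value from the post; whole domain when no base given.
param(
    [int]$ProposedMaxAgeDays = 14,
    [string]$SearchBase
)
Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
$now = Get-Date

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -SearchBase $SearchBase -Properties PasswordLastSet, PasswordExpired

$report = foreach ($u in $users) {
    # A PSO (fine-grained policy) overrides the default domain policy for its
    # members; that is the usual reason a user is prompted before the GPO value.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    if ($pso) { $policy = $pso.Name; $maxAge = $pso.MaxPasswordAge }
    else      { $policy = 'Default Domain Policy'; $maxAge = $defaultPolicy.MaxPasswordAge }

    # PasswordLastSet is empty when the password was never set or the
    # "must change at next logon" flag is on; such users expire regardless.
    $currentExpiry  = if ($u.PasswordLastSet) { $u.PasswordLastSet + $maxAge } else { $null }
    $proposedExpiry = if ($u.PasswordLastSet) { $u.PasswordLastSet.AddDays($ProposedMaxAgeDays) } else { $null }

    New-Object PSObject -Property @{
        User            = $u.SamAccountName
        EffectivePolicy = $policy
        MaxAgeDays      = $maxAge.Days
        PasswordLastSet = $u.PasswordLastSet
        CurrentExpiry   = $currentExpiry
        ProposedExpiry  = $proposedExpiry
        ExpiredNow      = $u.PasswordExpired
        # True for users who would be forced to change on day one of the new policy.
        ExpiredOnChange = ($proposedExpiry -ne $null -and $proposedExpiry -le $now)
    }
}

$report | Sort-Object ProposedExpiry |
    Format-Table User, EffectivePolicy, MaxAgeDays, PasswordLastSet, ProposedExpiry, ExpiredOnChange -AutoSize

$hit = @($report | Where-Object { $_.ExpiredOnChange }).Count
"{0} of {1} users would be expired immediately by a {2}-day maximum; the rest expire on their own ProposedExpiry date." -f `
    $hit, @($report).Count, $ProposedMaxAgeDays
```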
My manually added local administrators get replaced by GPO - can they append instead?
Hey,
we're currently struggling with planning our new domain strategy.
We sometimes have the situation where we need to give an external service company local administrator rights on a server. The entry is replaced after the server GPO is applied again.
Do you have an idea how to make the GPO append to the groups instead?
Regards,
Paul
Windows Server 2012 R2 - software permissions not working, unwanted admin user and password prompt
I have a network of computers with Windows Server 2012 R2 and Windows 8.1 pro as clients.
On the server I have Active Directory, and I don't understand why, every time I try to run an executable, Windows asks me for an administrator user and password.
I have configured software policies in User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\Security Levels - Unrestricted. So all applications should install without a user and password prompt.
The file I must execute is named siui_extra_setup_4.2.9.exe and is found on the client computer in the directory C:\Program Files (x86)\SIUI-Extra\updates.
I also added:
- a "Hash rule" unrestricted for this file
- and a "Path rule" unrestricted for the path C:\Program Files (x86)\SIUI-Extra\updates\*.*
How can I skip this user and password prompt?
This is the full policy extracted with gpresult from a computer with this problem: http://cc123.caido.ro/gpreport2.html
Multi-Site Environment : Clients randomly grabbing wrong LOGONSERVER and causing major issues
Good morning,
First off, let me fill you in on my environment. I manage the Windows environment for Pre-K through 12th grade public education. For some reason some of our clients are getting the wrong logon server, which, when it happens, always ends up being the Pre-K domain server. All of our other DCs/sites are connected across town by a 10-gig fiber backbone, yet this one is connected through a 1-to-1 NAT slow internet connection... yet the few times this happens and the LOGONSERVER is incorrectly selected, it's ALWAYS this site.
I'll show you our site links / costs / replication intervals if that helps... but I'm at a loss from staring at this too long and I'm sure I'm overlooking something obvious.
Any Input/Suggestions are greatly appreciated!
Thank you!
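Added example, not code from the original post: the check a practitioner would run first here. DC Locator maps a client's IP to a site through the subnet objects in Sites and Services (longest matching prefix wins); a client whose IP matches no subnet object has no site and accepts whichever DC answers first, which is one classic way a "random" client lands on the DC behind the slow link. The script maps given client IPs the same way and lists the DCs of the resulting site. Assumptions: the affected clients' IPv4 addresses are passed in (the default is a constructed sample), and only the current domain's DCs are listed.

```powershell
# Added example, not from the original post: map client IPs to AD sites as
# DC Locator does and show which DCs that site offers.
# Assumption: 10.20.30.40 is a constructed sample; pass real client IPs.
param([string[]]$ClientIP = @('10.20.30.40'))
Import-Module ActiveDirectory

function ConvertTo-BitString([string]$ip) {
    # 32-character binary string so prefix comparison is a plain Substring check.
    ([System.Net.IPAddress]::Parse($ip).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
}

# Every IPv4 subnet object from Sites and Services with the site it belongs to.
$subnets = foreach ($s in Get-ADReplicationSubnet -Filter * -Properties Site) {
    $net, $prefix = $s.Name -split '/'
    if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # IPv6 not handled here
    New-Object PSObject -Property @{
        Subnet = $s.Name
        Prefix = [int]$prefix
        Bits   = ConvertTo-BitString $net
        Site   = if ($s.Site) { (($s.Site -split ',')[0] -replace '^CN=', '') } else { '(no site assigned)' }
    }
}

$dcs = Get-ADDomainController -Filter *   # assumption: current domain only

foreach ($ip in $ClientIP) {
    $bits  = ConvertTo-BitString $ip
    # Longest matching prefix wins, as in DC Locator.
    $match = $subnets |
        Where-Object { $bits.Substring(0, $_.Prefix) -eq $_.Bits.Substring(0, $_.Prefix) } |
        Sort-Object Prefix -Descending | Select-Object -First 1

    if (-not $match) {
        "{0}: matches NO subnet object -> no site, any DC in the domain may answer" -f $ip
        continue
    }
    "{0}: subnet {1} -> site {2}" -f $ip, $match.Subnet, $match.Site
    $siteDCs = $dcs | Where-Object { $_.Site -eq $match.Site }
    if ($siteDCs) {
        $siteDCs | ForEach-Object { "    DC in site: {0} ({1})" -f $_.HostName, $_.IPv4Address }
    } else {
        # Automatic site coverage: the DC from the closest site by link cost
        # registers itself for this site; check that it is not the Pre-K DC.
        "    site {0} has no DC of its own; covered by the cheapest neighbouring site" -f $match.Site
    }
}
# On an affected client, compare with what the locator actually chose:
#   nltest /dsgetdc:<domain> /force    and    set LOGONSERVER
```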
Query on creating the Active Directory Trust
Hi All,
We have just bought a new company which is in a different forest. Let's call our company domain A and the newly bought company domain B.
We have our network connectivity in place and we are planning to add conditional forwarders. We have created the domain B users in domain A. But there are still resources in domain B that need to be accessed by the newly migrated domain A users. I need to understand the things below before we create a trust in domain A.
1. What type of trust do I need to create in domain A? External or forest?
2. What direction of trust should I create in domain A? One-way incoming or outgoing (my understanding is incoming)
3. What type of trust and direction should we create in domain B?
Thanks in Advance!
Firewall Rule for ADC
I am adding a new domain controller which is in a remote location, and they have a Windows firewall in place. I created a rule on an existing domain controller (allow all ports, all programs from the remote IP of the new domain controller) and vice versa on the new domain controller. In the prerequisite check I am getting the error below.
"""
Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain catcos!!@.org.
Exception: The RPC server is unavailable.
Adprep could not retrieve data from the server SERVER2.catcos!!@.org. through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20190629173707-test directory for possible cause of failure.
"""
To check if this is related to a firewall issue, I turned off the firewall on the existing domain controller and all went green with no errors.
Question: why is the firewall blocking the traffic when I have a rule that allows all inbound traffic for that server?
Failed to prepare Window servers for domain rename
Failed to prepare FU-HQ-SVR1.XYZ.com : 1753
Failed to prepare DR-FU-HQ-SVR1.XYZ.com : 1825
Failed to prepare FU-BERSEVER.XYZ.com : 1753
Failed to prepare FU-OBULENZISVR.XYZ.com : 1753
Waiting for DCs to reply.
Waiting for DCs to reply.
Waiting for DCs to reply.
Waiting for DCs to reply.
Waiting for DCs to reply.
Failed to prepare headoffice.XYZ.com: 30012
Failed to find PSN LDAP/DR-VFU-HQ-SVR1.XYZ.com/TrueAfrican.com on CN=DR-VFU-HQ-SVR1, OU=Domain Controllers, DC=XYZ, DC=com
5 servers contacted, 5 servers returned Errors
Removing Domain Controllers OU
As per the recommendations and best-practice guidelines from Microsoft, one customer has disabled the built-in "Administrator" account for security reasons.
However, the customer, for the same security reasons, has also deleted the built-in "Domain Controllers" OU from the DCs. Their justification is that an attacker can always target the "Domain Controllers" OU which, just like the built-in "Administrator" account, is present on all DCs by default.
What the customer has done is the following:
--- 1 --> Create a new OU named "GoodServers"
--- 2 --> Moved all DCs to the new OU "GoodServers"
--- 3 --> Linked/Associated the Default Domain Controllers Policy (DDCP) to the new OU "GoodServers"
--- 4 --> Linked and Enforced the Default Domain Policy to the new OU "GoodServers"
My question is: is this recommended? Does it do any good?
What are the reasons for not playing with the Domain Controllers OU?
I wish to have opinions/comments from the Active Directory experts. Thanks a lot!