Active Directory Notes

The document provides recommendations from Microsoft on best practices for securing Active Directory installations. It recommends that changes to password policy, account lockout policy, and Kerberos policy should be made directly in the Default Domain Policy or Default Domain Controllers Policy. It advises creating new GPOs rather than modifying these default policies and linking them to the appropriate scope. It also describes how to recover missing or corrupt default policies using the Dcgpofix tool.

Uploaded by bczeon27

The best practice recommendation from Microsoft is as follows:

To accommodate APIs from previous versions of the operating system that
make changes directly to default GPOs, changes to the following security
policy settings must be made directly in the Default Domain Policy GPO or in
the Default Domain Controllers Policy GPO:

 · Default Domain Security Policy Settings:
   o Password Policy
   o Domain Account Lockout Policy
   o Domain Kerberos Policy
 · Default Domain Controller Security Policy Settings:
   o User Rights Assignment Policy
   o Audit Policy

Source: Best Practice Guide for Securing Active Directory Installations
(https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx)

If you want to apply other settings at the domain root level or to the Domain
Controllers OU then you should create new GPOs and link them to the
appropriate scope of management. The ordering of the GPOs shouldn’t really
matter as you should have no overlapping settings. As a general rule of
thumb, however, I would recommend assigning any new GPOs a higher
precedence in case someone starts using the default GPOs for settings that
are not on the “approved” list above. That way the new GPOs will win in any
conflict.

Another reason to limit the settings in the default GPOs is to allow them to
be re-created with minimal re-work in scenarios where they have gone
missing or are corrupt and you don’t have a good backup. The method by
which you can re-create the GPOs is using a tool called DCGPOFIX.EXE
(https://technet.microsoft.com/en-us/library/hh875588.aspx). Bear in mind
that this tool is a last resort following a major issue or disaster and you
should really ensure you have good GPO backups, as per this article:

If you are in a disaster recovery scenario and you do not have any backed
up versions of the Default Domain Policy or the Default Domain Controller
Policy, you may consider using the Dcgpofix tool. If you use the Dcgpofix
tool, Microsoft recommends that as soon as you run it, you review the
security settings in these GPOs and manually adjust the security settings to
suit your requirements. A fix is not scheduled to be released because
Microsoft recommends you use GPMC to back up and restore all GPOs in
your environment. The Dcgpofix tool is a disaster-recovery tool that will
restore your environment to a functional state only. It is best not to use it as
a replacement for a backup strategy using GPMC. It is best to use the
Dcgpofix tool only when a GPO back up for the Default Domain Policy and
Default Domain Controller Policy does not exist.

Source: https://support.microsoft.com/en-us/kb/833783
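
As an added example (not part of these notes or of Microsoft's own guidance), the following PowerShell creates a separate domain-level GPO, links it above the Default Domain Policy so it wins any conflict, and takes the GPO backup that keeps Dcgpofix a last resort. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a domain-admin session, and placeholder values for the GPO name and backup path.

```powershell
# Added example: keep the default GPOs limited to the approved settings and put
# everything else in a new GPO linked ABOVE the Default Domain Policy.
# Assumes GroupPolicy + ActiveDirectory modules and a domain-admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=corp,DC=example
$gpoName  = 'Domain - Additional Security Settings'     # placeholder name

# 1. Create the new GPO; the Default Domain Policy is left untouched.
$gpo = New-GPO -Name $gpoName -Comment 'Settings not on the approved default-GPO list'

# 2. Link it at the domain root. Link order 1 is processed last at that scope,
#    so it has the highest precedence and wins over the Default Domain Policy.
New-GPLink -Guid $gpo.Id -Target $domainDn -LinkEnabled Yes -Order 1 | Out-Null

# 3. Verify the resulting link order at the domain root.
Get-GPInheritance -Target $domainDn |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 4. Back up every GPO with GPMC's cmdlet so a real restore is always possible.
$backupDir = 'C:\GPOBackups'                             # placeholder path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir -Comment ("Baseline " + (Get-Date -Format 'yyyy-MM-dd'))

# Disaster recovery only, when no backup of the default GPOs exists:
#   dcgpofix /target:Both
# and then re-review the security settings in both default GPOs by hand.
```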

The Default Domain Controllers Policy is linked at the Domain Controllers OU, so it is an OU-level
policy and supersedes the Default Domain Policy where the two conflict.

Yes you can do this by putting a BLOCK INHERITANCE on that Domain Controller's GPO.
After doing that you can load all the policies that would apply to those GPOs and put your GPO
with the accounts you want set on top. So it could be in this order:

1. Desired Account Setup GPO
2. Default Domain Controller GPO
3. Default Domain GPO

Above that you can apply any other GPOs you need but ensure you are still putting on all the
upper level GPOs to make sure they are in the order you want.

Restore domain policy

This will restore both domain and domain controller policy
https://www.youtube.com/watch?v=iS_DV_zH5aU

Processing Order of GPO

Local < Site < Domain < OUs
https://www.youtube.com/watch?v=NlVFByPQA18

GPOs linked to the same container are applied in reverse link order: Link 2 applies first, then
Link 1, so Link 1 overrides Link 2 wherever the two conflict.
An OU can use Block Inheritance to prevent the settings configured at the levels processed before it
(site and domain) from being applied.
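
As an added example serving both the forum answer above and these processing-order notes (code from neither source), this PowerShell blocks inheritance on the Domain Controllers OU, puts a custom GPO at link order 1, and prints the precedence that Get-GPInheritance reports before and after. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a domain-admin session, and an existing placeholder GPO named 'Desired Account Setup'.

```powershell
# Added example: apply the processing order (Local < Site < Domain < OU, reverse
# link order within a container) on the Domain Controllers OU.
# Assumes GroupPolicy + ActiveDirectory modules and a domain-admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcOu    = (Get-ADDomain).DomainControllersContainer    # OU=Domain Controllers,DC=...
$gpoName = 'Desired Account Setup'                      # placeholder, assumed to exist

function Show-GpoPrecedence([string]$Target) {
    # Get-GPInheritance lists the links the container will apply, highest precedence first.
    $inh = Get-GPInheritance -Target $Target
    "Target: $Target  (inheritance blocked: $($inh.GpoInheritanceBlocked))"
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, @{n = 'LinkedAt'; e = { $_.Target }} |
        Format-Table -AutoSize | Out-String
}

# Before: domain links (Default Domain Policy, anything else at the root) are inherited.
Show-GpoPrecedence $dcOu

# 1. Link the custom GPO at order 1 on the OU: processed last, so it wins within the OU
#    and sits above the Default Domain Controllers Policy.
New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue | Out-Null
Set-GPLink -Name $gpoName -Target $dcOu -Order 1 | Out-Null

# 2. Block inheritance: non-enforced links from the domain and site no longer apply here.
Set-GPInheritance -Target $dcOu -IsBlocked Yes | Out-Null

# After: only the OU's own links plus any ENFORCED links from above remain. An enforced
# domain link (Set-GPLink ... -Enforced Yes) ignores the block and also outranks the OU's
# links, so re-check the list instead of assuming the OU GPO wins.
Show-GpoPrecedence $dcOu
```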

Enforce group policy
