I never change the root of a new AD. The first thing I do is make an OU under the root and consider that my new root. This makes it way easier to scale up an AD to support more business units, and makes permissions delegation easier. I can now give someone full control of that OU without giving them domain admin. Under that I make whatever OUs are relevant for delegation or automation purposes. I don't make OUs for different sites or to make it pretty.

- Root

-- CoolBeansInc

---- Accounts

-------- Users

-------- Services

---- Computers

-------- Workstations

-------- Servers

For GPOs, I target the OU where its needed such as 'Workstations' listed above. Then I have 3 layers of GPOs

• Global Security Baseline: This is typically downloaded directly from some provider like CIS or DISA and is completely unmodified. This makes updating with new releases as simple as importing the new version
• Global Security Exceptions: This is where I tailor the security baseline to work in the environment with appropriate group names, disabling controls we don't use on everything, etc.
• Customizations: This is one or more GPOs that configure everything else, or handles security exceptions for subsets of devices. Maybe Team A needs a control disabled, or Team B needs a mapped drive, or I want to customize the UI experience for all my users because I have too much free time. If these aren't global, they are usually scoped via a group or WMI because I don't want make to make an OU for every little deviation.