Hi,
ad1: object is currently locked.
ad2: This is quiet a very complicated topic, indeed. For some insight you might have a look here.
ad3: For AD you should not change the default primary group to anything else than “domain users”. Loads of links tell this, even though I did not find a MS document telling this. In short: do not change primary group. It will break things!
So far I would guess you installation is fine.
/CV