Less default permissions for Authenticated Users & Domain Users
As a defense-in-depth measure, it would be great to apply POLA to Authenticated Users & domain users group, so that no single user can enumerate more than they require. It would help in the Reconnaissance phase of an attack.
It seems like these are enough for an Authenticated User (1):
* Read gPLink
* Read gPOptions
* List Contents
* Read permissions