All of the below changes can be made to this one policy.

Create a new policy in the SBSComputers OU called "Restricted Groups" and in the Delegation tab, take away "Apply Group Policy" from Authenticated Users, and give that permission to "Domain Computers".

Add the groups in Computer Configuration >> Windows Settings >> Security Settings >> Restricted Groups

Local Administrator

If you don't have any application which absolutely requires users to have Administrative rights, do not give them this rights.

Group: BUILTIN\Administrators
Members: DOMAIN\Domain Admins

Remote Desktop Users

So that you don't have to go to each PC and turn on remote control, and pick and choose which users are allowed to connect. If everyone is trusted, then add the following restricted group:

Group: BUILTIN\Remote Desktop Users
Members: DOMAIN\Domain Users