I'm setting up a helpdesk person with RSAT and then delegation for password resetting and when installing RSAT I noticed that ANY domain user can install RSAT and see every OU, which users are disabled, and other stuff.

Obviously the permissions aren't present such that they can change anything, but I'd rather not have this as a possibility if that makes sense haha... is this standard practice for any domain account to be able to see every group/user/etc?

2 Answers

This is normal. Knowing that a resource in a corporate environment exists is generally not a security problem. Don't try and "fix" this.

longneck


Per the above, ANY domain user can view accounts by running some PowerShell, or net user /domain in a command prompt, or running an LDAP tool. AD is a directory service - accounts are supposed to be visible to anyone. LDAP was originally used a lot of the time back in the day to provide a directory service for email or even simply an address/telephone directory. That's its primary function (as with X.500, which LDAP derives from).

There are some objects and properties that are hidden by default from normal users. Don't mess with them either.

There are times when you may want to change permissions on single attributes to hide them (such as if you store birthdate), but this should not be done on the default accountname and similar attributes (it's often best to create a custom user attribute in the schema for that kind of purpose).

LeeM

  • The helpdesk user (as well as users from other OUs I've tried) can't use PowerShell or "net user /domain" to see user info or change passwords, which led me to try RSAT. They get "Access denied" – GlenRunciter Jan 16 '20 at 12:53
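Before deciding whether a given attribute (the birthdate example above, or a custom schema attribute) is safe to populate, it helps to see exactly which principals the ACL already lets read it. The following is an added example written for this page, not code from either answer; it assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name and attribute name passed in are placeholders for your own.

```powershell
# Added example: list the ACEs on an AD object that allow reading a given attribute.
# Assumes the RSAT ActiveDirectory module (and its AD:\ drive) is available.
Import-Module ActiveDirectory

function Get-AttributeReaders {
    param(
        # Placeholder DN, e.g. "OU=Staff,DC=example,DC=com"
        [Parameter(Mandatory)][string]$ObjectDN,
        # lDAPDisplayName of the attribute to check, e.g. "employeeID"
        [Parameter(Mandatory)][string]$AttributeName
    )

    # Resolve the attribute's schemaIDGUID (used in attribute-specific ACEs) and its
    # attributeSecurityGUID (the property set it belongs to, if any). An ACE can
    # grant read on either one, or on all properties via an empty ObjectType GUID.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $schemaObj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
        -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $schemaObj) { throw "Attribute '$AttributeName' not found in schema" }

    $matchGuids = @([guid]::Empty, [guid]$schemaObj.schemaIDGUID)
    if ($schemaObj.attributeSecurityGUID) {
        $matchGuids += [guid]$schemaObj.attributeSecurityGUID
    }

    $readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $acl = Get-Acl -Path "AD:\$ObjectDN"

    # GenericRead and GenericAll both include the ReadProperty bit, so a bitwise
    # test catches them as well as explicit ReadProperty grants.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $readProp) -ne 0) -and
        ($matchGuids -contains $_.ObjectType)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritanceType, IsInherited
}

# Example call (placeholders): shows which identities, including Authenticated Users
# or Pre-Windows 2000 Compatible Access, can read the attribute on objects under the OU.
Get-AttributeReaders -ObjectDN "OU=Staff,DC=example,DC=com" -AttributeName "employeeID"
```

Deny ACEs and membership-based effective access are not evaluated here, so treat the output as the list of grants to review rather than a final effective-permissions verdict.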