We have created a "Enumerate Permissions Only" permission policy level in CA.   This is for our security team to provision access to SharePoint sites, libraries and lists using AD Groups.   Some of our SharePoint sites, libraries and lists contain sensitive information, and the if the SharePoint Group has "Who can view the membership of the group" to "Members only" the Security Team cannot view the entries of AD Groups or specific user in those SharePoint Groups.  90-95% or access to our SharePoint is via AD Groups.  Other than granting the "Manage Permissions" Policy to the 'Enumerate Permission Only Policy level in CA, or adding the Security Team AD Group to every SharePoint Group that does not allow 'Everyone' to view members I am at a loss on how to allow the Security Team AD Group to view locked down SharePoint group members.