So, you get 25 free sandboxes now. Cool! Now with great power comes great responsibility - don't stuff it up! 

Naming

Set a Naming Convention for your orgs. 

Process

Write up a process for how you refresh a Sandbox in your org. 

Data

You get one Partial Data sandbox - this may not be good enough, depending on the type of data that is needed for the testing you need to do. But try it out first. There are a plethora of apps to populate your sandboxes and they start from around US$150/month. But that is chicken feed if you want to get a consistent sandbox setup happening. 

Steps

Setup > Deploy > Sandboxes

For a partial, you need to create a Sandbox Template first. 

Create a new or refresh an existing Sandbox. 

Wait for it to be completed (could take a few days, so be prepared, but usually an hour or so). 

After Sandbox is Completed

Login - NOTE: Only the user that created the Sandbox can log in at this stage. 

Enter the verification code that has been emailed / texted to you. 

Now go to each user that will be using this sandbox and fix their email addresses back to their proper email addresses. They will get an email. 

Now, deactivate any user that does not need access to this sandbox. 

This will free up licences to give access to your developers, if needed. 

Actually, thanks to Brent Downey and his great tip in this article - Best Practices for Managing Salesforce Users - Admin Hero - Deactivate all users that won't be using the Sandbox (Hint: if you are a developer, add it to your Class that gets run on creation of the Sandbox). And remember to deactivate a user from ALL the sandboxes if they leave the org. Now, regular users may not be able to log into your Sandbox if you have not changed the email address of the user because they won't get the validation message. But, I'm not sure how that works if you have assigned IP ranges or you have text message validation turned on - so just double check all that and make sure you know who has access to all your orgs.

Now, having thought that through a bit, you as the System Administrator may not actually have access to every Sandbox that has been created ("Manage Sandbox" is the permission level). If another user has created one, AND they haven't changed your email address, then you will not be able to log into it. This is NOT cool! (again, add it to your class, and make it a company policy that any Sandbox must have these people activated on it). Of course you can just refresh the sandbox, but that might not win you friends (smile).

Now, create user accounts for your developers - make sure they are System Administrators, otherwise they can't do much. 

Now, go and create some data for your Developers to use whilst doing dev work.