I'd like to create an account that is not a domain admin, so user cannot log into ADUaC, GP editor, etc but has privileges to access the Event Viewer, install printer drivers and applications on a client PC.
This will be for a student worker to help ease our workload and do basic troubleshooting. How can I create this type of ac
Well, it seems that all the privileges are needed on the client side of things, so just add the student worker as a local administrator on all the machines that they'll need access to. Give them a normal domain user account and use Restricted Groups in group policy to add the user to the local Administrators group of the client machines.
Create a security account that gives access to local machines on the domain. Add the computers to this security account, and add the security account to the user. So... to further explain that;
You have computer A, B and C and user USER1.
Create a Security group called LOCALAD.
Add this security group to computers A, B and C and to USER1.
This will give them access to the computers, but not the servers.
This seems like the a good fit for membership in the "Server Operators" and "Print Operators" domain groups.