I want to create a special user on Windows servers that has the following rights:
right to view all AD objects and properties of those objects but not change or modify
right to view all permissions/ACL lists/security settings but not change or modify
right to view all files/folders etc. but not change or modify any thought the ID can create modify new Word and Excel files in their home folder
What are the steps to do so?