Originally Posted by binary_0011
I want to allow andrew to execute all commands .... but I also want to prevent andrew from editing the system log.
You can't have both, sorry.
No offense but allowing regular users to "execute all commands" is a very poor idea, because it's a lot easier than you might think to accidentally hose up your system to the point that it cannot be recovered. Bottom line, if you want to allow andrew to run all commands, you might as well tell him to log in as root and give him the root password.
Again, it's a poor idea. Keep root and the regular users separated.