To implement read-only access that includes Event Viewer and Performance Monitor on two domain controllers for testing, you can create a GPO with specific settings that allow RDP, limit access to only the necessary tools, and ensure that no Active Directory permissions are granted. Here’s a step-by-step guide:

Once testing is successful, you can gradually apply the GPO to more domain controllers. Let me know if you need further customization of this configuration!