To implement read-only access with access to Event Viewer and Performance Monitor on two domain controllers for testing, you can create a GPO with specific settings that allow RDP, limit access to only necessary tools, and ensure no Active Directory permissions are granted. Here’s a step-by-step guide:
Create a New GPO in the Group Policy Management Console (GPMC):
Open GPMC, right-click on the OU containing the two test domain controllers, and select Create a GPO in this domain and link it here.
Name it something like "DC Read-Only Access - Test".
Configure Remote Desktop Access:
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
Enable Allow users to connect remotely by using Remote Desktop Services.
Set User Rights for Remote Access:
Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Edit Allow log on through Remote Desktop Services and add the security group that contains the Wintel team members.
Restrict Access to Only Event Viewer and Performance Monitor:
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Add the security group here so that its membership on the test servers is controlled by policy, and place it only in the local groups that grant Event Viewer and Performance Monitor access, never in a group that carries administrative rights.
Restrict Active Directory Access:
Confirm that the security group holds no permissions on Active Directory objects and no rights to the AD administration tools; check the relevant Group Policy settings and the NTFS permissions on those tools.
Link the GPO to the Test Servers:
Link this GPO only to the two domain controllers you want to test. You can do this either by adding the two server computer accounts to the GPO's Security Filtering or by linking it to an OU that contains only the test servers.
Test and Monitor:
After the GPO has applied, have Wintel team members log in and verify that they can view Event Viewer and Performance Monitor data and that they hold no Active Directory permissions.
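The steps above describe the configuration but give no way to prove that the resulting access is really read-only, so here is an added verification script for the "Test and Monitor" step. It is written for this page and is not part of the original answer. It assumes a security group named WintelDCReadOnly and two test servers named DC01 and DC02 (both placeholders), the GPO name used above, and an admin workstation with RSAT (the ActiveDirectory and GroupPolicy modules) under an account that can remote into the test DCs. It checks three things: the group's transitive membership (it should sit in Event Log Readers and Performance Monitor Users or Performance Log Users, the built-in groups that give Event Viewer and Performance Monitor access without admin rights, and in nothing that is DC-admin-equivalent), who actually holds the "Allow log on through Remote Desktop Services" right on each test DC, and whether the GPO's scope is really limited to the two servers. Two caveats the script reflects: on domain controllers the Builtin groups are domain objects replicated to every DC, so a Restricted Groups membership change is not confined to the two test DCs even when the GPO link is, and Event Log Readers also grants read access to the Security log, so the group should be treated as sensitive even though it is "read-only".

```powershell
# Added verification script, not part of the original answer.
# Assumptions (placeholders, adjust to your environment):
#   $GroupName : the Wintel security group ('WintelDCReadOnly' is hypothetical)
#   $TestDCs   : the two test domain controllers ('DC01', 'DC02' are hypothetical)
#   $GpoName   : the GPO name used in the answer
# Run from an admin workstation with RSAT under an account that can remote (WinRM)
# into the test DCs; the secedit export needs local admin rights on each DC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'WintelDCReadOnly'
$TestDCs   = @('DC01', 'DC02')
$GpoName   = 'DC Read-Only Access - Test'

# Built-in groups that give log and counter access without admin rights (well-known SIDs)
$AllowedBuiltin = @{
    'S-1-5-32-573' = 'Event Log Readers'
    'S-1-5-32-558' = 'Performance Monitor Users'
    'S-1-5-32-559' = 'Performance Log Users'
}
# Built-in groups that must NOT contain the Wintel group (DC-admin equivalent)
$PrivilegedBuiltin = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}
# Privileged domain groups, identified by their well-known RIDs
$PrivilegedRids = @{ 512 = 'Domain Admins'; 519 = 'Enterprise Admins'; 518 = 'Schema Admins' }

$group     = Get-ADGroup -Identity $GroupName
$domainSid = (Get-ADDomain).DomainSID.Value
$findings  = New-Object System.Collections.Generic.List[string]

# --- 1. Transitive membership: LDAP_MATCHING_RULE_IN_CHAIN walks nested groups ---
$memberOf   = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
$memberSids = @($memberOf | ForEach-Object { $_.SID.Value })

foreach ($sid in $AllowedBuiltin.Keys) {
    if ($memberSids -notcontains $sid) { $findings.Add("MISSING  $GroupName is not in $($AllowedBuiltin[$sid])") }
}
foreach ($sid in $PrivilegedBuiltin.Keys) {
    if ($memberSids -contains $sid) { $findings.Add("FAIL     $GroupName is a (nested) member of $($PrivilegedBuiltin[$sid])") }
}
foreach ($rid in $PrivilegedRids.Keys) {
    if ($memberSids -contains "$domainSid-$rid") { $findings.Add("FAIL     $GroupName is a (nested) member of $($PrivilegedRids[$rid])") }
}

# --- 2. Effective holders of 'Allow log on through Remote Desktop Services' on each DC ---
foreach ($dc in $TestDCs) {
    $holders = Invoke-Command -ComputerName $dc -ScriptBlock {
        # secedit writes the resultant user-rights policy; entries look like "*S-1-5-32-544,*S-1-5-..."
        $cfg = Join-Path $env:TEMP 'ura-export.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = (Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1).Line
        Remove-Item $cfg -Force
        if ($line) { ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
    }
    if ($holders -notcontains $group.SID.Value) {
        $findings.Add("WARN     ${dc}: $GroupName is not directly granted the RDP logon right (holders: $($holders -join ', '))")
    }
    # Anything other than Administrators and the Wintel group means the right is wider than intended
    $extra = $holders | Where-Object { $_ -ne 'S-1-5-32-544' -and $_ -ne $group.SID.Value }
    if ($extra) { $findings.Add("WARN     ${dc}: additional RDP logon holders: $($extra -join ', ')") }
}

# --- 3. GPO scope: Authenticated Users apply rights plus a link at the Domain Controllers OU
#        means the GPO reaches every DC, not just the two test servers ---
$applyAuthUsers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Sid.Value -eq 'S-1-5-11' }
$dcOu         = (Get-ADDomain).DomainControllersContainer
$linkedAtDcOu = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if ($applyAuthUsers -and $linkedAtDcOu) {
    $findings.Add("WARN     GPO '$GpoName' is linked at $dcOu and applies to Authenticated Users; it reaches all DCs")
}

if ($findings.Count -eq 0) { 'PASS     no findings' } else { $findings }
```

Run it before the Wintel team logs in and again after the first test session; any FAIL line means the group has acquired rights beyond Event Viewer and Performance Monitor, and a WARN on scope means a change meant for two servers will land on the whole Domain Controllers OU. Remember that "Allow log on through Remote Desktop Services" on a DC is an interactive logon to the most sensitive tier in the domain, so if the team only needs to read logs and counters, membership in Event Log Readers and Performance Monitor Users lets them attach Event Viewer and Performance Monitor remotely from their own workstation without any RDP right at all.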
Once the testing is successful, you can gradually apply the GPO to more domain controllers. Let me know if you need further customization on this configuration!