Hey Markus,
The first part you probably need to do on a domain controller also. Although there is no Local User on a Domain Controller, there is a Domain Users group (the account is a member by default) and also a Performance Monitor Users group.
As for the privileges, you could create a new GPO that assigns the necessary privileges. All 3 are located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Since this GPO should be assigned to your Domain Controllers OU, be very careful about what you are changing and ensure you are fully aware of what you are doing. Ask for support from the AD team if available. Please test this in your test environment, don't configure it directly in Production.
Then grant Read permissions on the Registry Keys mentioned in the guide and on the folders containing the NTDS.dit and logs.
Then add it to the Event Log Readers in the domain.
Ensure you are aware of the note:
*Note:* To monitor trusts the Action Account must be a member of either the Domain Admins group or the Administrators group in the domain in which trusts are monitored. If the Action Account is not a member of either of these groups you will continue to receive a failure message until you disable the following rule: Disable rule: Microsoft Windows Active Directory\Active Directory Monitor Trusts\Script-AD Monitor Trusts.
So you either disable that monitor, or add it to the Administrators group in the domain, which I think is not something that you would be keen on, given that you are looking to restrict the permissions. Plus, if it's a member of the Administrators domain security group, I don't see the point of all the previous configurations for a "low privileged" account. Good luck!

Marius ENE - https://mariusene.com/
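The non-GPO steps from the reply above (read-only ACLs on the registry keys and the NTDS folder, Event Log Readers membership) scripted as an added example; this is not code from the original post or from Marius. The user rights themselves stay in the GPO as the reply describes. The account name, the NTDS folder path and the registry key list are assumptions to replace with your own values (the registry keys "mentioned in the guide" are not on this page), and the script ends with a check that the account did not end up in Domain Admins or Administrators, which is the whole point of the low-privilege setup:

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# on a domain controller in a TEST domain first, as the reply advises.
Import-Module ActiveDirectory

$Account    = 'CONTOSO\svc-scom-action'   # assumption: example action account, replace with yours
$Sam        = $Account.Split('\')[1]
$NtdsFolder = 'C:\Windows\NTDS'           # assumption: default NTDS.dit location; verify against
                                          # HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
$RegistryKeys = @(                        # assumption: placeholder list; use the keys from your guide
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
)

# 1. Read-only access on the registry keys (ReadKey, inherited by subkeys)
foreach ($key in $RegistryKeys) {
    $acl  = Get-Acl -Path $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
    Write-Host "Granted ReadKey on $key to $Account"
}

# 2. Read-only access on the folder holding NTDS.dit and its logs
$acl  = Get-Acl -Path $NtdsFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $NtdsFolder -AclObject $acl
Write-Host "Granted ReadAndExecute on $NtdsFolder to $Account"

# 3. Event Log Readers membership in the domain
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Sam
Write-Host "Added $Sam to Event Log Readers"

# 4. Verify the result: the grants are present and the account is NOT privileged
(Get-Acl -Path $NtdsFolder).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

foreach ($group in 'Domain Admins', 'Administrators') {
    $member = Get-ADGroupMember -Identity $group -Recursive |
              Where-Object { $_.SamAccountName -eq $Sam }
    if ($member) {
        Write-Warning "$Sam is a member of '$group' (nested or direct); the low-privilege setup is defeated."
    } else {
        Write-Host "$Sam is not a member of '$group'"
    }
}
```

Only Read rights are granted in steps 1 and 2 (no Write, no Full Control), and step 4 uses `-Recursive` so nested membership through another group is caught as well. If the final check warns, the trust-monitoring rule from the note is the only thing that legitimately needs that membership, and disabling that rule is the option the reply prefers.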