Hello
Thank you for your question and reaching out.
The method for 2012 should also work for Windows 2016 or 2019 domain controllers also.
The members who require READ-ONLY access to the logs must first be added to a security group. Create the GPO after that, and then apply it to the Domain Controllers OU. After that is finished, you won't ever need to repeat the process in order to add or delete members from this group. The GPO option is also the ideal because you don't need to configure anything on the individual servers as you add new DCs. The group's members will have access after the GPO is applied to the new DCs.
-----------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--