======Microsoft - Scripting - Batch Files - Allow user to stop and start service======
// Tested on Windows Server 2016. //
- Open an elevated command prompt.
- Check the current SDDL on the service:
<code>
"%SYSTEMROOT%\system32\sc.exe" sdshow "Spooler"
</code>
- Output should look like:
<code>
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
</code>
- Use PowerShell to get the SID of the account that should be able to stop/start the service:
  - For an Active Directory account: ''Get-ADUser service_account -Properties objectSid | Select-Object objectSid''
  - For a local account: ''Get-LocalUser service_account | Select-Object Name,SID''
- Add an ACE for the SID of that account at the end of the D: (DACL) part of the service's SDDL, i.e. before the S: (SACL) part, granting only LC (query status), RP (start), WP (stop), and DT (pause/continue):
<code>
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;LCRPWPDT;;;S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
</code>
- Apply the new SDDL to the service:
<code>
"%SYSTEMROOT%\system32\sc.exe" sdset "Spooler" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;LCRPWPDT;;;S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
</code>
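The same procedure as one PowerShell script, added here as an example and not part of the original page: it resolves the account to a SID, inserts the ''LCRPWPDT'' ACE before the S: part, applies it with ''sc.exe sdset'' and reads the SDDL back to confirm the change. It assumes an elevated session; ''$ServiceName'' and ''$Account'' are placeholder parameters, and the NTAccount-to-SID translation stands in for the Get-ADUser/Get-LocalUser lookup above.

```powershell
# Added example (not from the original page). Run from an elevated
# PowerShell session. $ServiceName and $Account are placeholders.
param(
    [string]$ServiceName = 'Spooler',
    [string]$Account     = 'DOMAIN\service_account'   # or '.\localaccount'
)

$sc = "$env:SYSTEMROOT\system32\sc.exe"

# Resolve the account to its SID (works for local and domain accounts
# without the ActiveDirectory module).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Read the current SDDL; sc.exe prints it on a line starting with "D:".
function Get-ServiceSddl([string]$Name) {
    (& $sc sdshow $Name | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }) -join ''
}
$current = Get-ServiceSddl $ServiceName
if (-not $current) { throw "Could not read the SDDL of service '$ServiceName'." }

# LC = query status, RP = start, WP = stop, DT = pause/continue.
# Deliberately nothing else: no DC (change config), no WD/WO (change DACL/owner).
$ace = "(A;;LCRPWPDT;;;$sid)"

if ($current -like "*;;;$sid)*") {
    Write-Host "An ACE for $sid already exists, leaving the SDDL unchanged:"
    Write-Host $current
    return
}

# The ACE belongs in the D: (DACL) part, so insert it before the S: (SACL)
# part when one is present.
if ($current -match '^(?<dacl>D:.*?)(?<sacl>S:.*)?$') {
    $new = $Matches['dacl'] + $ace + $Matches['sacl']
} else {
    throw "Unexpected SDDL format: $current"
}

& $sc sdset $ServiceName $new | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

# Verify by reading the SDDL back rather than trusting the exit code alone.
$after = Get-ServiceSddl $ServiceName
if ($after -notlike "*$ace*") { throw "ACE not present after sdset: $after" }
Write-Host "Updated SDDL for ${ServiceName}:"
Write-Host $after
```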
Sources:
- [[https://serverfault.com/questions/796110/how-to-set-permissions-on-a-service|serverfault - how to set permissions on a service]] // This suggests using RPWPDTLO as the permission set, but I found that with LO I could start the service from a cmd.exe running as the service account, but got an access denied when trying to start the service from a batch file running in a scheduled task under the service account. Using LCRPWPDT seems to fix this. //
- [[https://web.archive.org/web/20100922155044/http://msmvps.com/blogs/alunj/archive/2006/02/13/83472.aspx|Tales from the Crypto - SDDL - easier to read, except when it's not.]]
- [[https://web.archive.org/web/20160404230226/https://support.microsoft.com/en-us/kb/914392/|Microsoft Support - Best practices and guidance for writers of service discretionary access control lists (archive.org)]]