Microsoft - Scripting - Batch Files - Allow user to stop and start service

Tested on Windows Server 2016.

  1. Open an elevated command prompt. (An elevated PowerShell prompt works too, but type sc.exe with the extension there: in PowerShell, sc on its own is an alias for Set-Content.)
  2. Check the current security descriptor (SDDL) of the service:
    "%SYSTEMROOT%\system32\sc.exe" sdshow "Spooler"
  3. Output should look like:
    D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    The D: part is the DACL: allow (A) ACEs for Authenticated Users (AU), Builtin Administrators (BA) and Local System (SY). The S: part is the SACL: an audit (AU) ACE that logs failed access (FA) by Everyone (WD). Keep this string; sdset replaces the whole descriptor, so the new descriptor has to repeat everything that is already in it, SACL included.
  4. Use PowerShell to get the SID of the account that should be able to stop/start the service:
    1. For an Active Directory account (SID is in Get-ADUser's default output, so no -Properties is needed):
      Get-ADUser service_account | Select-Object Name,SID
    2. For a local account:
      Get-LocalUser service_account | Select-Object Name,SID
  5. Append an allow ACE for that SID (AD or local) at the end of the D: part, immediately before S:, with the four rights the account needs and nothing more: LC (SERVICE_QUERY_STATUS), RP (SERVICE_START), WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE). The ACE has the form (A;;LCRPWPDT;;;<SID>). Do not grant DC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC), WO (WRITE_OWNER) or SD (DELETE): any of those lets the account repoint the service binary or widen its own rights, which for a service running as LocalSystem is a direct route to SYSTEM.
    D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;LCRPWPDT;;;S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  6. Apply the new SDDL to the service, the whole string (DACL and SACL) on one line. From cmd.exe it can be passed unquoted as below; from PowerShell wrap it in single quotes, because the parentheses and semicolons are otherwise parsed as PowerShell syntax:
    "%SYSTEMROOT%\system32\sc.exe" sdset "Spooler" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;LCRPWPDT;;;S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  7. Read the descriptor back and confirm that the new ACE is present and the S: part survived:
    "%SYSTEMROOT%\system32\sc.exe" sdshow "Spooler"
    The change takes effect immediately. Then test as the account itself (for example from the scheduled task that will use it): sc.exe stop Spooler followed by sc.exe start Spooler.
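The same procedure as one script, added here as an example and not taken from the original page: it reads the descriptor with sc.exe sdshow, parses it with .NET's RawSecurityDescriptor instead of splicing the string by hand, refuses to add a duplicate ACE, writes it back with sc.exe sdset and verifies the result. It goes slightly beyond the steps above in that NTAccount.Translate resolves both local and domain accounts, so neither Get-ADUser nor Get-LocalUser is needed. The service name and the account name are hypothetical placeholders; it assumes an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example, not from the original page: grant one account LC/RP/WP/DT on a service.
# Assumptions: elevated PowerShell 5.1+; $ServiceName and $Account are placeholders
# (for a local account pass "$env:COMPUTERNAME\name").
param(
    [string]$ServiceName = 'Spooler',
    [string]$Account     = 'CONTOSO\service_account'
)

$sc = "$env:SystemRoot\System32\sc.exe"   # 'sc' alone is the PowerShell alias for Set-Content

# Service access rights from winsvc.h with their SDDL two-letter codes. Nothing else is granted:
# DC (change config), WD (write DAC) or WO (write owner) would let the account repoint the
# service binary or widen its own rights, i.e. run code as the service's account.
$SERVICE_QUERY_STATUS   = 0x0004   # LC
$SERVICE_START          = 0x0010   # RP
$SERVICE_STOP           = 0x0020   # WP
$SERVICE_PAUSE_CONTINUE = 0x0040   # DT
$mask = $SERVICE_QUERY_STATUS -bor $SERVICE_START -bor $SERVICE_STOP -bor $SERVICE_PAUSE_CONTINUE  # 0x74 = LCRPWPDT

function Get-ServiceSddl([string]$Name) {
    # sc.exe prints a blank line before the SDDL; keep only the non-empty text.
    $out = & $sc sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow '$Name' failed: $($out -join ' ')" }
    (($out | Where-Object { $_.Trim() }) -join '').Trim()
}

# NTAccount.Translate resolves local and domain accounts alike.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])

$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new((Get-ServiceSddl $ServiceName))

# Idempotency: if the SID already has an ACE, report it instead of stacking a second one.
$existing = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid })
if ($existing.Count -gt 0) {
    Write-Warning ('{0} already has an ACE on {1} with mask 0x{2:X}; nothing changed' -f $Account, $ServiceName, $existing[0].AccessMask)
    return
}

# Append an access-allowed ACE. Appending keeps the DACL canonical because the descriptor
# returned by sdshow contains no deny ACEs.
$ace = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $mask, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

# Serialise DACL and SACL together so the audit ACE in S: is not dropped by sdset.
$sections = [System.Security.AccessControl.AccessControlSections]::Access -bor `
            [System.Security.AccessControl.AccessControlSections]::Audit
$newSddl = $sd.GetSddlForm($sections)
Write-Host "sdset $ServiceName $newSddl"
& $sc sdset $ServiceName $newSddl
if ($LASTEXITCODE -ne 0) { throw "sc sdset '$ServiceName' failed" }

# Verify by reading the descriptor back: the SID must be present with exactly the mask granted.
$check   = [System.Security.AccessControl.RawSecurityDescriptor]::new((Get-ServiceSddl $ServiceName))
$granted = @($check.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid })
if ($granted.Count -ne 1 -or $granted[0].AccessMask -ne $mask) {
    throw ('Verification failed for {0} on {1}: expected mask 0x{2:X}' -f $Account, $ServiceName, $mask)
}
Write-Host ('{0} can now query, start, stop and pause/continue {1}' -f $Account, $ServiceName)
```

Save it as, for example, Grant-ServiceControl.ps1 and run `.\Grant-ServiceControl.ps1 -ServiceName Spooler -Account 'CONTOSO\service_account'` from an elevated prompt. The serialised descriptor uses the same two-letter rights as the hand-edited string above (LCRPWPDT for mask 0x74), so the sdshow output after the run can be compared directly with step 5.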

Sources:

  1. serverfault - how to set permissions on a service. This suggests using RPWPDTLO as the permission set, but I found that with LO I could start the service from a cmd.exe running as the service account, but got an access denied when trying to start the service from a batch file running in a scheduled task under the service account. Using LCRPWPDT seems to fix this.