I was asked to setup user rights for a specific user to start, stop and restart services on a server. No additional permissions should be granted.
So, for a start I have added this domain user to Remote Desktop Users local group on the server so that user can connect to the server via Remote Desktop connection.
Now, we have to download a Microsoft Tool called SubInACL that we will use to grant permissions for starting and stoping services.
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=23510
Once we have download the tool, extract the .exe file and copy it to the server.
Start CMD in elevated mode (Run As Administrator) and navigate to the directory where have you copied the SubInACL.exe
Run subinacl.exe /service %servicename% /grant=%computer name or domain%\%username%=TOP
T grants rights to start the service
O grants rights to stop the service
P grants rights to restart the service
If you have problems with running this script, please post your comments below.