The tool SecurSvc does allow the administrator to modify the default Windows-NT security rights of a service.
It can permit any desired groups or user accounts to control a service (start/stop/pause/resume).
The local administrator group, which is by default controlling all services, can be removed for the service specified.