The SecurSvc tool does allow the administrator to modify the default Windows security descriptor of a service.
It can permit any desired groups or user accounts to control a service (start / stop / pause / resume).
The local administrators group, which is by default controlling all services, can be removed for the service specified as well, so please make sure to specify this group if you wan't that group to keep the service control ability!
Command Line Syntax
SecurSvc <SERVICE-NAME > <ACCOUNT-1> [ACCOUNT-2] [ACCOUNT-N]
||The name of the service to modify. This should be the actual service name, some times referred to as service's short name, and not the so-called service display name. You can find the service name in the registry under "HKLM\System\CurrentControlSet\Services".
||User account or group account. Either local or a domain account in the format “Domain\Account-Name”. You will need to specify at least one user or group account.
To grant the "Exchange-Admins" and "Administrators" group permission to control the "MSExchangeSA" service, you could run the command below:
SecurSvc MSExchangeSA Exchange-Admins Administrators
To grant the local "Administrators" group and the domain group MyDomain\SNMP-Admins permissions to control the "SNMP" service, you could run this command:
SecurSvc SNMP Administrator SNMP-Admins
To grant the local "Administrators" group to control the "SNMP" service, you could run this command:
SecurSvc SNMP Administrators