
Granting rights to start / stop services under Windows

Just today I needed to give someone the ability to restart a test web server under Windows.
Naturally, handing out admin rights is not an option.
A "Power User" is not suitable either.


This is where TechNet comes to the rescue, with its description of sc.

Here we are interested in 2 commands:
sc sdshow - shows permissions
sc sdset - sets permissions
To get started, find out what rights our service already has:
C:\Users\administrator>sc sdshow service_name

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


No frills.

As you can see, there are 2 interesting prefixes:
S: - System Access Control List (SACL) - this is not what interests us right now.
D: - Discretionary ACL (DACL) - rights for everyone and everything are indicated here.

Looking further.
The first letter after the opening parenthesis means allow (A, Allow) or deny (D, Deny).

We allow:
(A;;;;;)

And then we see combinations of two letters:
CC - SERVICE_QUERY_CONFIG
LC - SERVICE_QUERY_STATUS
SW - SERVICE_ENUMERATE_DEPENDENTS
LO - SERVICE_INTERROGATE
CR - SERVICE_USER_DEFINED_CONTROL
RC - READ_CONTROL
RP - SERVICE_START
WP - SERVICE_STOP
DT - SERVICE_PAUSE_CONTINUE


In fact, we are interested in the last three options:
(A;;RPWPDT;;;)

The last two letters indicate whom we allow or deny:
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
AU Authenticated users
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user


In addition to this list, you can explicitly specify a user by SID.

This is the most interesting part!
How do you find out a user's SID?
There is more than one way :)

But the easiest and most convenient (in my opinion) is to write a little script in VBScript:
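' Connect to WMI on the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Look up the account; replace username and domain with your own values
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='username',Domain='domain'")
' Show the account's SID
Wscript.Echo objAccount.SID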


Replace the user name and domain with your own, save the file with the extension .vbs and run it.
A message box with the SID appears.

Copy it into Notepad (or any other place).
You can also run the script from the console to save time :)

So, we have found out the SID.
Paste it into our entry:
(A;;RPWPDT;;;S-1-5-21-3992622163-2725220152-438995547-4172)

Now assemble the whole command:
sc sdset service_name D:(A;;RPWPDT;;;S-1-5-21-3992622163-2725220152-438995547-4172)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


Our entry can be inserted anywhere, but it is important that it comes before the S: prefix.
It is important not to make a mistake here, otherwise we may lose access to the service :)
Run the command.

Check:
sc \\server stop "service_name"
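
Added example, not part of the original article: a Python helper that builds the sc sdset argument from sc sdshow output, inserts the new entry before S:, and re-parses the result to confirm the existing entries survived. The function and variable names are assumptions of this example; the sample descriptor and SID are the article's own.

```python
import re

# The nine right codes listed in the article; other codes are passed through raw.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "RC": "READ_CONTROL",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
}

def pairs(rights):  # 'RPWPDT' -> ['RP', 'WP', 'DT']
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def split_sddl(sddl):
    """Return (dacl, sacl) from sc sdshow output; the SACL starts at 'S:'."""
    sddl = "".join(sddl.split())  # undo console line wrapping
    if not sddl.startswith("D:"):
        raise ValueError("expected the descriptor to start with D:")
    dacl, sep, sacl = sddl.partition("S:")  # ':' never occurs inside a simple ACE
    return dacl, sep + sacl

def parse_dacl(dacl):
    """Decode every ACE as (type, [right names], trustee)."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        names = [RIGHTS.get(c, c) for c in pairs(fields[2])]
        aces.append((fields[0], names, fields[5]))
    return aces

def grant(sddl, sid, rights="RPWPDT"):
    """Return sddl with an allow ACE for sid inserted ahead of the S: part."""
    if not set(pairs(rights)).issubset(RIGHTS) or not re.fullmatch(r"S-1(-\d+)+", sid):
        raise ValueError(f"refusing rights {rights!r} for trustee {sid!r}")
    dacl, sacl = split_sddl(sddl)
    pos = dacl.find("(") if "(" in dacl else len(dacl)
    new = f"{dacl[:pos]}(A;;{rights};;;{sid}){dacl[pos:]}{sacl}"
    new_dacl, new_sacl = split_sddl(new)  # re-parse what we are about to apply
    if parse_dacl(new_dacl)[1:] != parse_dacl(dacl) or new_sacl != sacl:
        raise ValueError("edit damaged the existing descriptor")
    return new

# The article's own sdshow output (wrapped as the console printed it) and SID.
SDSHOW_OUTPUT = """D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"""
SID = "S-1-5-21-3992622163-2725220152-438995547-4172"
if __name__ == "__main__":
    print(grant(SDSHOW_OUTPUT, SID))
```

Keeping the original sc sdshow output in a file before applying the new descriptor gives a known-good value to restore with sc sdset if the service stops behaving as expected.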

Hopefully the main point has been conveyed.
I am waiting for criticism; I suspect there may be easier ways.

UPD: by the way, you can also use groups.
To find out a group's SID, write the name of the group instead of the username.

Source: https://habr.com/ru/post/75090/

