You can definitely use Group Policy to grant users rights to start / stop services. You just need to modify the security descriptor on the service using the "Security" group policy client side extension.
A very slight caveat: I have seen cases where some services don't like the default permission that a group policy-based modification puts on a service (look at this posting about the Windows Search service if you want to see what I'm talking about: http://peeved.org/blog/2007/12/07), but that has been uncommon in my experience.
In order to "see" the service in the Group Policy editor you'll need to do the editing on a computer that has the service installed. (If this is a stock Windows service then it's no big deal, but if it's something third-party get on a machine that has it installed, "runas" a copy of MMC, and snap-in a Group Policy editor targeted at the GPO where you want to put these settings.)
Under "Computer Settings", "Windows Settings", "Security Settings", and "System Services", locate the service you want to grant start / stop permission to and define a policy setting. You have to choose a startup type. Click "Edit Security" and modify the default ACL to include the permissions you're looking for.
I'd recommend testing the GPO on a constrained group of computers (either by linking the GPO to a test OU with a single computer, or by filtering the GPO to only a single computer) and making sure it does what you want before you go changing the security on all your computers only to find out it doesn't do what you want.
Here's some background on what the various entries in an ACE mean for services:
To see the descriptors in SDDL notation, use the "sc sdshow service-name" command.
Edit:
Delegated permission to create new services is going to be a little bit tough. There is a "SC_MANAGER_CREATE_SERVICE" right that can be granted to users on the service control manager (SCM) object in the global object manager.
In Windows versions up to Windows Server 2003, the rights could not be changed on the SCM. Starting in W2K3 SP1, you could change the rights on the SCM.
The API to change the security is SetServiceObjectSecurity, and more information is available here: http://msdn.microsoft.com/en-us/library/aa379589(VS.85).aspx
Some more reference re: the rights that can be granted to the SCM and the default DACL set on the SCM is available here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
In short, there's no way to do this w/o writing code. There's no magic registry setting, etc. If you can get somebody to write the code for you, though, it's totally feasible.
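To check what the "Edit Security" step actually produced, the SDDL that "sc sdshow service-name" prints can be decoded into named service rights. The PowerShell below is an added example, not part of the original answer; the helper name ConvertFrom-ServiceSddl, the sample SDDL and the domain SID in it are constructed for illustration.

```powershell
# Service-specific access-mask bits (winsvc.h) plus the standard rights.
$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002
    SERVICE_QUERY_STATUS         = 0x0004
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010
    SERVICE_STOP                 = 0x0020
    SERVICE_PAUSE_CONTINUE       = 0x0040
    SERVICE_INTERROGATE          = 0x0080
    SERVICE_USER_DEFINED_CONTROL = 0x0100
    DELETE                       = 0x10000
    READ_CONTROL                 = 0x20000
    WRITE_DAC                    = 0x40000
    WRITE_OWNER                  = 0x80000
}
# Rights beyond start/stop delegation: reconfigure the service or rewrite its ACL.
$Sensitive = 0x0002 -bor 0x40000 -bor 0x80000

function ConvertFrom-ServiceSddl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # SID cannot be resolved: show it raw
        $names = foreach ($r in $ServiceRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Type      = $ace.AceType
            Principal = $who
            StartStop = (($ace.AccessMask -band 0x30) -eq 0x30)  # START and STOP
            Sensitive = [bool]($ace.AccessMask -band $Sensitive)
            Rights    = $names -join ', '
        }
    }
}

# Constructed sample descriptor. On a live system use instead:
#   $sddl = ((sc.exe sdshow Spooler) -join '').Trim()
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;IU)' +
        '(A;;LCRPWPRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
ConvertFrom-ServiceSddl $sddl | Format-Table -AutoSize -Wrap
```

The ACE for the delegated account should show StartStop = True and Sensitive = False; SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER held by a non-administrative principal lets that principal reconfigure the service rather than just start and stop it.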
I came across this question and realized I never posted what I did. Ultimately I figured out a way to use SUBINACL.exe (it needs to be in a path directory like System32) and passed it through a PowerShell loop of all the printers.
Here's the code; run it from the PS console as Administrator on the print server:
$Logpath = "c:\temp\logs"
# Close any transcript left open by an earlier run, then log this one
Stop-Transcript -ErrorAction "SilentlyContinue"
Start-Transcript $Logpath -Append
$PRINTERS = (Get-WmiObject Win32_Printer)
foreach ($PRINTER in $PRINTERS)
{
    $Server = $PRINTER.SystemName
    $PrinterName = $PRINTER.name
    Write-Host \\$Server\$PrinterName
    # Grant Full Control (F) on the printer to domain\username
    subinacl.exe /printer \\$Server\$PrinterName /Grant=domain\username=F
}
Stop-Transcript
I don't work there anymore but I hope someone benefits from finding this.
Best Answer
Yes, with a startup script.
setprinter.exe, included with the Windows 2003 resource kit. You can use:
setprinter.exe 3 "pSecurityDescriptor=xxxxxxxxxx"
You would need to loop through all of the installed printers, and apply the new ACL. This would assume you could use the same ACL for all printers on all workstations. This may not be a problem as most people don't use custom security on local printers.
"pSecurityDescriptor=" is in SDDL form. Use setprinter -examples 3 to get more info.
Set a printer with the security the way you want it, then use setprinter -show printerName 3 to get the text of how the SDDL should be applied.
This is what the command and SDDL look like when Everyone has Manage Printers and all the other permissions are generic defaults:
setprinter.exe 3 pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"
All of that must be on one line.
Here is some PowerShell code that lists the printers:
Get-WMIObject Win32_Printer -ComputerName $env:computername | foreach-object{$_.Name}
so the command to do the work would be
Get-WMIObject Win32_Printer -ComputerName $env:computername | foreach-object{setprinter.exe $_.Name 3 pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"}
Again, that must be all one line.