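function Grant-UserStartStopRightsToService {
    <#
    .SYNOPSIS
        Grants a non-administrative user rights to stop or start a Windows Service
    .DESCRIPTION
        Reads the service's security descriptor (SDDL) with 'sc.exe sdshow', adds
        one allow ACE "(A;;RPWPCR;;;<SID>)" for the user at the end of the DACL and
        writes the descriptor back with 'sc.exe sdset'.

        For a service object the rights in that ACE are RP (start), WP (stop) and
        CR (user-defined control). The ACE deliberately carries nothing else: DC
        (change configuration), WD and WO are not granted, so the user cannot
        re-point the service binary or rewrite the descriptor.

        If the user's SID already appears as the trustee of any ACE in the
        descriptor, nothing is changed and a warning is written instead.
    .PARAMETER userName
        Account name to grant the rights to (alias: User).
    .PARAMETER domainName
        Optional domain of the account (alias: Domain). Passed through unchanged to
        Get-SidFromUsername.
    .PARAMETER serviceName
        Name of the service whose descriptor is modified (alias: Service).
    .OUTPUTS
        The text printed by 'sc.exe sdset' is written to the pipeline.
    .NOTES
        Failures (sc.exe non-zero exit code, unusable SID, unexpected descriptor
        layout) are reported with Write-Error and leave the service untouched.
    #>
    [CmdLetBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [Alias("User")]
        [string]$userName,

        [Parameter(Mandatory=$false)]
        [Alias("Domain")]
        [string]$domainName,

        [Parameter(Mandatory=$true)]
        [Alias("Service")]
        [string]$serviceName
    )

    $logLead = (Get-LogLeadName);

    # sc.exe prints a blank line before the SDDL string and prints an error text
    # (with a non-zero exit code) when the service cannot be opened. Never feed
    # that error text into the descriptor we are about to write back.
    $rawDescriptor = & sc.exe sdshow "$serviceName"
    if ($LASTEXITCODE -ne 0) {
        Write-Error ("$logLead : sc.exe sdshow failed for service {0} (exit code {1}): {2}" -f $serviceName, $LASTEXITCODE, (@($rawDescriptor) -join ' '))
        return
    }
    $serviceAcls = ((@($rawDescriptor) | Where-Object { "$_".Trim() }) -join '').Trim()

    # The SID is embedded verbatim into a security descriptor, so insist on a
    # well-formed SID string. An empty result would otherwise match every
    # descriptor below and be reported as "already has explicit rights".
    $userSid = Get-SidFromUsername -userName:$userName -domainName:$domainName
    $sidText = "$userSid".Trim()
    if ($sidText -notmatch '^S-1-\d+(-\d+)+$') {
        Write-Error ("$logLead : Could not resolve a valid SID for user {0}; service {1} was not modified." -f $userName, $serviceName)
        return
    }

    # Match the SID only as a complete ACE field (";<SID>)" or ";<SID>;") so that
    # a SID ending in -1001 is not mistaken for one ending in -10010.
    $existingAcePattern = ';' + [regex]::Escape($sidText) + '[;)]'
    if ($serviceAcls -match $existingAcePattern) {
        Write-Warning ("$logLead : User {0} already has explicit rights to the service. Verify they are correct and remove manually if this needs to be rerun." -f $userName)
        return
    }

    # Locate the DACL ("D:") and, if present, the SACL ("S:") section markers.
    # SID strings use "S-", so "S:" is expected only as the SACL marker.
    # NOTE(review): assumes the DACL holds no conditional ACE whose expression
    # contains the literal text "S:" - confirm if such ACEs are ever used.
    $daclStart = $serviceAcls.IndexOf('D:', [System.StringComparison]::Ordinal)
    $saclStart = $serviceAcls.IndexOf('S:', [System.StringComparison]::Ordinal)
    if ($daclStart -lt 0 -or ($saclStart -ge 0 -and $saclStart -lt $daclStart)) {
        Write-Error ("$logLead : Unexpected security descriptor for service {0}: {1}. Service was not modified." -f $serviceName, $serviceAcls)
        return
    }

    $aclTemplate = ("(A;;RPWPCR;;;{0})" -f $sidText)
    Write-Verbose ("$logLead : ACL String to Add: {0}" -f $aclTemplate)

    # The new ACE must end up inside the DACL: insert it right before the SACL
    # marker, or append it when the descriptor has no SACL section.
    if ($saclStart -ge 0) {
        $modifiedAcls = $serviceAcls.Substring(0, $saclStart) + $aclTemplate + $serviceAcls.Substring($saclStart)
    }
    else {
        $modifiedAcls = $serviceAcls + $aclTemplate
    }

    Write-Verbose ("$logLead : Setting ACLs for Service {0} to {1}" -f $serviceName, $modifiedAcls)
    & sc.exe sdset "$serviceName" $modifiedAcls
    if ($LASTEXITCODE -ne 0) {
        Write-Error ("$logLead : sc.exe sdset failed for service {0} (exit code {1})." -f $serviceName, $LASTEXITCODE)
    }
}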