I love a challenge. This appears to be working for me.
I figured out how to set the permissions to allow a group to have access. Just add whatever user accounts need access to the group. For testing I just used the Remote Management Users group. It appears that the user will need to be in that group in order to have Invoke-Command access anyway. You can create your own group if you want.
# Name: LetUsersGetService.ps1
# Desc: Grant read access to some group to allow read access via Invoke-Command
# Author: Dave (MotoX80)
# Grant access to this group
$Account = "Remote Management Users" # Grant access to this group
# get current acl (sc.exe prints a blank line before the SDDL, so join the output lines and trim)
$MySDDL = ((sc.exe sdshow scmanager) -join '').Trim()
# Here is original acl from my Win10 machine.
# Uncomment the next statement to reset access
#$MySDDL = "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
# DirectorySecurity is only used here as a convenient SDDL editor; the SCM is not a directory
$NewAcl = New-Object System.Security.AccessControl.DirectorySecurity
$NewAcl.SetSecurityDescriptorSddlForm($MySDDL)
# The FileSystemRights bits line up with the SC_MANAGER bits:
#   ReadData (0x1) = SC_MANAGER_CONNECT (CC), AppendData (0x4) = SC_MANAGER_ENUMERATE_SERVICE (LC),
#   ReadPermissions (0x20000) = READ_CONTROL (RC); no create-service, lock or boot-config bits are granted
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($Account,"ReadData, AppendData, ReadPermissions","None","None","Allow")
$NewAcl.SetAccessRule($Rule)
""
"Access will be set to this..."
$NewAcl.Access # show who has access
""
"Original SDDL"
$MySDDL
""
"Updated SDDL"
$NewAcl.Sddl # and in SDDL form
""
"Updating access"
sc.exe sdset SCMANAGER $NewAcl.Sddl
""
"SDDL from sc.exe"
sc.exe sdshow scmanager
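Added example, not part of Dave's post: a small helper that decodes an scmanager SDDL ACE by ACE, maps the access mask back to the SC_MANAGER_* names, and flags any Allow ACE that grants more than connect/enumerate/read-control, so you can confirm the script only handed out read rights. The sample SDDL is constructed for the demo (S-1-5-32-580 is the Remote Management Users SID); the function name is my own.

```powershell
# SC_MANAGER_* access bits (winsvc.h) and the SDDL letters they print as
$ScmRights = [ordered]@{
    0x0001  = 'CONNECT (CC)'
    0x0002  = 'CREATE_SERVICE (DC)'
    0x0004  = 'ENUMERATE_SERVICE (LC)'
    0x0008  = 'LOCK (SW)'
    0x0010  = 'QUERY_LOCK_STATUS (RP)'
    0x0020  = 'MODIFY_BOOT_CONFIG (WP)'
    0x20000 = 'READ_CONTROL (RC)'
}
# Exactly what LetUsersGetService.ps1 grants: connect + enumerate + read control
$ReadOnlyMask = 0x0001 -bor 0x0004 -bor 0x20000

function Get-ScmAceReport {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses the D:/S: string into ACE objects without touching the system
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # capability / app-container SIDs usually do not translate
        $rights = foreach ($bit in $ScmRights.Keys) {
            if ($ace.AccessMask -band $bit) { $ScmRights[$bit] }
        }
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = $name
            Mask    = ('0x{0:X}' -f $ace.AccessMask)
            Rights  = ($rights -join ', ')
            # Allow ACE carrying bits outside connect/enumerate/read-control (expected for BA and SY,
            # worth a second look for any other principal)
            BeyondReadOnly = ($ace.AceType -eq 'AccessAllowed') -and
                             (($ace.AccessMask -band (-bnot $ReadOnlyMask)) -ne 0)
        }
    }
}

# Constructed sample in the shape sc.exe sdshow prints: Remote Management Users given CC+LC+RC
$Sample = 'D:(A;;CC;;;AU)(A;;CCLCRC;;;S-1-5-32-580)(A;;KA;;;BA)'
Get-ScmAceReport -Sddl $Sample | Format-Table -AutoSize

# Same check against the live descriptor after running the script:
# Get-ScmAceReport -Sddl ((sc.exe sdshow scmanager) -join '').Trim() | Where-Object BeyondReadOnly
```

On the sample, only the BA entry comes back with BeyondReadOnly set; if the live run lists your custom group there, the mask has more than the three read bits in it.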