
QuickAndDirty

 
Delphi 12 Athens
 
#16

AW: Wie startet Firefox seinen Update Service?

  Alt 19. Sep 2018, 10:35
Ich muss, denke ich, quasi diesen C++-Code (Win32-API, kein C#) in das AfterInstall-Event vom Dienst bringen.
Code:
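// SDDL string for the service DACL. SetServiceObjectSecurity() with
// DACL_SECURITY_INFORMATION replaces the existing DACL as a whole, so the
// default ACEs are repeated here and one extra ACE is appended.
// Security note: "RP" on a service object is the right to start it. Granting
// it to IU lets every interactively logged-on user start the service, so the
// service itself must not trust what it processes at start-up.
const wchar_t sddl[] = L"D:"
  L"(A;;CCLCSWRPWPDTLOCRRC;;;SY)"          // default permissions for local system
  L"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"  // default permissions for administrators
  L"(A;;CCLCSWLOCRRC;;;AU)"                // default permissions for authenticated users
  L"(A;;CCLCSWRPWPDTLOCRRC;;;PU)"          // default permissions for power users
  L"(A;;RP;;;IU)"                          // added permission: start service for interactive users
  ;

// Initialised so that a failed conversion never leaves a stray pointer behind.
PSECURITY_DESCRIPTOR sd = NULL;

// The W variant is called explicitly: sddl is a wide string, and the generic
// macro would resolve to the ANSI variant in a build without UNICODE.
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1, &sd, NULL))
{
   fail();
}

if (!SetServiceObjectSecurity(service, DACL_SECURITY_INFORMATION, sd))
{
   // Keep the error code of the failed call intact for fail() while the
   // descriptor is released.
   DWORD err = GetLastError();
   LocalFree(sd);
   sd = NULL;
   SetLastError(err);
   fail();
}

// The descriptor was allocated by the conversion function and has to be
// released with LocalFree(); LocalFree(NULL) is a no-op.
LocalFree(sd);
sd = NULL;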
Sähe dann so aus
Delphi-Quellcode:

interface
......
// Import declarations for the advapi32 function that turns an SDDL string
// into a security descriptor. The descriptor is handed back through the
// SecurityDescriptor var parameter; ServiceAfterInstall releases it with
// LocalFree. SecurityDescriptorSize is passed as nil by the caller in this file.

// ANSI variant (LPCSTR input).
function ConvertStringSecurityDescriptorToSecurityDescriptorA(StringSecurityDescriptor: LPCSTR;
  StringSDRevision: DWORD; var SecurityDescriptor: PSECURITY_DESCRIPTOR;
  SecurityDescriptorSize: PULONG): BOOL; stdcall;
{$EXTERNALSYM ConvertStringSecurityDescriptorToSecurityDescriptorA}
// Wide-character variant (LPCWSTR input).
function ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSecurityDescriptor: LPCWSTR;
  StringSDRevision: DWORD; var SecurityDescriptor: PSECURITY_DESCRIPTOR;
  SecurityDescriptorSize: PULONG): BOOL; stdcall;
{$EXTERNALSYM ConvertStringSecurityDescriptorToSecurityDescriptorW}
// Generic variant; bound to the A or W export below via AWSuffix.
// NOTE(review): LPCTSTR has to have the same character width as the export
// selected by AWSuffix - confirm for the compiler version in use.
function ConvertStringSecurityDescriptorToSecurityDescriptor(StringSecurityDescriptor: LPCTSTR;
  StringSDRevision: DWORD; var SecurityDescriptor: PSECURITY_DESCRIPTOR;
  SecurityDescriptorSize: PULONG): BOOL; stdcall;
{$EXTERNALSYM ConvertStringSecurityDescriptorToSecurityDescriptor}
....

implementation
....
const
  advapi32 = 'advapi32.dll';
  // Suffix of the export the generic declaration is linked to:
  // 'W' when UNICODE is defined, 'A' otherwise.
  {$IFDEF UNICODE}
  AWSuffix = 'W';
  {$ELSE}
  AWSuffix = 'A';
 {$ENDIF UNICODE}
// Static bindings to the exports of advapi32.dll.
function ConvertStringSecurityDescriptorToSecurityDescriptorA; external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptorA';
function ConvertStringSecurityDescriptorToSecurityDescriptorW; external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptorW';
function ConvertStringSecurityDescriptorToSecurityDescriptor; external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptor' + AWSuffix;

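// Runs after the service has been installed and replaces the DACL of the
// service object so that interactive users may start it without elevation.
//
// Security notes:
// - SetServiceObjectSecurity with DACL_SECURITY_INFORMATION overwrites the
//   whole DACL with the SDDL below; it does not merge with existing entries.
// - 'RP' on a service object is the right to start it. Granting it to IU
//   means every interactively logged-on user can start this service, so the
//   service must validate whatever it processes at start-up itself.
// - The handles are opened with the minimum rights needed for this job
//   (SC_MANAGER_CONNECT, WRITE_DAC) instead of the *_ALL_ACCESS masks.
//
// Raises an OS error exception (RaiseLastOSError) when a Win32 call fails,
// including a failed SetServiceObjectSecurity, so an installation never looks
// successful while the DACL was not applied.
procedure TMyUpdateService.ServiceAfterInstall(Sender: TService);
const
  SDDL_REVISION_1 = 1; // revision value expected by the conversion function
var
  SA: TSecurityAttributes;
  Permission: String;
  SvcMgr, SvcHandle: SC_HANDLE;
  ServiceName: String;
begin
  Permission := 'D:' +
  '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' + // default permissions for local system
  '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' + // default permissions for administrators
  '(A;;CCLCSWLOCRRC;;;AU)' + // default permissions for authenticated users
  '(A;;CCLCSWRPWPDTLOCRRC;;;PU)' + // default permissions for power users
  '(A;;RP;;;IU)'; // added permission: start service for interactive users

  // SA only serves as a holder for the descriptor pointer.
  SA.nLength := SizeOf(SA);
  SA.bInheritHandle := True;
  SA.lpSecurityDescriptor := nil;

  // PChar follows the string type of the compiler, matching the A/W export
  // the generic declaration is bound to.
  if not ConvertStringSecurityDescriptorToSecurityDescriptor(PChar(Permission),
                                                         SDDL_REVISION_1,
                                                         SA.lpSecurityDescriptor,
                                                         nil
                                                         ) then RaiseLastOSError;
  try
{$IF DEFINED(CLR)}
    SvcMgr := OpenSCManager('', nil, SC_MANAGER_CONNECT);
{$ELSE}
    SvcMgr := OpenSCManager(nil, nil, SC_MANAGER_CONNECT);
{$ENDIF}
    if SvcMgr = 0 then RaiseLastOSError;
    try
      ServiceName := Self.Name;
      // WRITE_DAC is the access right needed to set the DACL of the service.
      SvcHandle := OpenService(SvcMgr, PChar(ServiceName), WRITE_DAC);
      if SvcHandle = 0 then RaiseLastOSError;
      try
        // Do not ignore the result: a silent failure would leave the old
        // DACL in place while the installation reports success.
        if not SetServiceObjectSecurity(SvcHandle, DACL_SECURITY_INFORMATION,
          SA.lpSecurityDescriptor) then RaiseLastOSError;
      finally
        CloseServiceHandle(SvcHandle);
      end;
    finally
      CloseServiceHandle(SvcMgr);
    end;
  finally
    // The descriptor was allocated by the conversion function; release it on
    // every path, including the error paths above.
    LocalFree(HLOCAL(SA.lpSecurityDescriptor));
  end;
end;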
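Falls mal jemand so etwas braucht: Es ist getestet und funktioniert.
Den Service mit RUNAS und UAC-Elevation installieren und dann bei Bedarf einfach mit Benutzerrechten starten. Zu beachten: Durch den Eintrag (A;;RP;;;IU) darf jeder interaktiv angemeldete Benutzer den Dienst starten; der Dienst sollte deshalb alles, was er beim Start verarbeitet (Parameter, Update-Dateien), selbst prüfen und nicht als vertrauenswürdig ansehen.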
Andreas
Monads? Wtf are Monads?

Geändert von QuickAndDirty (19. Sep 2018 um 12:38 Uhr) Grund: Habs jetz so das es geht