Create a GPO and set the service permissions there:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services
You can set the startup type and edit the ACL of any service there. Just add your AD Group to the list and allow service start and service stop. Now link the GPO to the workstations and server where you want the permissions to apply.