This could be a PITA but you could set the services to manual in your image, modify your logins script to start the service, and then create a security group that has access to start the service.
This way anyone that logs in that is part of the security group will have the service start via the login script. You would have to use either a logoff script to stop the services or use a power policy to make sure machines shutdown after a user logs off.