After more than a little trial and error, I've finally been able to do this. Here are the steps:
1. Create a RADIUS client (RADIUS standard) for your NCS.
2. Create a new network policy and populate as follows:
a. Grant Access in "Overview" Tab.
b. In the "Conditions" Tab, Add your AD user group in the "Windows Groups" field and add your NCS to thee "Client IPv4 Address" field.
c. In the "Settings" tab under RADIUS Attributes, add "Service-Type" with the value of "Administrative" (for admin type access) or "Login" (for user type access). Under "Vendor Specific" attributes, add "Cisco-AV-Pair" with a vendor of "Cisco". Now comes the boring bit. In the "Value" field you have to copy the "Task List" for the relevent user group, line by line (93 in total for the admin group), finishing with "NCS:virtual-domain0=ROOT-DOMAIN" (this last line is the bit that is different to WCS and caught me out).
3. One other thing which caught me out was that I had to allow ICMP in on the Windows Firewall on my NPS for this to work. I have no idea why but I was so pleased to finally get it working that I didn't care