If you are using ASA 8.x, then I recommend implementing DAP 9Dynamic Access Policyes) which allows to to control the session establishment (after successful AAA processing) using AAA controls from AD.
DAP#1 - allows clients to connect only if memmerOf= ENgineering, Employees
DAP#2- allows clients to connect only if memmerOf= Consultants
The resulting VPN policy=DAP access/authorizaiton attributes+any Radius/LDAP VSA+ASA Group Policy.
See details at DAP Deployment Guide https://supportforums.cisco.com/docs/DOC-1369 .
Regards,
Nelson