Is it RA VPN? What is your exact topology, like are you using ACS with Active Directory (or some other LDAP)? You can use the TUNNEL-GROUP-Lock feature to lock the users to only one user group.
Are you using external group policy or local for VPN configuration? Secondly, about the mapping, you can always set DENY to the DEFAULT group. Because the order of the mapping will always ALLOW the REST of AD groups to be mapped to DEFAULT group of AC...
TACACS+ is better recommended, due to better accounting, authorization and the ENCRYPTION it uses for communication, whereas RADIUS is plain/clear text algorithm. Since you are using TELNET which is total clear text, then using TACACS provides you som...
Why aren't you using Cisco Secure ACS to make life much easier? I can give you great help in the same scenario as you want but through Cisco Secure ACS.
TRY THIS> http://www.greyware.com/software/domainpassword/ Domain Password is a 32-bit Windows NT4/2K/XP/2003/Vista CGI program to let users securely change their Windows Domain/Active Directory passwords using their web browser. Password change pages ...