that is almost exactly what I want, but it doesn't mention the use of AD groups. 

if you are a use in an AD group "special" use dhcp pool "special".  if you are in group "normal" in AD, then you get assigned to the "normal" dhcp pool. 

@tryingtofixit in the NPS policy, match on condition "AD user group" then configure those settings (ip pool) as per the guide. Create additional policy to match on different conditions and apply different settings (ip pool).

does the nps assigned dhcp-pool override what is in the group policy?

if I have ra-dhcp-pool in the group policy and my special AD is using -ra-special-dhcp pool will the special dhcp pool take precedence over the ra-dhcp-pool that everyone else will get? or is there somewhere in the group policy I need to define the "special" pool ?

@tryingtofixit attributes learnt from a RADIUS server are applied, as they have a higher priority than settings in a group policy. You don't need to specify the "specical" pool in the group policy, as per the guide above, its dynamically applied when the attribute is sent from the RADIUS server. You just need to configure the IP pool.

use Cert. map to assign different group-policy to user depend on CN
these group-policy will use AAA for auth and have different dhcp pool

MHM

use authz condition as AD group and authz result with CVPN3000/ASA/PIX7x-DHCP-Network-Scope = for ip from ms dhcp or CVPN3000/ASA/PIX7x-Address-Pools = for ip as backup from asa.

Do not forget for vpn address assigning priority.
You can set this like this:
# show run all | i vpn-addr-assign
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 60
ipv6-vpn-addr-assign aaa

ipv6-vpn-addr-assign local reuse-delay 60

local reuse-delay 60 tells to ASA wait 60 s for assinging ip address from local addr pool of ASA in case no reply by method aaa or dhcp.

BTW take attentation that asa is not able to use DHCPv6 option, just AAA or/and local.

So option vpn-addr-assign aaa as first and CVPN3000/ASA/PIX7x-DHCP-Network-Scope make toghether with autz condition rule and authz result all what you need.

To be honest option vpn-addr-assign dhcp is propably not need here, becuase it is just for dhcp relay agent from phisical ifaces of ASA, so not for RA, but I assume it is like this for this option, I am not sure, and Cisco does not care about proper and full documentation the difference between option aaa and dhcp. AAA is definitely need it for sure in this setup what you need, ISE, ASA, MS DHCP, AD security groups.

is there anything that shows how to do this using NPS on server 2019 or higher?. the screen shots and instructions don't even come close to what the NPS client presents. 

@tryingtofixit you cannot use the Cisco specific RADIUS VSA beginning with CPVN3000 prefix with Microsoft NPS (you can if you use CIsco ISE) You must manual specify the RADIUS vendor code and specific attribute, as per the example in the first reply above. The Cisco vendor ID will be 3076 and the RADIUS attribute number will differ depending on what value you want to send. Example - vendor attribute 61 = DHCP network scope or 217 = address-pool. The link in the first reply provides instructions how to configure this, just change the attribute number accordingly. The list of codes is https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/aaa-radius.html

yes, I understand about the ID codes and attrib.  but the wordpress URL example is like asking a Window 95 using their gui to setup things in windows 11. Not one screen shot in the NPS microsoft radius example provided even shows how to get to that point in NPS 2019. guessing this nps in the URL is from nps 2012.  That is what I am trying t find. how to I access Vendor codes and attribs in NPS 2019 and higher. The NPS interface has completely changed since 2012.  Google hasn't been much help.  thanks