Cisco Dynamic access policy question

nealleslie
Level 1

I've got my Cisco ASA pulling from Active Directory. So far I've only rolled out the clientless VPN for intranet access, but in testing I have the Cisco AnyConnect VPN also working from Active Directory. I would like to give different levels of access to the AnyConnect VPN. I've been messing around with the dynamic access policies. However, when I create a new policy and map it to the user group in AD and the network access list, and then I choose the terminate button on the DfltAccessPolicy, I can no longer log into the clientless VPN. I've given my DAP policy a priority of 2147483647, which I read was the highest, but it's still not working. What am I doing wrong?

Thanks in advance for your help.


3 Replies

Hi Neal,

No need to add the highest number to the DAP rule.

On the other hand, please run a "debug dap trace" and "debug ldap 255", then try to connect.

Let me know.

Portu.

Please rate any helpful posts

I was able to finally accomplish what I wanted using LDAP maps instead of DAP.

For anyone else using AD authentication on the ASA and wanting to give different levels of access to different groups of users, this is what I did.

We have several offices connected by LAN-to-LAN VPN tunnels that go into our datacenter; I created routes to all those offices, disabled NAT on the VPN traffic, etc. I then created an access list including all of the remote subnets so that when I work from home I can get into a domain controller located in Chicago, for example. But of course I don't want any agent who logs into the AnyConnect VPN to have access to every office.

I then created another access list for basic intranet traffic.

I created two group policies: one of the policies was tunneling only the intranet access list and the other one was tunneling the access list with all the subnets. It didn't seem to matter that only one of the group policies went to a connection profile.

I went into the LDAP attribute map configuration under Remote Access VPN > AAA/Local Users > LDAP Attribute Map.

I clicked New, of course. The LDAP attribute name is memberOf and the Cisco attribute name is group-policy. Then click on Mapping of Attribute Value and put in your LDAP attribute value - CN=Domain Users,OU=Groups,DC="ourdomain",DC=local - and under Cisco attribute value I typed in the group policy with only the standard intranet access list. I then added a second mapping of LDAP attribute value, except this time I configured the Domain Admins (CN=Domain Admins,OU=Groups,DC="ourdomain",DC=local) and input my second group policy, where I configured an access list including all subnets.

You then go into your AAA server groups and make sure the LDAP map you created is selected.

If you're having trouble finding the LDAP attribute value for your domain, you can use dsquery against your DC to find it. That's what I did.

Hope this helps anyone. Thanks.
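As an added example (not from Neal's post or from Cisco's documentation), here is the ASA CLI equivalent of the ASDM steps above: two split-tunnel access lists, two group policies, the memberOf-to-Group-Policy attribute map, and the map attached to the AAA server group. The group-policy and ACL names, subnets, server address and bind account are constructed; the two DNs follow the post. The vpn-filter lines and the default-group-policy choice are additions that make the ASA enforce the per-group restriction rather than relying on the client's split-tunnel routes alone.

```cisco
! Split-tunnel lists: what each class of user routes through the tunnel (constructed subnets)
access-list ACL-INTRANET standard permit 10.10.0.0 255.255.0.0
access-list ACL-ALLSITES standard permit 10.10.0.0 255.255.0.0
access-list ACL-ALLSITES standard permit 10.20.0.0 255.255.0.0
! vpn-filter lists (addition): applied by the ASA to traffic arriving from the client,
! so editing routes on the endpoint cannot widen what a user can reach
access-list VPNF-INTRANET extended permit ip any 10.10.0.0 255.255.0.0
access-list VPNF-ALLSITES extended permit ip any 10.10.0.0 255.255.0.0
access-list VPNF-ALLSITES extended permit ip any 10.20.0.0 255.255.0.0
! Group policy for ordinary staff: intranet only
group-policy GP-INTRANET internal
group-policy GP-INTRANET attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-INTRANET
 vpn-filter value VPNF-INTRANET
! Group policy for Domain Admins: all remote-office subnets
group-policy GP-ALLSITES internal
group-policy GP-ALLSITES attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-ALLSITES
 vpn-filter value VPNF-ALLSITES
! LDAP attribute map: AD memberOf -> ASA Group-Policy (DNs as in the post).
! memberOf is multi-valued; if one account can match both lines, check with
! "debug ldap 255" which policy the ASA actually applies before relying on it.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Domain Users,OU=Groups,DC=ourdomain,DC=local" GP-INTRANET
 map-value memberOf "CN=Domain Admins,OU=Groups,DC=ourdomain,DC=local" GP-ALLSITES
! AAA server group for the domain controller, with the map attached (host and bind DN constructed)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
 ldap-base-dn DC=ourdomain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=ourdomain,DC=local
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
! Connection profile: the default group policy is the least-privileged one,
! so an account that matches no map-value never inherits the wider access
tunnel-group ANYCONNECT-RA type remote-access
tunnel-group ANYCONNECT-RA general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-INTRANET
```

On a domain controller, `dsquery group -name "Domain Admins"` prints the exact DN to paste into the matching map-value line.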

Awesome Neal!!

Thanks for sharing the way you solved your issue with others; that's the idea of this great forum.

Please mark this post as answered.

Have a good one.