Badenough,
Do you use the GUI? In there, the last thing I do after I've created and applied a local user is to edit that user's properties. (Configure :: Remote Access VPN :: AAA Setup :: User :: Edit). That is where & when I set their privileges.
You are right that creating a new group-policy starts as the default policy. Once I've saved it, I then modify it and save it again.
Hope this helps.
Kmills