Here's what I would use:
First, create a User Defined Group like this one:
Then, in your rule for logins, make it something like this:
(This is an awful rule; you'd probably want some NOT statements to trim out the Windows NTSYSTEM accounts and other corporate accounts that are legitimately going to log in to lots of machines at once.)
Then your LogOff Rule would look like:
(Again, awful for [see previous reasons])
And the rule in the middle would be something like: