A Login token is active for 10 sessions (1 hour each). Then it is quarantined for 27 days and not available to be used until that time expires.
You setup users as either login pass users or named users. When a user is setup with a login pass logs in they grab an available 1 hour session if there are any.available. You can't really specify that a user can only have 5 hours. They can login as many times as they want as long as there are tokens available. So the danger here is that you set someone up with login pass and they end up using a lot of your tokens if they all of a sudden become active users. So you have to monitor usage.
I don't see where you can allocate the tokens to a specific user group. Just allocate them for the entire system.