Yes, this should be possible. If you use LDAP as back end auth protocol, you can use the "memberof" attribute to only allow users part of specific AD group to have access to VPN. Users would be assigned a specific Group-policy using LDAP attribute maps. The rest will fall into a group-policy with "simultaneous-logins" set to 0. You can use the example given in this doc:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15