I just had a look at the config file for my display manager (I use slim) and there is a setting for the login command. It is set to:
login_cmd exec /bin/bash -login /etc/X11/Xsession %session
I wonder if you could change it to something like:
login_cmd exec /bin/bash -login (sudo /usr/local/bin/su_generic /etc/X11/Xsession %session)
Where you have set up sudo to allow the specific users to run /usr/local/bin/su_generic without entering a password.
/usr/local/bin/su_generic would be a script containing something like.
Where "generic" is the user that everyone will be using. I think this should probably satisfy the legal requirements since the su call is logged, so you can see which individual user is logged in as the generic user. The reason for using the script instead of a direct "sudo su" is simply because you don't want to give passwordless access to the "su" command for your users.
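
One possible shape for the wrapper script and sudoers rule described above, as an added example that is not part of the original post. The `kiosk` group, the argument allow-list, the `logger` tag, and the assumption that session names are simple tokens are all hypothetical choices made here.

```shell
#!/bin/sh
# Added example: a possible /usr/local/bin/su_generic (root-owned, mode 0755).
# Assumed sudoers entry, edited with visudo (group "kiosk" is hypothetical):
#   %kiosk ALL=(root) NOPASSWD: /usr/local/bin/su_generic
# Assumption: sudo and su are configured to pass DISPLAY/XAUTHORITY through.

TARGET_USER=generic              # the shared account named in the post
XSESSION=/etc/X11/Xsession

# Accept only "<Xsession path> [session-name]" so the passwordless sudo rule
# cannot be used to run arbitrary commands as the shared account.
valid_request() {
    [ "$#" -ge 1 ] && [ "$#" -le 2 ] || return 1
    [ "$1" = "$XSESSION" ] || return 1
    case "${2-}" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # spaces, slashes, shell metacharacters
    esac
    return 0
}

main() {
    if ! valid_request "$@"; then
        logger -p auth.warning -t su_generic \
            "rejected request from ${SUDO_USER:-unknown}"
        exit 1
    fi
    # sudo sets SUDO_USER to the invoking account; record it next to the
    # entries that sudo and su write themselves.
    logger -p auth.info -t su_generic \
        "${SUDO_USER:-unknown} starting session as $TARGET_USER"
    exec su - "$TARGET_USER" -c "$XSESSION ${2-}"
}

# Run only when installed and invoked under its real name.
case "$0" in
    */su_generic) main "$@" ;;
esac
```

Because the sudoers rule names only this script and the script fixes both the target user and the command, the passwordless grant does not extend to `su` in general.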