This is the way to do it (although I find the following form less confusing):
@IsNotMember( "[ToolAdmin]"; @UserRoles )
Have you checked the "Enforce a consistent ACL across all replicas of this database" on the Advanced tab of the database ACL screen? It needs to be on.
If that's not the problem, you can test the contents of @UserRoles with :
Hope that helps....