If you have an SIS, you can export usernames into a CSV of everyone you want to lock out. Then you throw in a 2nd column called "auth" so you can change their authentication method to "nologin" -- this will prevent them from logging in once you upload that csv to the " Site administration - Users - Accounts - Upload users" section of your site. When you're ready to 'unlock them', use the same CSV but use "manual" instead of "nologin".