diff --git a/userlock.yml b/userlock.yml
new file mode 100644
index 0000000000000000000000000000000000000000..060cb2ea8454e585b29ec5e9365b1cf43e0d5810
--- /dev/null
+++ b/userlock.yml
@@ -0,0 +1,21 @@
+##
+# Ansible playbook to lock a user on all hosts
+#
+# NOTE: the user needs to be removed from the admin list as well, otherwise
+#     it gets created again during system maintenance.
+
+---
+# file: userlock.yml
+
+- name: "Lock user on all hosts"
+  hosts: "all"
+  sudo: yes
+  tasks:
+    - name: "Reset Passwd"
+      shell: usermod -L {{ lockuser_username }}
+    - name: "Remove Key"
+      authorized_key:
+        user={{ lockuser_username }}
+        key="{{ lookup('file', inventory_dir + '/files/keys/' + lockuser_username + '.d2s.pub') }}"
+        state=absent
+        exclusive=yes
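Review bot: The "Reset Passwd" task only locks the password hash, so the account is not fully disabled: `usermod -L` leaves key-based SSH login working. The "Remove Key" task deletes just the one key read from `files/keys/`, and `exclusive` appears to take effect only with `state=present`, so any other key the user added to authorized_keys would survive. Expiring the account closes that gap, and using `command` instead of `shell` keeps `lockuser_username` from being interpreted by a shell: `command: usermod -L --expiredate 1 {{ lockuser_username }}`. Separately, `sudo: yes` is the older spelling of privilege escalation; `become: true` is the current one.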