diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..dd16570a6ba621615521ec3042f1b243ce86d2f1
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+users: []
diff --git a/files/etc_ansible_facts_d_users_sh b/files/etc_ansible_facts_d_users_sh
new file mode 100644
index 0000000000000000000000000000000000000000..4b4c4433c0e715d78bc0996583386f6d3b730579
--- /dev/null
+++ b/files/etc_ansible_facts_d_users_sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "[" >/etc/ansible/facts.d/users.fact
+cat /etc/passwd | perl -aF: -ne 'print "{\"name\": \"",$F[0],"\",\"home\": \"",$F[5],"\"},\n" if $F[2] > 499' >>/etc/ansible/facts.d/users.fact
+echo "0]" >>/etc/ansible/facts.d/users.fact
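Review bot: The fact file is built by string concatenation, so a username or home directory containing `"` or `\` (both legal in /etc/passwd) produces malformed JSON or injects extra keys, and the `0]` sentinel appended to absorb the trailing comma puts a bare integer into `ansible_local.users` that every consumer then has to filter out. Emitting the structure with the core JSON::PP module (core since Perl 5.14) avoids both problems: `perl -MJSON::PP -F: -lane 'push @u, {name => $F[0], home => $F[5]} if $F[2] > 499; END { print JSON::PP->new->encode(\@u) }' /etc/passwd > /etc/ansible/facts.d/users.fact`. The filter `$F[2] > 499` has no upper bound, so `nobody` (UID 65534 on most distributions) is included and will be locked and have its keys removed unless it is listed in `users`; on Debian-derived systems UIDs 500–999 are also system accounts, so the threshold is worth making a variable rather than a constant. Consider `set -euo pipefail` at the top so a partially written fact file is not left behind if a step fails.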
diff --git a/tasks/cleanup.yml b/tasks/cleanup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cf849132ff0d97e5e276ca8a654772b23abf8aeb
--- /dev/null
+++ b/tasks/cleanup.yml
@@ -0,0 +1,35 @@
+##
+# Task file in Ansible role "users" to securely lock deprecated user accounts.
+#
+
+---
+# file: cleanup.yml
+
+- name: "Make sure, the directory exists"
+  file: dest='/etc/ansible/facts.d'
+        state=directory
+        owner=root
+        group=root
+        mode=775
+- name: "Copy the extract script"
+  copy: src='etc_ansible_facts_d_users_sh'
+        dest='/etc/ansible/facts.d/users.sh'
+        owner=root
+        group=root
+        mode=755
+- name: "Extract user list"
+  shell: /etc/ansible/facts.d/users.sh
+- name: "Gather facts"
+  setup:
+- name: "Unlock legitimate user accounts"
+  command: usermod --unlock {{item.name}}
+  with_items: ansible_local.users
+  when: item.name is defined and item.name in users
+- name: "Lock deprecated user accounts"
+  command: usermod --lock {{item.name}}
+  with_items: ansible_local.users
+  when: item.name is defined and item.name not in users
+- name: "Disable ssh keys for deprecated user accounts"
+  command: rm {{item.home}}/.ssh/authorized_keys
+  with_items: ansible_local.users
+  when: item.name is defined and item.name not in users
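Review bot: The `rm {{item.home}}/.ssh/authorized_keys` task fails the play for any deprecated account that has no authorized_keys file, and because `command` word-splits the templated string, a home path with whitespace would be passed as several arguments; `file: path="{{ item.home }}/.ssh/authorized_keys" state=absent` is idempotent, quotes the value, and skips cleanly when the file is missing. `usermod --lock` only prefixes the password hash with `!`, so it neither terminates existing sessions nor blocks non-password logins; adding `--expiredate 1` to the lock command makes PAM reject the account outright, and existing sessions still need to be killed separately (the role does not address this). Both usermod tasks report `changed` on every run; add `changed_when: false` or switch to the `user` module's `password_lock` if the target Ansible version supports it. The bare `with_items: ansible_local.users` should be `with_items: "{{ ansible_local.users }}"`, and `mode=775` on `/etc/ansible/facts.d` makes a directory that `setup` executes scripts from group-writable for no stated reason; `0755` is the safer default.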
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d1075c27bb401c36c73061bb22a17e779742d8a0
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,14 @@
+##
+# Main task file in Ansible role "users" to manage user accounts on hosts.
+#
+
+---
+# file: main.yml
+
+- name: "Check requirements: is the user hash defined"
+  local_action: shell echo "There are no users defined"
+  when: not users
+  changed_when: false
+  failed_when: not users
+
+- include: cleanup.yml
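Review bot: The requirements check routes a precondition through `local_action: shell echo` plus `failed_when`, which runs a shell on the controller only to produce a failure message; the `fail` module expresses the same guard directly and is the idiomatic form: `- fail: msg="There are no users defined"` with `when: not users`. The guard itself is important (with the default `users: []` every account above the UID threshold would otherwise be locked and have its keys removed), so a comment stating that intent, e.g. `# Refuse to run with an empty list: cleanup.yml locks every account not in users`, would help the next maintainer keep it.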