It since became better thanks to a new feature from SAP -> as of release 7.40 you can migrate the protected admins and user groups to security policies (see transaction SECPOL).
You can then use dynamic RZ11 parameter login/server_login_restriction to block all types of logins without having to lock / unlock each user.
This also means that you can lock users based on logon groups (appserver instance parameters) or system wide and client independently, without any performance problems.
Cheers,
Julius