You can do this by creating /etc/nologin file - this will prvent ALL users logging except for root. this file is remove when reboot or you can allow users to log back by deleting the file.
when we do maintenance we have is a script to disallow user from logging in to the db but still can get into the apps menu prompt. we have 2 scripts named putin_nologin & remove_nologin
putin_nologin is run b-4 maintenance the contain of the script is as simple as the below
cp symtem_down nologin_xxx , where xxx is the name db
after maintenance remove_nologin is run
rm nologin_xxx , where xxx is the name of the db
also you might want to expirement the Attributes 'login' in the /etc/security/user