Use usermod --expiredate 1 username instead of passwd -l username.
Passwd -l does not disable an account, just makes the password unusable, but the user could still login using an ssh key or other auth meth.
By the way, I know a lot of admins who made this mistake 😉