I would like to implement the following in my SF2/FOSUserBundle application.

The idea is to have users register themselves using a standard registration form. Then they are sent an email with a confirmation link. When the user opens the link, it validates their email address (important). But I'd like the user to not be enabled yet. It would require the action of an admin to enable the user.

I managed to have the email confirmation part, which is nice, but when the users open the confirmation link they are enabled right away ... Is there a way to change this behaviour.

What would be the best way to do that (I bet i'm not the first one to try) ?

you can override default UserChecker putting this as parameter:

// ACME/YourBundle/Resources/Config/services.yml
parameters:
    security.user_checker.class: ACME\YourBundle\Security\Core\User\UserChecker 

and write your class:

// ACME/YourBundle/Security/Core/User/UserChecker.php
namespace ACME\YourBundle\Security\Core\User\UserChecker;

use Symfony\Component\Security\Core\User\UserChecker as BaseCode;
use Symfony\Component\Security\Core\User\UserInterface;

class UserChecker extends BaseCode
{
    public function checkPreAuth(UserInterface $user)
    {
        // Your Business logic

        parent::checkPreAuth($user);
    }
}