We declare all our users as virtual resources. E.g.:

@user { 'belmin':
    uid     => 2001,
    comment => 'Belmin Fernandez',
    groups  => ['sysadmins'],
}

Sometimes we temporarily realize a user for a node:

node web1 {
    realize User['belmin']
}

I am investigating ways to ensure that users that are not realized in the node do not exist on that server. The first way that comes to mind is doing this when the temporary realize is removed:

node web1 {
    User <| title == 'belmin' |> {
        ensure => absent,
    }
}

However, that could easily be accidentally omitted by someone when making the removal of the temporary realize. Any other more elegant suggestions?

Belmin Fernandez

2 Answers


Puppet has a means to remove all users that are not explicitly managed. This includes virtual users that are not getting realized.

resources { 'user':
    purge => true,
}

This ignores system users with UIDs below 500 (or 1000 for Debian and some BSDs). It usually does the right thing. Needless to say, this should be used with great caution.

Felix Frank
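
A dry-run check for the purge described in the answer above, as an added example that is not part of the original answer or of Puppet: it lists accounts in a passwd file that sit at or above the UID threshold and are not in the managed set. The sample passwd content, the `olduser` and `deploy` accounts and the function names are constructed for illustration, and the selection rule is a simplification of the behaviour the answer describes.

```python
# Added illustration: preview which accounts a user purge would remove.
# Approximates the rule as the answer describes it; not Puppet's own code.

# Constructed sample in /etc/passwd format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
belmin:x:2001:2001:Belmin Fernandez:/home/belmin:/bin/bash
olduser:x:2002:2002:Former Contractor:/home/olduser:/bin/bash
deploy:x:2003:2003:Deploy Account:/home/deploy:/bin/sh
"""


def parse_passwd(text):
    """Yield (name, uid) per valid passwd line; skip comments and bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])


def purge_candidates(passwd_text, managed, min_uid):
    """Accounts at or above min_uid that the catalog does not manage."""
    return sorted(
        name for name, uid in parse_passwd(passwd_text)
        if uid >= min_uid and name not in managed
    )


if __name__ == "__main__":
    # Hypothetical catalog for web1: only 'belmin' is realized.
    for name in purge_candidates(SAMPLE_PASSWD, {"belmin"}, min_uid=1000):
        print("would be removed:", name)
```

In the sample, the `deploy` service account shows up next to the stale `olduser` login, which is the kind of unmanaged but still needed account to bring under management before turning the purge on.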

While writing the question, I thought of doing something like this in a class:

class our_users {
    user { 'belmin':
        ensure  => absent,
        uid     => 2001,
        comment => 'Belmin Fernandez',
        groups  => ['sysadmins'],
    }
}

And then, in the node:

node web1 {
    include our_users
    User <| title == 'belmin' |> {
        ensure => present,
    }
}

node web2 {
    include our_users
}

Then, any node that does not have the user realized and the ensure attribute overwritten will have that user ensured as absent.

I'm not completely certain this will work but putting it out there while I test it in case there's a weakness/issue with it that I do not spot.

Belmin Fernandez