Removing users not known to Puppet
Here's an interesting one. Puppet takes the stance of ignoring things it doesn't know about. How would I run through the list of users on a machine and remove the ones not known to Puppet? What has happened a couple of times is that someone has added users to a server which are then not managed.
This is not as dangerous as it seems, as we run Puppet in noop mode and have a central web server which requests authorisation before executing modifications. That way we have an audit trail of changes.
I have written custom facts to iterate the passwd and group files, but would it be possible to generate resources from all those facts with present/absent being dependent on Hiera details?
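
One way to get this behaviour without custom facts, as an added example that is not part of the original post: declare the wanted users from Hiera and let Puppet's built-in `resources` type purge every other non-system account. The Hiera key `managed_users` and its layout are assumptions made for this sketch.

```puppet
# Hypothetical Hiera key 'managed_users' (an assumption, not from the post):
# a hash of user name => attribute hash, for example (constructed data)
#   managed_users:
#     alice: { uid: 1001, shell: /bin/bash }
#     bob:   { ensure: absent }
$managed_users = lookup('managed_users', Hash, 'hash', {})

# Declare every user listed in Hiera. 'ensure' defaults to present and
# can be overridden per user in the data (e.g. ensure: absent).
$managed_users.each |String $name, Hash $attrs| {
  user { $name:
    * => { 'ensure' => 'present' } + $attrs,
  }
}

# The 'resources' metatype enumerates all user accounts found on the node
# and generates "ensure => absent" for each one that is not declared in
# the catalog. unless_system_user keeps accounts below the system's
# minimum regular UID (root, daemon, service accounts) out of the purge.
resources { 'user':
  purge              => true,
  unless_system_user => true,
}
```

In noop mode each account that would be purged shows up in the run report as a pending change to `ensure => absent`, so unmanaged accounts pass through the same review step as any other modification.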