Manage local users, setting an initial password and letting the user manage it as needed afterward.

Rob Nelson




Version information

  • 2.0.3 (latest)
  • 2.0.1
  • 2.0.0-rc0
  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.9.4
  • 0.9.3
  • 0.9.2
  • 0.9.0
released Dec 27th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >=4.6.0 <7.0.0
  • RedHat



rnelson0/local_user — version 2.0.3 Dec 27th 2019



Table of Contents

  1. Overview
  2. Usage - Configuration options and additional functionality
  3. Caveats and Clarifications


This module provides a defined type, local_user, that wraps the Puppet 'user' resource type with validation. You may also provide an initial password that is set only when the user has no password, as is the case for a brand new 'user' resource that Puppet creates. This allows users to maintain their own passwords after creation.


Resource Definition

Create a local user by providing at a minimum the user name, state, groups, and initial password:

local_user { 'rnelson':
  state            => 'present',
  groups           => ['group1', 'group2'],
  # Initial password, supplied already encrypted (not plaintext)
  password         => 'encryptedstring',
}

You may also provide the shell, home directory, password max age, the last change date (YYYY-MM-DD or number of days since Jan 1, 1970), and an array of ssh keys. These values default to /bin/bash, /home/, 90 days, 0 days, and null, respectively.

local_user { 'rnelson':
  state               => 'present',
  shell               => '/bin/bash',
  home                => '/home/rnelson0',
  managehome          => true,
  comment             => 'Rob Nelson',
  groups              => ['rnelson0', 'wheel'],
  gid                 => 'rnelson0',
  manage_groups       => true,
  last_change         => '2015-01-01',
  password            => 'encryptedstring',
  password_max_age    => 1000,
  ssh_authorized_keys => ['ssh-rsa AAAA...123 user@host'],
}
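
An added example, not part of the module or its README: a Python audit of /etc/shadow entries that shows how last_change and password_max_age look on a managed host, including the shadow(5) rule that a last-change value of 0 (the default here) forces a password change at next login. It assumes those two parameters end up in the shadow last-change and maximum-age fields and that "no password" means an empty, '!' or '*' password field; the sample entries are constructed and the function names are hypothetical.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)


def to_shadow_days(last_change):
    """Accept 'YYYY-MM-DD' or a day count (the two forms last_change takes)
    and return the number of days since 1970-01-01."""
    text = str(last_change)
    if text.isdigit():
        return int(text)
    return (date.fromisoformat(text) - EPOCH).days


def audit_shadow_line(line):
    """Summarise the /etc/shadow fields that the password parameters affect."""
    name, pw_hash, lastchg, _min_age, max_age = line.rstrip("\n").split(":")[:5]
    # Assumption: "no password" = empty, locked ('!', '!!') or disabled ('*').
    has_password = bool(pw_hash) and not pw_hash.startswith(("!", "*"))
    lastchg_days = int(lastchg) if lastchg else None
    expires = None
    if lastchg_days and max_age:  # 0 or empty last-change: no computed expiry
        expires = EPOCH + timedelta(days=lastchg_days + int(max_age))
    return {
        "user": name,
        "has_password": has_password,
        # shadow(5): a last-change value of 0 forces a change at next login.
        "must_change_at_login": lastchg_days == 0,
        "password_expires": expires,
    }


# Constructed sample entries; the hashes are placeholders, not real values.
SAMPLE_SHADOW = [
    "rnelson0:$6$examplesalt$placeholderhash:16436:0:1000:7:::",
    "newuser:!!:0:0:90:7:::",
    "bob:$6$examplesalt$placeholderhash:0:0:90:7:::",
]


def audit(lines):
    return [audit_shadow_line(entry) for entry in lines]


if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW):
        print(row)
```
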

Starting with v1.0.8, a new local_user::windows type is available. The user can be given access to the administrator or remote desktop user groups with the parameters $admin (default false) and $allow_rdp (default true). It shares the common parameters of $state, $password, $groups, and $comment. Unlike the unix version of local_user, the password is unencrypted and will be reset on every run.

local_user::windows { 'bob' :
  state     => present,
  # Unencrypted; reset on every run (see above)
  password  => 'Bobbo1234',
  groups    => ['Administrators'],
  comment   => 'Bob is Cool',
  allow_rdp => true,
}

Via Hiera

You can also store your user information in hiera and use the create_resources() function to create the users. The user(s) can be defined in the appropriate level(s) of your hierarchy, for example at the least-specific level, global.yaml:

# global.yaml
local_users:
  'rnelson':
    state:            'present'
    home:             '/home/rnelson0'
    managehome:       true
    comment:          'Rob Nelson'
    groups:
      - 'rnelson0'
      - 'wheel'
    gid:              'rnelson0'
    manage_groups:    true
    last_change:      '2015-01-01'
    password:         'encryptedstring'
    password_max_age: '1000'
    ssh_authorized_keys:
      - 'ssh-rsa AAAA...123 user@host'

Add code similar to the following block to a common class, such as profile::base. The result of the hiera lookup for local_users, using your hiera merge strategy, will be discovered and added to the node's manifest.

# Puppet 3
# profile/manifests/base.pp
class profile::base {
  # Your base profile goes here

  $local_users = hiera('local_users', undef)
  if ($local_users) {
    create_resources('local_user', $local_users)
  }
}

# Puppet 4
class profile::base {
  # Your base profile goes here

  $user_defaults = {
    state => 'present',
  }
  # Default to an empty hash so .each is safe when no users are defined
  $local_users = hiera('local_users', {})
  $local_users.each |$user, $attributes| {
    local_user {
      default:
        * => $user_defaults;
      $user:
        * => $attributes,
    }
  }
}

This example is functionally equivalent to the second Resource Definition example.

Caveats and Clarifications

  • When no $comment is provided, the comment field will contain the username.

  • If the specified groups do not exist and are not created elsewhere in your catalog (or are ordered incorrectly), you will receive errors preventing the user from being created. Set the parameter manage_groups to true and the groups will be managed and ordered within local_user. The error looks like:

Error: Could not create user rnelson0: Execution of '/usr/sbin/useradd -c Rob Nelson -g rnelson0 -G wheel
-d /home/rnelson0 -s /bin/bash -m rnelson0' returned 6: useradd: group 'rnelson0' does not exist