Forge Home


Manage local users, setting an initial password and letting the user manage it as needed afterward.


8,619 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.3 (latest)
  • 2.0.1
  • 2.0.0-rc0 (deleted)
  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.9.4
  • 0.9.3
  • 0.9.2
  • 0.9.0
released Dec 27th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >=4.6.0 <7.0.0
  • , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'rnelson0-local_user', '2.0.3'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add rnelson0-local_user
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install rnelson0-local_user --version 2.0.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



rnelson0/local_user — version 2.0.3 Dec 27th 2019


Build Status Puppet Forge Puppet Forge Downloads

Table of Contents

  1. Overview
  2. Usage - Configuration options and additional functionality
  3. Caveats and Clarifications


This module provides a defined type, local_user, that wraps the puppet 'user' resource type with validation. You may also provide a initial password that is set only when the user has no password, as a brand new 'user' resource puppet creates will have. This allows users to maintain their own passwords after creation.


Resource Definition

Create a local user by providing at a minimum the user name, state, groups, and initial password:

local_user { 'rnelson':
  state            => 'present',
  groups           => ['group1', 'group2'],
  password         => 'encryptedstring',

You may also provide the shell, home directory, password max age, the last change date (YYYY-MM-DD or number of days since Jan 1, 1970), and an array of ssh keys. These values default to /bin/bash, /home/, 90 days, 0 days, and null, respectively.

local_user { 'rnelson':
  state            => 'present',
  shell            => '/bin/bash',
  home             => '/home/rnelson0',
  managehome       => true,
  comment          => 'Rob Nelson',
  groups           => ['rnelson0', 'wheel'],
  gid              => 'rnelson0'
  manage_groups    => true,
  last_change      => '2015-01-01',
  password         => 'encryptedstring',
  password_max_age => 1000,
  ssh_authorized_keys => ['ssh-rsa AAAA...123 user@host'],

Starting with v1.0.8, a new local_user::windows type is available. The user can be given access to the administrator or remote desktop user groups with the parameters $admin (default false) and $allow_rdp (default true). It shares the common parameters of $state, $password, $groups, and $comment. Unlike the unix version of local_user, the password is unencrypted and will be reset on every run.

local_user::windows { 'bob' :
  state     => present,
  password  => 'Bobbo1234',
  groups    => ['Administrators'],
  comment   => 'Bob is Cool',
  allow_rdp => true,

Via Hiera

You can also store your user information in hiera and use the create_resources() function to create the users. The user(s) can be defined in the appropriate level(s) of your hierarchy, for example at the least-specific level, global.yaml:

# global.yaml
    state:            'present'
    home:             '/home/rnelson0'
    managehome:       true
    comment:          'Rob Nelson'
      - 'rnelson0'
      - 'wheel'
    gid:              'rnelson0'
    manage_groups:    true
    last_change:      '2015-01-01'
    password:         'encryptedstring'
    password_max_age: '1000'
      - 'ssh-rsa AAAA...123 user@host'

Add code similar to the following black to a common class, such as profile::base. The result of the hiera lookup for local_users, using your hiera merge strategy, will be discovered and added to the node's manifest.

# Puppet 3
# profile/manifests/base.pp
class profile::base {
  # Your base profile goes here

  $local_users = hiera('local_users', undef)
  if ($local_users) {
    create_resources('local_user', $local_users)
# Puppet 4
class profile::base {
  # Your base profile goes here

  $user_defaults = {
    state => 'present',
  $local_users = hiera('local_users', undef)
  $local_users.each |$user, $attributes| {
        * => $user_defaults;
        * => $attributes,

This example is functionally equivalent to the second Resource Definition example.

Caveats and Clarifications

  • When no $comment is provided, the comment field will contain the username.

  • If the specified groups do not exist and or not created elsewhere in your catalog (or ordered incorrectly), you will receive errors preventing the user from being created. Set the parameter manage_groups to true and the groups will be managed and ordered within local_user. The error looks like:

Error: Could not create user rnelson0: Execution of '/usr/sbin/useradd -c Rob Nelson -g rnelson0 -G wheel
-d /home/rnelson0 -s /bin/bash -m rnelson0' returned 6: useradd: group 'rnelson0' does not exist