I recently added to HEAD tests about users and groups definitions (patch here).
It is now enabled by default on
puppetresources, which might not be a great idea (let me know if you would rather have a switch).
The basic idea is that some built-in types take user and group names as parameters. There is no check for existence during catalog compilation (and there can’t be meaningful tests anyway), so you can get catalog application failures. This particular test (named
usersGroupsDefined) checks that all the groups and users used in the
user types are defined somewhere.