Puppet and Virtual User Creation

I have been using Puppet for more and more admin tasks, and expanding the complexity of what I am doing. Currently, I am doing just about everything in the puppet config files, but am planning on starting to use ENC (initially through Puppet Dashboard, possibly moving to The Foreman). I didn't love the way I was managing users with Puppet, and am in the process of revamping it. I had really needed to virtualize user creation, so that things became manageable. To that end, I found Scott Lowe's Blog on Puppet Account Management, which got me 90% of where I wanted to go. The trick I still wanted to perform was to set an initial password, but not to reset their password after they change it. I had an idea of how to do this using Subscribe, and that at least seems to be working well initially.

define intusers::virtual ($uid,$realname,$pass) {

  user { $title:
    ensure            =>  'present',
    uid               =>  $uid,
    gid               =>  $title,
    shell             =>  '/bin/bash',
    home              =>  "/home/${title}",
    comment           =>  $realname,
#    password          =>  $pass,
    password_max_age => '90',
    password_min_age => '0',
    groups     => ['sudo'],
    managehome        =>  true,
    require           =>  Group[$title],
  }
  group { $title:
    gid               =>  $uid,
  }

  exec { "/usr/sbin/usermod -p \'$pass\' $title":
    refreshonly => true,
    subscribe => User[$title],
    #    logoutput => true,
  }