initial_password
Inspired by a customer wanting a way to create a user where we only set their password upon creation and don't manage it after that so they could presumably change it without restriction.
Big thanks to freiheit's post from 2012 for the exec: http://serverfault.com/questions/350230/how-can-i-have-puppet-only-set-password-when-creating-a-user