To ensure that a local user exists but is locked (for example a service account) simply specify policy => "locked".
policy => "locked"
[%CFEngine_include_snippet(users_type.cf, ### Locked User BEGIN ###, ### Locked User END ###)%]