On POSIX, we have the capacity to purge non-system users not explicitly mentioned in puppet. We use this on servers to remove employees when they leave. We should have something similar for Windows. Unfortunately, this requires solving https://tickets.puppetlabs.com/browse/PUP-3662 and merging that upstream.
We won't be using puppet for anything that gets per-user accounts in the near future, so nothing to do here.