FYI. I ended up deleting /etc/shadow from my
template . I created an
extended object called etc_shadow_no_pass by using
the cut command to give me all the /etc/shadow fields except
field 2 ( encrpted password ) . Then, I added the
etc_shadow_no_pass extended object
to my existing template. Now I Snapshot and audit that template.