From your suggestion, I installed the ShadowPassword bundle, which seems to be a subset of the trusted system, because it removes encrypted passwords from the /etc/passwd file and puts them in...
I tried that, worked fine, helped me reach my objective, but then we realized that our backup solution, Symantec's BackupExec and its RALUS agent for Unix stopped working, as it is not compatible...
I understand, you think that it is a bad idea to not grant read authority to /etc/passwd. In fact, regular users are greeted with a menu of our application; they don't have access to the prompt.
...
No, the user is not uncommented, in fact we use it to run npui, the OpenSpool management interface. Also, all spooler processes (queues and brokers) are run under spooladm.