diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
index e73666755..c52918f55 100644
--- a/etc/kayobe/ansible/maintenance/cis.yml
+++ b/etc/kayobe/ansible/maintenance/cis.yml
@@ -20,16 +20,26 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
+    - name: Gather passwd entries
+      ansible.builtin.getent:
+        database: passwd
+      become: true
+
     - name: Ensure service accounts have no expiry options set
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_min: 0
+        password_expire_max: 99999
+        password_expire_warn: 7
+        expires: -1
       become: true
-      changed_when: false
-      with_items:
+      loop:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
+      when: item in ansible_facts.getent_passwd
 
 - name: Security hardening
   hosts: cis-hardening
diff --git a/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
new file mode 100644
index 000000000..339fe93fd
--- /dev/null
+++ b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CIS hardening playbook skips service accounts that do not exist on the host
+    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.
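Review bot: The new `password_expire_max: 99999` on the `ansible.builtin.user` task deliberately exempts `kayobe_ansible_user` and `kolla_ansible_user` from the CIS "password expiration is 365 days or less" control, and the task comment only explains the historical workaround, not why the exemption is acceptable; presumably these are key-authenticated service accounts without usable passwords, and that assumption should be recorded next to the existing comment, e.g. `# NOTE: max 99999 intentionally waives the CIS password-expiry control for these key-based service accounts; revisit if they are ever given passwords.` The `when: item in ansible_facts.getent_passwd` guard is also what prevents the module's default `state: present` from creating a missing account, so it is worth a one-line comment stating that the getent lookup is a guard against account creation, not just against errors. Note that `password_expire_warn` is a relatively recent addition to the user module (ansible-core 2.16, to my recollection), so the minimum ansible-core version for this playbook should be checked. The enclosing play and its `tasks:` list begin outside this hunk.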