If a valid config.xml file for a user is placed in the root user folder, i.e. JENKINS_HOME/users/config.xml, it causes a nameless user to be created that does not appear anywhere in the UI and generally can't be managed. (You can access it via groovy script or by editing the xml but that seems to be about it).
In our case this file was created by a bug in a Chef recipe, but Chef bugs asside, it seems incorrect behavior for Jenkins pick up such a misplaced config file and created a nameless user from of it. Or is this intended behavior? If so this ticket should be used to document it somewhere and if not, it should be used to fix it.
For some background: This turns out to be the root cause of the issue reported in
JENKINS-29860. The initial AD error reported there was caused by having a nameless user with the same SSH key as a named user. (This lead to JENKINS-32534 being opened as well.) The nameless user was created because of a bug in the Chef recipe such that it created a config.xml file for our admin user in the root user folder JENKINS_HOME/users/config.xml instead of updating the intended existing file JENKINS_HOME/users/<admin-user>/config.xml.