What is the recommended method to prepare Red Hat/CentOS 7 templates?

12,739

What we think of as the initial setup is actually in three parts. The first two are:

  • Initial setup, which asks you to accept the license and create a user
  • Firstboot, which asks you to configure kdump and (on RHEL) set up your subscription

Both of these are now enabled via systemd; once complete they disable themselves.

So, all you should have to do is remove any local user(s) created during the first Initial Setup process and re-enable these services:

    systemctl enable initial-setup-graphical.service
    systemctl enable firstboot-graphical.service
    > /etc/sysconfig/firstboot

and reboot.

I'm not entirely sure about the third part, which asks you for your language and to create a user account or to join the machine to a domain. This, at least, will continue coming back until you actually complete the wizard. (So don't do that.)

It still may be a good idea to clean up host keys and any hardware-specific configuration. (MAC addresses in udev rules and interface configuration files.)
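A read-only pre-template check for the cleanup described in this answer and in the sealing procedure quoted in the question, as an added example that is not part of the original post. The function name `audit_template`, the `AUDIT_FINDINGS` variable and the UID 1000 threshold for regular users are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a RHEL/CentOS 7 root tree before templating.
# audit_template ROOT prints one line per leftover, stores the count in
# AUDIT_FINDINGS (hypothetical name) and returns 0 only when nothing is left.
audit_template() {
    root="${1:-/}"; root="${root%/}"; AUDIT_FINDINGS=0
    note() { echo "FINDING: $*"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }

    # SSH host keys: every clone would present the same host identity.
    for f in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$f" ]; then note "SSH host key: ${f#"$root"}"; fi
    done
    # udev 70-* rules bind interface names to the template's MAC address.
    for f in "$root"/etc/udev/rules.d/70-*; do
        if [ -e "$f" ]; then note "udev rule: ${f#"$root"}"; fi
    done
    # HWADDR= / UUID= lines in interface configuration files.
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$f" ] && grep -Eq '^[[:space:]]*(HWADDR|UUID)=' "$f"; then
            note "HWADDR/UUID set in ${f#"$root"}"
        fi
    done
    # Local users left over from Initial Setup. Assumption: regular accounts
    # start at UID 1000 and 65534 is the nfsnobody account.
    if [ -f "$root/etc/passwd" ]; then
        for u in $(awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' "$root/etc/passwd"); do
            note "local user account: $u"
        done
    fi
    # The answer truncates this file; a non-empty one still records state.
    if [ -s "$root/etc/sysconfig/firstboot" ]; then
        note "/etc/sysconfig/firstboot is not empty"
    fi
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Run against a mounted image when a path is given, e.g. ./audit.sh /mnt/image
if [ "$#" -gt 0 ]; then audit_template "$1"; fi
```

The check only reads files, so it can be run against the live template before shutdown or against an image mounted on another host.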


Author: Aaron Copley

Updated on September 18, 2022

Comments

  • Aaron Copley
    Aaron Copley almost 2 years

    If I need to deploy Red Hat 7 from template, I would like to take the recommended steps to make my "golden image" clean. It should boot to the first boot prompt and guide the user through the typical steps.

    In Red Hat 5/6, I followed the documentation provided by the vendor. However, I cannot find the equivalent for Red Hat 7. Specifically, touch /.unconfigured does not trigger the first boot setup.

    9.3.1. Sealing a Linux Virtual Machine for Deployment as a Template

    Summary
    Generalize (seal) a Linux virtual machine before making it into a template. This prevents conflicts between virtual machines deployed from the template.

    Procedure 9.6. Sealing a Linux Virtual Machine

    1. Log in to the virtual machine. Flag the system for re-configuration by running the following command as root:
      # touch /.unconfigured
    2. Remove ssh host keys. Run:
      # rm -rf /etc/ssh/ssh_host_*
    3. Set HOSTNAME=localhost.localdomain in /etc/sysconfig/network
    4. Remove /etc/udev/rules.d/70-*. Run:
      # rm -rf /etc/udev/rules.d/70-*
    5. Remove the HWADDR= and UUID= line from /etc/sysconfig/network-scripts/ifcfg-eth*.
    6. Optionally delete all the logs from /var/log and build logs from /root.
    7. Shut down the virtual machine. Run:
      # poweroff

    Edit: Steps 1 & 7 can be combined by running sys-unconfig last. Or, have a look at virt-sysprep from libguestfs-tools-c which does much, much more.

     [user@hostname ~]$ virt-sysprep --list-operations
     abrt-data * Remove the crash data generated by ABRT
     bash-history * Remove the bash history in the guest
     blkid-tab * Remove blkid tab in the guest
     ca-certificates   Remove CA certificates in the guest
     crash-data * Remove the crash data generated by kexec-tools
     cron-spool * Remove user at-jobs and cron-jobs
     delete * Delete specified files or directories
     dhcp-client-state * Remove DHCP client leases
     dhcp-server-state * Remove DHCP server leases
     dovecot-data * Remove Dovecot (mail server) data
     firewall-rules   Remove the firewall rules
     firstboot * Add scripts to run once at next boot
     flag-reconfiguration   Flag the system for reconfiguration
     hostname * Change the hostname of the guest
     kerberos-data   Remove Kerberos data in the guest
     logfiles * Remove many log files from the guest
     lvm-uuids * Change LVM2 PV and VG UUIDs
     machine-id * Remove the local machine ID
     mail-spool * Remove email from the local mail spool directory
     net-hostname * Remove HOSTNAME in network interface configuration
     net-hwaddr * Remove HWADDR (hard-coded MAC address) configuration
     pacct-log * Remove the process accounting log files
     package-manager-cache * Remove package manager cache
     pam-data * Remove the PAM data in the guest
     password * Set root or user password
     puppet-data-log * Remove the data and log files of puppet
     random-seed * Generate random seed for guest
     rhn-systemid * Remove the RHN system ID
     rpm-db * Remove host-specific RPM database files
     samba-db-log * Remove the database and log files of Samba
     script * Run arbitrary scripts against the guest
     smolt-uuid * Remove the Smolt hardware UUID
     ssh-hostkeys * Remove the SSH host keys in the guest
     ssh-userdir * Remove ".ssh" directories in the guest
     sssd-db-log * Remove the database and log files of sssd
     tmp-files * Remove temporary files
     udev-persistent-net * Remove udev persistent net rules
     user-account   Remove the user accounts in the guest
     utmp * Remove the utmp file
     yum-uuid * Remove the yum UUID
    
    • Aaron Copley
      Aaron Copley almost 10 years
      Almost had it. Setting RUN_FIRSTBOOT=YES in /etc/sysconfig/firstboot got me the Kdump configuration part, but not the rest of the Firstboot process.
  • Aaron Copley
    Aaron Copley almost 10 years
    Figured it out... You can't have any users other than 'root'. I had been using the user created the first time through the Initial Setup process. Logged in as root, userdel'd the user and rebooted -- Initial Setup worked.
  • Michael Hampton
    Michael Hampton almost 10 years
    Ah, I never create local users because I'm generally joining a domain. Figures.