252 Appendix Importing and Exporting Account Information
Limitations for Importing and Exporting Passwords
When creating or overwriting records, you must reset passwords for user accounts with
Open Directory or shadow passwords. Importing passwords generally works if the
password is a plain-text string in the import file.
Additionally, you must set the AuthMethod attribute so Workgroup Manager can
import the password. Encrypted passwords in hash format in the import file can’t be
Passwords can’t be exported using Workgroup Manager or any other method. If you
import user accounts from an export file, remember to manually set passwords or set
default passwords to a known value.
Before exporting user accounts (or after importing them), you can set up a password
policy that requires users to change their password at first login. For instructions on
configuring password options, see “Choosing a Password Type and Setting Password
Options” on page 74.
Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
Globally unique identifiers (GUIDs) are used to verify user and group identity for ACL
permissions and to manage user membership in groups and hierarchical groups. When
you use Workgroup Manager or the dsimport tool to import users and groups created
on versions of Mac OS X Server earlier than v10.4, GUIDs are automatically assigned.
After upgrading or migrating your server to Mac OS X Server v10.5, back up your
accounts by exporting user and group accounts to ensure that all your accounts have
If you need to restore user or group accounts in the future, the generated export file
enables you to import users and groups with their GUIDs (as well as file permissions
and group memberships) intact.
If you lose user accounts and create new accounts with the same UID, GID, and short
names as the lost accounts, the replacement accounts have new GUIDs assigned. A
user’s new GUID won’t match the previous GUID, so the user won’t retain prior ACL
permissions or group memberships.
Similarly, if you import users or groups from a file that doesn’t include the GUID
attribute, Mac OS X Server assigns new GUIDs to every imported user and group.
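
A pre-import check for the situation described above, added here as an example and not taken from the original guide: it reads a dsimport-style delimited file and reports a missing GUID column, or records whose GUID is absent, malformed, or duplicated. The header layout (four hex delimiters, record type, attribute count, attribute names) and the attribute name dsAttrTypeStandard:GeneratedUID are assumptions about the file format; the sample accounts are constructed.

```python
import uuid

GUID_ATTR = "dsAttrTypeStandard:GeneratedUID"  # assumed attribute name for the GUID

def split_unescaped(text, sep, esc):
    """Split on sep, skipping any character that follows the escape character."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == esc:
            i += 1              # step over the escaped character; it is data
        elif text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def check_guids(data):
    """List reasons an import of this file would lose or clash GUIDs."""
    eor = chr(int(data.split(None, 1)[0], 16))   # assumed: first token is end-of-record
    header, _, body = data.partition(eor)
    tok = header.split()
    esc, fsep = chr(int(tok[1], 16)), chr(int(tok[2], 16))
    rec_type, attrs = tok[4], tok[6:6 + int(tok[5])]
    if GUID_ATTR not in attrs:
        return ["%s: no GeneratedUID column, new GUIDs will be assigned" % rec_type]
    col, seen, problems = attrs.index(GUID_ATTR), {}, []
    for n, rec in enumerate(filter(None, split_unescaped(body, eor, esc)), start=1):
        fields = split_unescaped(rec, fsep, esc)
        guid = fields[col].strip() if col < len(fields) else ""
        try:
            key = str(uuid.UUID(guid))
        except ValueError:
            problems.append("record %d (%s): missing or malformed GUID" % (n, fields[0]))
            continue
        if key in seen:
            problems.append("record %d (%s): GUID duplicates %s" % (n, fields[0], seen[key]))
        seen.setdefault(key, fields[0])
    return problems

# Constructed sample export (not real account data); "ben" has no GUID value.
SAMPLE = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 4 "
    "dsAttrTypeStandard:RecordName dsAttrTypeStandard:UniqueID "
    "dsAttrTypeStandard:RealName dsAttrTypeStandard:GeneratedUID\n"
    "anna:1025:Anna Example:5C1B0A6E-2F64-4B0E-9D5A-0C7E3B1A9F01\n"
    "ben:1026:Ben\\: Example:\n"
    "cara:1027:Cara Example:5C1B0A6E-2F64-4B0E-9D5A-0C7E3B1A9F01\n"
)
print("\n".join(check_guids(SAMPLE)))
```

Running the check on an export file before it is needed for a restore shows whether the file can preserve ACL permissions and group memberships, or whether a fresh export is required.
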
To make sure that GUIDs and their relationship to specific users and groups remain the
same if you need to re-import users and groups, create a new export file on Mac OS X
Server v10.5 and use this file instead of the export file created with an earlier server