Create a file to import users or groups in macOS Server
You can create a character-delimited file by using Workgroup Manager, or by using dsexport to export accounts in the LDAP directory of an Open Directory master. You can also create a character-delimited file manually by using a script, or by using a database or spreadsheet app.
The first record in the file, the record description, describes the format of each account record in the file. There are three options for the record description:
Write a full record description
Use the shorthand
StandardUserRecordUse the shorthand
StandardGroupRecord
The other records in the file describe user or group accounts, encoded in the format described by the record description. A line in a character-delimited file that begins with # is ignored during importing.
Write a record description
The record description specifies the fields in each record in the character-delimited file, specifies the delimiting characters, and specifies the escape character that precedes special characters in a record.
Encode the record description using the following elements in the order specified, separating them with a space:
End-of-record indicator (in hex notation)
Escape character (in hex notation)
Field separator (in hex notation)
Value separator (in hex notation)
Type of accounts in the file (
dsRecTypeStandard:UsersordsRecTypeStandard:Groups)Number of attributes in each account record
List of attributes
For user accounts, the list of attributes must include the following, although you can omit UID and PrimaryGroupID if you specify a starting UID and a default primary group ID when you import the file:
RecordName (the user’s short name)
Password
UniqueID (the UID)
PrimaryGroupID
RealName (the user’s full name)
You can also include:
UserShell (the default shell)
NFSHomeDirectory (the path to the user’s home folder)
Other user data types, described in Open Directory Administration
For group accounts, the list of attributes must include:
RecordName (the group name)
PrimaryGroupID (the group ID)
GroupMembership
The following is an example of a record description:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7RecordName Password UniqueID PrimaryGroupIDRealName NFSHomeDirectory UserShellThe following is an example of a record encoded using the previous description:
anne:Adl47E$:408:20:A. Johnsons, M.D.:/Network/Servers/somemac/Homes/anne:/bin/cshThe record consists of values, delimited by colons. Use a double-colon (::) to indicate that a value is missing.
Note: The colon (:) is the field separator. If there’s a colon in the description of an attribute, use the backslash (\) escape character to indicate that the colon shouldn’t be treated as a delimiter. If the field separator is anything other than a colon, the escape character isn’t needed.
Before importing user accounts, remember to manually set passwords or set default passwords to a known value. After importing user records, you can set up a password policy that requires users to change their password at first login.
Passwords cannot be exported using Workgroup Manager or any other method.
Use the StandardUserRecord shorthand
When the first record in a character-delimited import file contains StandardUserRecord, the following record description is assumed:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7RecordName Password UniqueID PrimaryGroupIDRealName NFSHomeDirectory UserShellAn example user account looks like this:
anne:Adl47E$:408:20:A. Lo, M.D.:/Network/Servers/somemac/Homes/anne:/bin/cshUse the StandardGroupRecord shorthand
When the first record in a character-delimited import file contains StandardGroupRecord, the following record description is assumed:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Groups 4RecordName Password PrimaryGroupID GroupMembershipThe following is an example of a record encoded using the description:
students:Ad147:88:johnson,miller,clark,chen,wong