With the release of OS X Server for Yosemite, Apple retired Workgroup Manager, thus leaving us System Admins no GUI method of exporting users and groups out of the server.
The old Workgroup Manager tool gave us the ability to both export and import users / group records, the Server app can just import users.
But not all is lost. We have a bunch of command line tools that allow us to interact with the user directories. In particular we have the dsexport command.
dsexport allows us to export records from our user directories to compatible files that the Sever app can use.
The command has the following three main arguments:
- The path to the output file you wish to create
- The path to the OpenDirectory node that contains the records you wish to export
- The type of records we wish to export. For example, dsRecTypeStandard:Users or dsRecTypeStandard:Groups
There are a couple of additional arguments you can supply, which include the ability to filter certain attributes for each record you wish to exclude and also a list of records you wish to export.
So, here are a few examples of exporting users.
1. To export all users from the local directory to a file called “exportedUsers.out”
dsexport exportedUsers.out /Local/Default dsRecTypeStandard:Users
2. To export all users from the OpenDirectory LDAP node to a file called “exportedUsers.out”
dsexport exportedUsers.out /LDAPv3/127.0.0.1 dsRecTypeStandard:Users
By default, all users are exported, including system, accounts. There’s nothing stopping you from editing this file and removing any accounts you wish. However, you can supply a list of users you wish to export with the -r parameter.
3. To export any user whose name is richard or oliver from the OpenDirectory LDAP node to a file called “exportedUsers.out”
dsexport exportedUsers.out /LDAPv3/127.0.0.1 dsRecTypeStandard:Users -r richard , oliver
Here are a few examples of exporting group records.
1. To export all groups from the local directory to a file called “exportedGroups.out”
dsexport exportedGroups.out /Local/Default dsRecTypeStandard:Groups
2. To export just the admin and staff group from the OpenDirectory LDAP node to a file called “exportedGroups.out”
dsexport exportedGroups.out /LDAPv3/127.0.0.1 dsRecTypeStandard:Groups -r admin , staff
Once you have generated these files, you can then import them back into a new / replacement server if required.
- You can use the Server app and import the file using the GUI
- Or you can use the dsimport command line tool.
In its basic form, dsimport just requires:
- The path to the text file you wish to import
- The path to the directory node you wish to import into
As well as these basic two arguments, we also have some nice options to handle conflicts:
O overwrite any records that have the same ids
M Merge import date with existing records, or create the record if it does not exist
I Ignore records that have conflicting ids
So to reimport our file, but ignore records that already exist we could use:
dsimport exportedUsers.out /LDAPv3/127.0.0.1 I
Thanks for reading, I hope that this blog is of some use.