For what its worth…
When Mac OS X 10.6.0 server was released, the matching Apple Manuals - specifically the User Management manual as per
http://images.apple.com/server/macosx/docs/UserManagementv10.6.pdf on page 67 included a change that said it was now
allowed to have a first shortname that contains a fullstop/period.
As discussed here this is desirable in order to match many company email address formats like john.doe@example.com
For Mac OS X 10.4, and 10.5 you could only use a fullstop in additional (second, third, etc.) shortnames and not the first. This meant that a user would have needed at a minimum two shortnames, and therefore would have had as a result two email addresses (one for each shortname) and therefore would inevitably receive more spam.
Workgroup Manager in Mac OS X 10.6.1 Server briefly broke this, but Mac OS X 10.6.2 Server restored the ability to define a fullstop in the first (and only) shortname.
In preparation for replacing our current mail server with one that integrates with Open DIrectory for authentication, I am now changing users existing single shortnames, to ones like john.doe
I can confirm another Workgroup Manager bug that is related to this. While it is possible to change most of the shortname related information in Workgroup Manager using the Inspector tab, you need to do an extra step to force the updating of the users kerberos record. This is done by in Workgroup Manager changing the password type from "Open Directory" to "Crypt", and then back to "Open Directory". The change from "Crypt" to "Open Directory" should create a new kerberos record (Crypt password type accounts do not have a Kerberos record). However Workgroup Manager included with Mac OS X 10.6.2, 10.6.1, 10.6.0 and Mac OS X 10.5.x do not create the Kerberos record as they should. This does work in Workgroup Manager included with 10.4.11, so I use a 10.4.11 machine to do this final step.
I then end up with an existing account that has the sole shortname changed to john.doe format and still allows the user to use Kerberos and single sign-on.
Note: You can in Workgroup Manager 10.6.2 create brand new user accounts with a john.doe type shortname straight away and it does create a Kerberos record. It also seems that importing a text file containing user accounts in to Workgroup Manager 10.6.x or 10.5.x also suffers from this bug as the imported accounts are also missing a kerberos record even though they are of password type Open Directory.