Managing User Photos in Active Directory Using Thumbnail Photo Attribute

Active Directory user accounts have a special thumbnailPhoto attribute in which a user’s photo can be stored as binary data. Outlook, OWA, Lync/Skype for Business, SharePoint (and other apps) can use the photo stored in this AD attribute as the user’s avatar in their interface. In addition, these photos can be used as the Windows user account picture.

In this article, we will show you how to add (upload) a user’s photo to Active Directory using PowerShell, OWA or the Active Directory Users and Computers snap-in, as well as how to save (export) the thumbnailPhoto attribute value to a jpeg file.

ThumbnailPhoto Attribute in Active Directory

The main aspects and restrictions of using user photos in AD:

  • The maximum photo size in the thumbnailPhoto attribute of the user object is 100 KB. However, the general recommendation is to use a JPEG/BMP image file of up to 10 KB and 96×96 pixels as the user’s photo in AD;
  • To display a photo in Outlook 2010 or newer, the Active Directory schema version must be at least Windows Server 2008;
  • If there are a lot of user photos in Active Directory, the replication traffic between domain controllers increases due to the growth of the NTDS.DIT file (AD database);
  • Users can change their own photo in AD. If you need to delegate the ability to upload photos to other users (e.g., the HR department), use the AD delegation wizard to grant the group the “Write thumbnailPhoto” permission on the OU with user accounts.
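
To review who holds that write permission before or after delegating it, the following added example (not part of the original article) reads the ACL of an OU and lists every Allow entry that can write thumbnailPhoto. The OU path is borrowed from the export script later in this article and is an assumption; replace it with your own container.

```powershell
# Added example: read-only audit of who can write thumbnailPhoto on an OU.
Import-Module ActiveDirectory

# Assumption: OU path taken from the export script later in this article.
$ou = 'OU=Users,OU=Paris,DC=woshub,DC=com'

# Resolve the attribute's GUIDs from the schema instead of hardcoding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
    -Properties schemaIDGUID, attributeSecurityGUID

# An ACE can grant write access to thumbnailPhoto when its ObjectType is
# the attribute itself, the property set it belongs to, or empty (all properties).
$targets = @{ ([guid]::Empty) = 'all properties' }
$targets[[guid]$attr.schemaIDGUID] = 'thumbnailPhoto'
if ($attr.attributeSecurityGUID) {
    $targets[[guid]$attr.attributeSecurityGUID] = 'property set containing thumbnailPhoto'
}

# GenericAll and GenericWrite include the WriteProperty bit, so -band catches them too.
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $write) -and
        $targets.ContainsKey($_.ObjectType)
    } |
    Select-Object IdentityReference,
        @{ n = 'Scope'; e = { $targets[$_.ObjectType] } },
        ActiveDirectoryRights, IsInherited, InheritedObjectType |
    Sort-Object Scope, IdentityReference |
    Format-Table -AutoSize
```

Entries scoped to "all properties" or to the property set are broader than the single-attribute permission the delegation wizard grants, so they are the ones to look at first.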

How to Add/Update a User Photo in AD Using PowerShell?

To add (upload) a user photo to Active Directory using PowerShell, you need to use the Active Directory Module for Windows PowerShell (which is part of the RSAT administration tools). First, you need to convert the image file to a byte array, and then use the Set-ADUser cmdlet to set it as the value of the thumbnailPhoto attribute.

Import-Module ActiveDirectory
$photo = [byte[]](Get-Content C:\PS\jkuznetsov_photo.jpg -Encoding byte)
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=$photo}

The same thing in PowerShell one-liner:

Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\jkuznetsov_photo.jpg" -Encoding byte))}


After these commands have been executed, the user photo stored in the Active Directory database will be displayed in Outlook, Lync/Skype, OWA, etc. (it may take some time for AD replication and the GAL update to complete).

You can open the user’s properties in the Active Directory Users and Computers (ADUC) console, go to the Attribute Editor tab, and make sure the thumbnailPhoto attribute now contains a value.


User Photos Management in Exchange and Outlook Web Access

Exchange Management Shell supports the same feature of importing AD user photos. To do this, use the Import-RecipientDataProperty cmdlet.

Note. The Import-RecipientDataProperty cmdlet in Exchange 2010 doesn’t allow uploading an image larger than 10 KB.

The EMS command to update a photo of the user jkuznetsov will look like this:

Import-RecipientDataProperty -Identity "jkuznetsov" -Picture -FileData ([Byte[]] $(Get-Content -Path "C:\PS\jkuznetsov_photo.jpg" -Encoding Byte -ReadCount 0))

EMS in Exchange 2013/2016 uses another cmdlet to manage user photos – Set-UserPhoto. The following commands are used to add a user’s photo in these versions of Exchange:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
$usrphotofile = ([Byte[]] $(Get-Content -Path "C:\PS\jkuznetsov_photo.jpg" -Encoding Byte -ReadCount 0))
Set-UserPhoto -Identity jkuznetsov -PictureData $usrphotofile -Confirm:$False
Set-UserPhoto -Identity jkuznetsov -Save -Confirm:$False

To remove a thumbnail photo from Active Directory, use the command:

Remove-UserPhoto -Identity jkuznetsov

Users can also change their profile photo themselves through Outlook Web Access (OWA). Click on your account in the upper right corner, select Edit information -> photo -> click the change button and specify the path to the jpeg file with the user photo.

How to Import User Photos to AD in Bulk with PowerShell?

You can bulk upload and manage users’ photos in Active Directory with PowerShell. Create a CSV file that contains a list of user accounts and the corresponding photo filenames. You can use the comma-separated format for the import.csv file:

AD_username, Photo
asmith, C:\PS\asmith.jpg
klinton@adatum.com, C:\PS\klinton.jpg
jkuznetsov, C:\PS\jkuznetsov.png

The following PowerShell one-liner command will get the list of users from a CSV file and update (upload) their photos to Active Directory:

Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}

How to Export a User Photo from Active Directory to a JPG File?

You can save an AD user photo to a graphic file. To do this, select the user using the Get-ADUser cmdlet:

$ADuser = Get-ADUser jkuznetsov -Properties thumbnailPhoto

And save the contents of thumbnailPhoto attribute to a JPG file:

$ADuser.thumbnailPhoto | Set-Content c:\PS\jkuznetsov.jpg -Encoding byte

Using the following PowerShell script, you can export photos of all users from a specific container (OU) to files:

Import-Module ActiveDirectory
# Select users in the OU that have a non-empty thumbnailPhoto attribute
$ADusers = Get-ADUser -Filter * -SearchBase "OU=Users,OU=Paris,DC=woshub,DC=com" -Properties thumbnailPhoto | ? {$_.thumbnailPhoto}
foreach ($ADuser in $ADusers) {
    # Save each photo as <SamAccountName>.jpg in the current directory
    $name = $ADuser.SamAccountName + ".jpg"
    $ADuser.thumbnailPhoto | Set-Content $name -Encoding byte
}

And finally, there are some useful queries. The first one selects all users that have a photo in the thumbnailPhoto AD attribute:

Get-ADUser -Filter * -properties thumbnailPhoto | ? {$_.thumbnailPhoto} | select Name

The second allows you to find users without a photo:

Get-ADUser -Filter * -properties thumbnailPhoto | ? {(-not($_.thumbnailPhoto))} | select Name
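
The bulk import one-liner above writes whatever file the CSV points to, and the two queries only test whether a value is present. The following added example (not from the original article) checks photo bytes against the 100 KB limit and the JPEG/BMP formats mentioned earlier, first during import and then for values already stored. The function name Get-PhotoIssue is hypothetical, and Set-ADUser runs with -WhatIf so nothing is written until you remove it.

```powershell
# Added example: validate photo bytes before import, then audit stored values.
Import-Module ActiveDirectory

$MaxBytes         = 100KB  # attribute limit stated in this article
$RecommendedBytes = 10KB   # recommended size stated in this article

function Get-PhotoIssue {   # hypothetical helper name
    # Returns $null for a JPEG/BMP within the limit, otherwise a reason string.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 3) { return 'empty or truncated' }
    if ($Bytes.Length -gt $MaxBytes) { return "too large ($($Bytes.Length) bytes)" }
    $isJpeg = $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xD8 -and $Bytes[2] -eq 0xFF
    $isBmp  = $Bytes[0] -eq 0x42 -and $Bytes[1] -eq 0x4D   # ASCII 'BM'
    if (-not ($isJpeg -or $isBmp)) { return 'no JPEG/BMP signature' }
    return $null
}

# 1) Bulk import: skip rows that fail validation instead of writing them to AD.
Import-Csv C:\PS\import.csv | ForEach-Object {
    if (-not (Test-Path -LiteralPath $_.Photo -PathType Leaf)) {
        Write-Warning "$($_.AD_username): file not found: $($_.Photo)"; return
    }
    $bytes = [System.IO.File]::ReadAllBytes($_.Photo)
    $issue = Get-PhotoIssue $bytes
    if ($issue) { Write-Warning "$($_.AD_username): skipped, $issue"; return }
    # -WhatIf makes this a dry run; remove it to write the attribute.
    Set-ADUser -Identity $_.AD_username -Replace @{ thumbnailPhoto = $bytes } -WhatIf
}

# 2) Audit: list stored values that are not images or exceed the recommended size.
Get-ADUser -Filter * -Properties thumbnailPhoto |
    Where-Object { $_.thumbnailPhoto } |
    ForEach-Object {
        $stored = [byte[]]$_.thumbnailPhoto
        [pscustomobject]@{
            User            = $_.SamAccountName
            Bytes           = $stored.Length
            Issue           = Get-PhotoIssue $stored
            OverRecommended = $stored.Length -gt $RecommendedBytes
        }
    } |
    Where-Object { $_.Issue -or $_.OverRecommended } |
    Sort-Object Bytes -Descending
```

With the sample import.csv above, the jkuznetsov.png row is reported and skipped, because a PNG file does not start with a JPEG or BMP signature.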

Adding a Photo Tab to the Active Directory Users & Computers Console

If you don’t like PowerShell, you can use the graphical (GUI) tools to manage photos of Active Directory users.

There are a number of third-party tools that let you set photos for AD users in more convenient graphic editors. However, the functionality of such tools is redundant, and there are certain risks of using third-party software to edit AD.

I most often suggest using the small library AdExt.dll, which adds a separate tab for adding a photo directly to the ADUC console.

You can download the AdExt.dll library here — AdExt-dll-ADUC.zip

To install the library, open an elevated command prompt and go to the directory with the .NET Framework binaries:

  • For x86 Windows: cd %WinDir%\Microsoft.NET\Framework\v2.0.50727
  • For x64 Windows: cd %WinDir%\Microsoft.NET\Framework64\v4.0.30319

The paths may differ depending on the versions of the .NET Framework installed.

Install the library with the command:

InstallUtil.exe c:\ps\ad\AdExt.dll



Restart the ADUC (dsa.msc) console, then open the properties of any user. Please note that a new Photo tab has appeared, where you can add or remove a user’s photo.



To remove (unregister) the AdExt.dll library, run the command:

InstallUtil.exe /u c:\ps\ad\AdExt.dll

There are two sections on the Photo tab:

  • When uploading a photo via the thumbnailPhoto attribute, the photo is automatically reduced to a resolution of 96×96, and the quality is selected so that the size is no more than 10 Kb.
  • If you upload a picture via jpegPhoto, then the image quality is changed so that the photo size is less than 100 Kb.
