
Managing User Photos in Active Directory Using ThumbnailPhoto Attribute

February 24, 2021

Active Directory user accounts have a special thumbnailPhoto attribute in which a user’s photo can be stored as binary data. Outlook, OWA, Lync/Skype for Business, SharePoint (and other apps) can use the photo stored in this AD attribute as the user’s avatar in their interface. In addition, these photos can be used as the Windows user account picture.

In this post, we will show you how to add (upload) a user’s photo to Active Directory using PowerShell, OWA or the Active Directory Users and Computers snap-in, as well as how to save (export) the thumbnailPhoto attribute value to a jpeg file.

ThumbnailPhoto Attribute in Active Directory

The main aspects and restrictions of using user photos in AD:

  • The maximum photo size in the thumbnailPhoto attribute of the user object is 100 KB. However, the general recommendation is to use a JPEG/BMP image of up to 10 KB and 96×96 pixels as the user’s photo in AD;
  • To display a photo in Outlook 2010 or newer, the Active Directory schema must be at least the Windows Server 2008 version;
  • If there are a lot of user photos in Active Directory, the replication traffic between domain controllers increases due to the growth of the NTDS.DIT file (AD database);
  • Users can change their own photo in AD. If you need to delegate the ability to upload photos to other users (e.g., the HR department), use the AD delegation wizard to grant that group the “Write thumbnailPhoto” permission on the OU with user accounts.
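
One way to review who can already write the attribute on an OU before or after delegating it, as an added example (not from the original article). The OU distinguished name is the one used in the export script later in the article; the attribute and property-set GUIDs are read from the schema rather than hardcoded.

```powershell
Import-Module ActiveDirectory

$ouDN = 'OU=Users,OU=NYC,DC=contoso,DC=com'   # OU name taken from the article's export script

# Read the attribute's own GUID and the GUID of its property set (if any) from the schema
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
            -Properties schemaIDGUID, attributeSecurityGUID

# An ACE grants write access to thumbnailPhoto if its ObjectType is one of these
$match = @{}
$match[[guid]::Empty]             = 'all properties'
$match[[guid]$attr.schemaIDGUID]  = 'thumbnailPhoto only'
if ($attr.attributeSecurityGUID) {
    $match[[guid]$attr.attributeSecurityGUID] = 'property set containing thumbnailPhoto'
}

$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# GenericAll and GenericWrite include the WriteProperty bit, so -band catches them too
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $write) -and
        $match.ContainsKey($_.ObjectType)
    } |
    Select-Object IdentityReference,
        @{ Name = 'Scope'; Expression = { $match[$_.ObjectType] } },
        ActiveDirectoryRights, IsInherited, InheritedObjectType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

It reads only the ACL of the OU itself, so explicit entries set directly on individual user objects are not listed.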

How to Add/Update a User Photo in AD Using PowerShell?

To add (upload) a user photo to Active Directory using PowerShell, you need to use the Active Directory Module for Windows PowerShell (which is part of the RSAT administration tools). First, you need to convert the image file to a byte array, and then use the Set-ADUser cmdlet to set it as the value of the thumbnailPhoto attribute.

Import-Module ActiveDirectory
$photo = [byte[]](Get-Content C:\PS\user_photo.jpg -Encoding byte)
Set-ADUser john.smith -Replace @{thumbnailPhoto=$photo}

The same thing in PowerShell one-liner:

Set-ADUser john.smith -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\user_photo.jpg" -Encoding byte))}


After these commands have been executed, the user photo stored in the Active Directory database will be displayed in Outlook, Lync/Skype, OWA, etc. (it may take some time for AD replication and the GAL update to complete).

You can open the user’s properties in the Active Directory Users and Computers (ADUC) console, go to the Attribute Editor tab, and make sure the thumbnailPhoto attribute now contains a value.


User Photos Management in Exchange and Outlook Web Access

Exchange Management Shell can also import AD user photos. To do this, use the Import-RecipientDataProperty cmdlet.
Note. The Import-RecipientDataProperty cmdlet in Exchange 2010 doesn’t allow uploading an image larger than 10 KB.

The EMS command to update a photo of the user john.smith will look like this:

Import-RecipientDataProperty -Identity "john.smith" -Picture -FileData ([Byte[]] $(Get-Content -Path "C:\PS\user_photo.jpg" -Encoding Byte -ReadCount 0))

EMS in Exchange 2013/2016 uses another cmdlet to manage user photos – Set-UserPhoto. The following commands are used to add a user’s photo in these versions of Exchange:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
$usrphotofile = ([Byte[]] $(Get-Content -Path "C:\PS\user_photo.jpg" -Encoding Byte -ReadCount 0))
Set-UserPhoto -Identity john.smith -PictureData $usrphotofile -Confirm:$False
Set-UserPhoto -Identity john.smith -Save -Confirm:$False

To remove a thumbnail photo from Active Directory, use the command:

Remove-UserPhoto -Identity john.smith

Users can also change their profile photo themselves through Outlook Web Access (OWA). Click on your account in the upper right corner, select Edit information -> photo -> click the change button and specify the path to the jpeg file with the user photo.


How to Import User Photos to AD in Bulk with PowerShell?

You can upload users’ photos to Active Directory in bulk with PowerShell. Create a CSV file that contains a list of user accounts and the corresponding photo filenames. You can use the following comma-separated format for the import.csv file:

AD_username, Photo
john.smith, C:\PS\john.smith.jpg
jane.doe, C:\PS\jane.doe.jpg
bill.gates, C:\PS\bill.gates.png

The following PowerShell one-liner command will get the list of users from a CSV file and update (upload) their photos to Active Directory:

Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}
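
A stricter version of the bulk import, as an added example (not code from the original article): the one-liner above writes whatever file each CSV row names, so this version accepts only JPEG files of at most 100 KB located under one folder and reports a result per row. The $PhotoRoot restriction, the JPEG-only check and the helper name Read-Photo are assumptions of this example.

```powershell
Import-Module ActiveDirectory

$CsvPath   = 'C:\PS\import.csv'  # CSV from the article (columns AD_username, Photo)
$PhotoRoot = 'C:\PS\'            # assumption: photos may only be read from this folder
$MaxBytes  = 100KB               # thumbnailPhoto size limit stated in the article

# Hypothetical helper: returns the file as byte[] or throws with the reason.
function Read-Photo {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { throw 'no photo path in row' }
    # Normalise the path (collapses ..\) and require it to stay under $PhotoRoot
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not $full.StartsWith($PhotoRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "path is outside $PhotoRoot"
    }
    $size = (Get-Item -LiteralPath $full -ErrorAction Stop).Length
    if ($size -lt 3 -or $size -gt $MaxBytes) { throw "size $size bytes is outside 3..$MaxBytes" }
    # ReadAllBytes behaves the same in Windows PowerShell and PowerShell 7
    $bytes = [System.IO.File]::ReadAllBytes($full)
    # JPEG files begin with the bytes FF D8 FF
    if ($bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8 -or $bytes[2] -ne 0xFF) { throw 'not a JPEG file' }
    return ,$bytes   # leading comma keeps the array from being unrolled
}

$report = foreach ($row in Import-Csv -Path $CsvPath) {
    $user = "$($row.AD_username)".Trim()
    $path = "$($row.Photo)".Trim()
    try {
        [byte[]]$photo = Read-Photo -Path $path
        Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = $photo } -ErrorAction Stop
        $result = 'updated'
    } catch {
        # Validation failures and AD errors both end up here; the row is not written
        $result = "skipped: $($_.Exception.Message)"
    }
    [pscustomobject]@{ User = $user; Photo = $path; Result = $result }
}
$report | Format-Table -AutoSize
```

With the sample CSV above, the bill.gates.png row is reported as skipped because this example accepts JPEG only.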

How to Export a User Photo from Active Directory to a JPG File?

You can save an AD user photo to a graphic file. To do it, select the user using the Get-ADUser cmdlet:

$ADuser = Get-ADUser john.smith -Properties thumbnailPhoto

And save the contents of thumbnailPhoto attribute to a JPG file:

$ADuser.thumbnailPhoto | Set-Content c:\PS\john.smith.jpg -Encoding byte

Using the following PowerShell script, you can export photos of all users from a specific container (OU) to files:

Import-Module ActiveDirectory
$ADusers= Get-ADUser -Filter * -SearchBase "OU=Users,OU=NYC,DC=contoso,DC=com" -Properties thumbnailPhoto | ? {$_.thumbnailPhoto}
foreach ($ADuser in $ADusers) {
    $name = $ADuser.SamAccountName + ".jpg"
    $ADuser.thumbnailPhoto | Set-Content $name -Encoding byte
}

And finally, there are some useful queries. The first one lets you select all users that have a photo in the thumbnailPhoto AD attribute:

Get-ADUser -Filter * -properties thumbnailPhoto | ? {$_.thumbnailPhoto} | select Name

The second allows you to find users without a photo:

Get-ADUser -Filter * -properties thumbnailPhoto | ? {(-not($_.thumbnailPhoto))} | select Name

Adding a Photo Tab to the Active Directory Users & Computers Console

If you don’t like PowerShell, you can use graphical (GUI) tools to manage photos of Active Directory users. There are a number of third-party tools that let you set photos for AD users in more convenient graphic editors. However, the functionality of such tools is redundant, and there are certain risks of using third-party software to edit AD.

I most often suggest using the small library AdExt.dll, which adds a separate tab for adding a photo directly to the ADUC console.

You can download the AdExt.dll library here — AdExt-dll-ADUC.zip

To install the library, run the elevated command prompt and go to the directory with the .Net Framework binaries:

  • For x86 Windows: cd %WinDir%\Microsoft.NET\Framework\v2.0.50727
  • For x64 Windows: cd %WinDir%\Microsoft.NET\Framework64\v4.0.30319

The paths may differ depending on the versions of the .Net Framework installed.

Install the library with the command:

InstallUtil.exe c:\ps\ad\AdExt.dll


Restart the ADUC (dsa.msc) console, then open the properties of any user. Please note that a new Photo tab has appeared, where you can add or remove a user’s photo.


To remove (unregister) the AdExt.dll library, run the command:

InstallUtil.exe /u c:\ps\ad\AdExt.dll

There are two sections on the Photo tab:

  • When uploading a photo via the thumbnailPhoto attribute, the photo is automatically reduced to a resolution of 96×96, and the quality is selected so that the size is no more than 10 Kb.
  • If you upload a picture via jpegPhoto, then the image quality is changed so that the photo size is less than 100 Kb.
