pictures from active directory

Certainly, Active Directory is more than just a tool for managing user accounts; it’s a comprehensive platform for organizational information.

One of its less well-known but impactful features is the ability to store and update user profile pictures, which are visible across the entire domain.

In this guide, I’ll explore why this feature is beneficial, walk you through the steps to implement it, and offer some expert advice to optimize its utility.

If you’re a network administrator keen on maximizing the functionalities of your Active Directory, this guide is designed with you in mind.

Introduction to Active Directory and Its Relevance in Modern Technology

Active Directory (AD) is more than just a directory service; it’s a cornerstone of modern IT infrastructure. Managing user information, including pictures, has never been more vital in an era where personalization and security are paramount.

From laptops to wearables, AD’s reach extends across various platforms, providing a unified and secure way to handle user data.

Understanding Active Directory

Active Directory is a Microsoft product that organizes and provides access to information in an operating system’s directory. It’s like a digital phonebook, storing information about members of a network, including devices and users.

The Importance of Pictures in AD

In a world where visual identity matters, pictures in AD are not just aesthetic elements. They play a crucial role in user recognition, security, and personalization. Integrating these pictures with devices like laptops and tablets enhances the user experience and adds a layer of authenticity.

The Benefits of Using AD Profile Pictures

Some key benefits of using AD to store user profile images include:

  • Consistency: The picture updates automatically wherever your user profile is viewed across the domain, including Outlook, SharePoint, Teams, etc.
  • Centralized management: Administrators can control profile pictures for all users from one place rather than updating multiple systems individually.
  • Size limit enforcement: AD has a built-in size limit of 100KB for profile pictures to minimize strain on the directory database.
  • Security: Access to view and update profile images can be controlled via AD security permissions and inheritance.
  • Cost-effective: There is no need for a separate storage system since profile pictures are part of the Active Directory database.

Preparing Your New Profile Picture

Before uploading your new profile photo, it helps to prepare the image file properly.

  • Supported formats: JPEG, GIF, BMP, and PNG images are supported. Avoid other formats like TIFF or RAW.
  • Optimal size: The max file size is 100KB for best performance. You can use a picture of 200×200 pixels; however, the recommended size is 96×96.
  • Square aspect ratio: Crop your photo to a square shape rather than a long rectangle.
  • Uniform background: A plain, solid color background looks most professional.
  • Face positioning: Center and size your face appropriately within the frame.
  • Image editing: Use an editing program to touch up lighting, color, brightness, etc. if needed.

Following these best practices will help the new picture integrate smoothly across your organization’s systems.

Uploading Your Picture to Active Directory

Uploading profile pictures to Active Directory can be accomplished through two primary methods: using the “Active Directory Users and Computers” GUI and utilizing PowerShell scripts.

Both methods have their merits, and your choice may depend on your comfort level with scripting and the number of profiles you need to update.

Using Active Directory Users and Computers (ADUC)

  1. Open ADUC: Launch the “Active Directory Users and Computers” console from your server or a computer with the Remote Server Administration Tools (RSAT) installed.
  2. Navigate to User: In the ADUC window, navigate to the Organizational Unit (OU) where the user account resides.
  3. Open Properties: Right-click on the user account and select “Properties.”
  4. Go to ThumbnailPhoto: Navigate to the “Attribute Editor” tab and find the “thumbnailPhoto” attribute.
  5. Edit and Upload: Click on “Edit,” then “Clear” if there’s an existing photo. Use the “Import” button to upload a new photo. The photo should be less than 100 KB for optimal performance.
  6. Apply and OK: Click “Apply” and then “OK” to save the changes.
thumbnailPhoto attribute

Using PowerShell

StepDescriptionPowerShell Code
1Launch PowerShell with administrative rights.N/A
2Import the Active Directory module if it’s not already loaded.Import-Module ActiveDirectory
3Convert your image to a byte array. Make sure the image size is under 100 KB for optimal performance.$photo = [byte[]](Get-Content "C:\path\to\photo.jpg" -Encoding byte)
4Use the Set-ADUser cmdlet to upload the image to the Active Directory user profile.Set-ADUser username -Replace @{thumbnailPhoto=$photo}

If you want to Set up photo for users in batch, a CSV file named photos.csv need to be prepared as following format:

AD_user, path_to_file
User1,C:\Photos\user1.jpg
User2, C:\Photos\user2.jpg
User3, C:\Photos\user3.jpg

Then the PowerShell command should be:

Import-Csv C:\Photos\photos.csv |%{Set-ADUser -Identity $_.AD_user -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.path_to_file -Encoding byte))}}

How to Display Pictures from Active Directory in Windows Clients

After you have uploaded your pictures to AD using the methods mentioned above, it is time to display the pictures in your Windows Clients. The following steps apply to Windows 7, Windows 8, and Windows 10.

Adding Registry Key Permissions Through Group Policy

  1. Create a New GPO: Open the Group Policy Management Console and create a new GPO at the domain level.
  2. Navigate to Registry Settings: Go to Computer Configuration > Windows Settings > Security Settings > Registry.
  3. Add Key: Right-click the Registry entry and click “Add Key.”
  4. Specify Registry Path: Navigate to MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.
  5. Assign Permissions: Give FULL permission to users.
  6. Update Policy: Close the Group Policy Management Editor and restart the computers to update the Group Policy.

Deploying a Logoff Script Through Group Policy

  1. Edit Existing GPO: Open the Group Policy Management Console and edit the GPO you created earlier.
  2. Navigate to User Scripts: Go to User Configuration > Windows Settings > Scripts.
  3. Add Logoff Script: Double-click the logoff option and click “Add.”
  4. Specify Script Path: Enter the path of the script you’ve prepared and saved as a .ps1 file in a shared folder.
  5. Copy Script: Use the “Show files” option to copy the script to the specified location.
  6. Update Policy: Log off and log in again to update the Group Policy.

Verify the Results

If the policy was applied, you will see the result on the clients where the users will logon to: The photo stored in the thumbnailPhoto attribute would be exported into a specified folder on your machine.

New registry keys will also be created under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users{User SID} in the Windows registry with paths to these photos.

And you will see the photo we configured on the logon image in your windows client or in your client applications.

windows logon picture

Troubleshooting Profile Picture Updates

Here are some common issues and solutions when updating AD user profile images:

  • Slow sync: Give it some time to propagate fully across your systems, often within 60 minutes.
  • Size limit errors: Your source image file may exceed the 100KB AD limit. Try resizing it smaller.
  • Wrong image showing: Double-check that you uploaded the correct photo file.
  • Photo distortion: The aspect ratio might not be set to square. Re-crop the source image.
  • Access denied error: Your user account may lack permission to change the AD profile picture. Request elevated access.
  • Program conflicts: Some apps, like Outlook, may cache old profile images until restarted. Restart to sync.
  • Logon script: verify that the logon script is working properly, and it has access to the network and local paths.

Your domain admin can assist with troubleshooting profile picture change errors if they persist.

Tips for Taking a Good Profile Photo

To get the most out of your new AD user profile picture, follow these photography tips:

  • Get close enough: Frame just your head and shoulders in the shot.
  • Look directly at the camera: This gives you a warm but professional expression.
  • Soft natural lighting: Avoid harsh shadows by facing a window on an overcast day.
  • Solid neutral background: A plain wall works best so you stand out.
  • Avoid busy patterns: Solid colors only to not distract from your face.
  • Shoot multiple options: Take a few so you can select the best of the batch.
  • Dress appropriately: Consider if formal or casual matches your workplace culture.

Taking a few moments to capture a quality headshot will give your AD profile an updated, professional look.

The Bottom Line

Updating your Active Directory user profile picture is quick and simple, following the steps outlined above.

Taking the time to prepare a high-quality headshot and following AD best practices will ensure it looks great everywhere your account appears across the network.

With an engaging professional profile image, you can represent both yourself and your organization well.

Upload your organization’s team pictures to the AD and enjoy the benefits.

Other Topics:

Hector Bravo Tello

Entrepreneur and technology specialist with more than 30 years of tech experience, who blogs on the latest technologies, artificial intelligence tools, project management, security, and more.

Similar Posts