Active Directory user accounts have a special thumbnailPhoto attribute in which a user’s photo can be stored as binary data. Outlook, OWA, Lync/Skype for Business, SharePoint (and other apps) can use the photo stored in this AD attribute as the user’s avatar in their interface. In addition, these photos can be used as the Windows user account picture.
In this article, we will show you how to add (upload) a user’s photo to Active Directory using PowerShell, OWA or the Active Directory Users and Computers snap-in, as well as how to save (export) the thumbnailPhoto attribute value to a jpeg file.
- ThumbnailPhoto Attribute in Active Directory
- How to Add/Update a User Photo in AD Using PowerShell?
- User Photos Management in Exchange and Outlook Web Access
- How to Import User Photos to AD in Bulk with PowerShell?
- How to Export a User Photo from Active Directory to a JPG File?
- Adding a Photo Tab to the Active Directory Users & Computers Console
ThumbnailPhoto Attribute in Active Directory
The main aspects and restrictions of using user photos in AD:
- The maximum photo size in the thumbnailPhoto attribute of the user object is 100 KB. However, the general recommendation is to use a JPEG/BMP image of up to 10 KB and 96×96 pixels as the user’s photo in AD;
- To display a photo in Outlook 2010 or newer, the Active Directory schema must be at least the Windows Server 2008 version;
- If there are a lot of user photos in Active Directory, the replication traffic between domain controllers increases due to the growth of the NTDS.DIT file (AD database);
- Users can change their own photo in AD. If you need to delegate the ability to upload photos for other users (e.g., to the HR department), use the AD delegation wizard to grant the group the “Write thumbnailPhoto” permission on the OU with user accounts.
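To review who already holds that delegated right, the following added example (not code from the original article) lists the Allow ACEs on an OU that permit writing thumbnailPhoto. The OU path is the sample one used later in this article, and the attribute's GUIDs are read from the schema rather than assumed.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

# OU to audit; this DN is the sample OU used elsewhere in this article.
$ou = 'OU=Users,OU=Paris,DC=woshub,DC=com'

# Look up the GUIDs that identify thumbnailPhoto in ACEs instead of hard-coding them:
# schemaIDGUID is the attribute itself, attributeSecurityGUID is its property set (if any).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
    -Properties schemaIDGUID, attributeSecurityGUID

# Map each ObjectType GUID that covers thumbnailPhoto to a readable scope label.
$scopes = @{}
$scopes[[guid]::Empty] = 'all properties'
$scopes[[guid]$attr.schemaIDGUID] = 'thumbnailPhoto only'
if ($attr.attributeSecurityGUID) {
    $scopes[[guid]$attr.attributeSecurityGUID] = 'property set containing thumbnailPhoto'
}

$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# WriteProperty is also contained in GenericWrite and GenericAll, so those ACEs match too.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($write) -and
        $scopes.ContainsKey($_.ObjectType)
    } |
    Select-Object IdentityReference,
        @{ Name = 'Scope'; Expression = { $scopes[$_.ObjectType] } },
        ActiveDirectoryRights, InheritanceType, IsInherited |
    Sort-Object Scope |
    Format-Table -AutoSize
```

Entries with the scope "thumbnailPhoto only" are the narrow delegations the wizard creates; broader scopes show principals that can write the photo as a side effect of wider rights.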
How to Add/Update a User Photo in AD Using PowerShell?
To add (upload) a user photo to Active Directory using PowerShell, you need to use the Active Directory Module for Windows PowerShell (which is part of the RSAT administration tools). First, you need to convert the image file to a byte array, and then use the Set-ADUser cmdlet to set it as the value of the thumbnailPhoto attribute.
Import-Module ActiveDirectory
$photo = [byte[]](Get-Content C:\PS\jkuznetsov_photo.jpg -Encoding byte)
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=$photo}
The same thing in PowerShell one-liner:
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\jkuznetsov_photo.jpg" -Encoding byte))}
After these commands have been executed, the user photo stored in the Active Directory database will be displayed in Outlook, Lync/Skype, OWA, etc. (this may take some time, until AD replication and the GAL update have completed).
You can open the user’s properties in the Active Directory Users and Computers (ADUC) console, go to the Attribute Editor tab, and make sure the thumbnailPhoto attribute now contains a value.
User Photos Management in Exchange and Outlook Web Access
Exchange Management Shell (EMS) can also import AD user photos. To do so, use the Import-RecipientDataProperty cmdlet.
The EMS command to update a photo of the user jkuznetsov will look like this:
Import-RecipientDataProperty -Identity "jkuznetsov" -Picture -FileData ([Byte[]] $(Get-Content -Path "C:\PS\jkuznetsov_photo.jpg" -Encoding Byte -ReadCount 0))
EMS in Exchange 2013/2016 uses another cmdlet to manage user photos – Set-UserPhoto. The following commands are used to add a user’s photo in these versions of Exchange:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
$usrphotofile = ([Byte[]] $(Get-Content -Path "C:\PS\jkuznetsov_photo.jpg" -Encoding Byte -ReadCount 0))
Set-UserPhoto -Identity jkuznetsov -PictureData $usrphotofile -Confirm:$False
Set-UserPhoto -Identity jkuznetsov -Save -Confirm:$False
To remove a user’s photo, use the Remove-UserPhoto cmdlet:
Remove-UserPhoto -Identity jkuznetsov
Users can also change their profile photo themselves through Outlook Web Access (OWA). Click on your account in the upper right corner, select Edit information -> photo -> click the change button and specify the path to the jpeg file with the user photo.
How to Import User Photos to AD in Bulk with PowerShell?
You can upload users’ photos to Active Directory in bulk with PowerShell. Create a CSV file that contains a list of user accounts and the corresponding photo filenames. You can use the following comma-separated format for the import.csv file:
AD_username, Photo
asmith, C:\PS\asmith.jpg
klinton@adatum.com, C:\PS\klinton.jpg
jkuznetsov, C:\PS\jkuznetsov.png
The following PowerShell one-liner command will get the list of users from a CSV file and update (upload) their photos to Active Directory:
Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}
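The one-liner writes whatever the CSV points at into the directory. The following added example (not code from the original article) checks each file before it is uploaded: it enforces the 100 KB attribute limit mentioned above, verifies that the file starts with an image signature, and reports per-user results. Get-ValidatedPhoto is a hypothetical helper, and the accepted signatures (JPEG, PNG, BMP) are an assumption of this example.

```powershell
# Added example, not from the original article. Get-ValidatedPhoto is a hypothetical helper.
Import-Module ActiveDirectory

function Get-ValidatedPhoto {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxBytes = 100KB   # thumbnailPhoto limit stated in this article
    )
    $full  = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    # ReadAllBytes behaves the same in Windows PowerShell 5.1 and PowerShell 6+.
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -lt 4 -or $bytes.Length -gt $MaxBytes) {
        throw "size $($bytes.Length) bytes is outside 4..$MaxBytes"
    }
    # Assumption of this example: accept only JPEG (FFD8FF), PNG (89504E47) or BMP (424D).
    $head = -join ($bytes[0..3] | ForEach-Object { $_.ToString('X2') })
    if ($head -notmatch '^(FFD8FF|89504E47|424D)') {
        throw "unrecognised image signature $head"
    }
    return ,$bytes   # the comma keeps the byte[] from being unrolled
}

# Same file and column names as the import.csv shown above.
$results = foreach ($row in Import-Csv -Path 'C:\PS\import.csv') {
    $user = "$($row.AD_username)".Trim()
    $file = "$($row.Photo)".Trim()
    try {
        $photo = Get-ValidatedPhoto -Path $file
        Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = $photo } -ErrorAction Stop
        [pscustomobject]@{ User = $user; File = $file; Status = 'updated'; Detail = "$($photo.Length) bytes" }
    }
    catch {
        # A missing file, an oversized file, a non-image file or an unknown user ends up here.
        [pscustomobject]@{ User = $user; File = $file; Status = 'skipped'; Detail = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Lowering -MaxBytes to 10KB enforces the recommended size instead of the hard limit.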
How to Export a User Photo from Active Directory to a JPG File?
You can save an AD user photo to a graphic file. To do it, select the user using the Get-ADUser cmdlet:
$ADuser = Get-ADUser jkuznetsov -Properties thumbnailPhoto
And save the contents of thumbnailPhoto attribute to a JPG file:
$ADuser.thumbnailPhoto | Set-Content c:\PS\jkuznetsov.jpg -Encoding byte
Using the following PowerShell script, you can export photos of all users from a specific container (OU) to files:
Import-Module ActiveDirectory
$ADusers= Get-ADUser -Filter * -SearchBase "OU=Users,OU=Paris,DC=woshub,DC=com" -Properties thumbnailPhoto | ? {$_.thumbnailPhoto}
foreach ($ADuser in $ADusers) {
    $name = $ADuser.SamAccountName + ".jpg"
    $ADuser.thumbnailPhoto | Set-Content $name -Encoding byte
}
And finally, here are some useful queries. The first one selects all users who have a photo in the thumbnailPhoto AD attribute:
Get-ADUser -Filter * -properties thumbnailPhoto | ? {$_.thumbnailPhoto} | select Name
The second allows you to find users without a photo:
Get-ADUser -Filter * -properties thumbnailPhoto | ? {(-not($_.thumbnailPhoto))} | select Name
Adding a Photo Tab to the Active Directory Users & Computers Console
If you don’t like PowerShell, you can use the graphical (GUI) tools to manage photos of Active Directory users.
I most often suggest using the small library AdExt.dll, which adds a separate tab for adding a photo directly to the ADUC console.
You can download the AdExt.dll library here — AdExt-dll-ADUC.zip
To install the library, open an elevated command prompt and go to the directory with the .NET Framework binaries:
- For x86 Windows:
cd %WinDir%\Microsoft.NET\Framework\v2.0.50727
- For x64 Windows:
cd %WinDir%\Microsoft.NET\Framework64\v4.0.30319
Install the library with the command:
InstallUtil.exe c:\ps\ad\AdExt.dll
Restart the ADUC (dsa.msc) console, then open the properties of any user. Please note that a new Photo tab has appeared, where you can add or remove a user’s photo.
To uninstall the library, run:
InstallUtil.exe /u c:\ps\ad\AdExt.dll
There are two sections on the Photo tab:
- When uploading a photo via the thumbnailPhoto attribute, the photo is automatically reduced to a resolution of 96×96, and the quality is selected so that the size is no more than 10 Kb.
- If you upload a picture via jpegPhoto, then the image quality is changed so that the photo size is less than 100 Kb.
14 comments
Well articulated.
Thank you for sharing this informative post.
By the way, one can also check out this free Lepide AD bulk image editor tool which helps to manage such AD tasks without having any interruption.
great!
so, if I need to change a hundred users, how can I do it?
Read section “Bulk Import pictures to AD”.
You need to prepare a csv file with two columns: login AD user and path to jpg file with photo.
Then you can set up photo for this list of users using one command:
Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}
Be advised, copycat sighted:
_https://techedge.nl/2017/12/10/how-to-import-user-photo-to-active-directory-using-powershell/
Thanks for the info, but there is no legal means to protect against such a copycatting 🙁
Hi, I know this is an old post but really appreciate the info.
What AD permissions are minimum to allow this photo change? I don’t want the person doing the work to be a domain admin for example.
Thanks
For a non-admin user to be able to modify the photos of other users in AD, you must delegate the Write thumbnailPhoto permission. (Check the property-specific checkboxes “Read thumbnailPhoto” and “Write thumbnailPhoto” on the Permissions of the AD delegation wizard)
In newer and current versions of PS ‘-Encoding byte’ is not valid anymore. So, unfortunately, this script won’t run.
Doesn’t want to work for me. I’m installing on Windows 10 21H1 using an elevated cmd.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>InstallUtil.exe c:\ps\ad\AdExt.dll
Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0
Copyright (C) Microsoft Corporation. All rights reserved.
Exception occurred while initializing the installation:
System.IO.FileLoadException: Could not load file or assembly ‘file:///c:\ps\ad\AdExt.dll’ or one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515).
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>
Mine Installed with no errors but the Tab is not showing. I am also showing the Advanced features under ADUC. My ADUC is a feature on demand version, not sure if that matters for this or not.
thank you very much 😡
that was supposed to be a kiss face not an angry face lol
For PS6 and above, replace ‘-Encoding byte’ with ‘-AsByteStream’
We use an application called Active Directory Photos, by CodeTwo. It is free and works great. I have been using it for several years now.