Active Directory - user photos not only for Outlook 2010

New description in the article Exchange 2016 and user photos.

User photo in AD

In Active Directory, there are two attributes for storing photos/images. They are called thumbnailPhoto and jpegPhoto. The first is intended for thumbnails (small images), the second for normal images. However, storing larger images in AD should be considered carefully due to the increase in database size. Microsoft has not yet come up with a GUI for editing these attributes, even though Active Directory Users and Computers (ADUC) is an ideal candidate. Fortunately, we have PowerShell available today.

Before the arrival of Windows Server 2008, the only option was to edit the attribute directly (for example through ADSIEdit) and enter the hex data of the image. Of course, it's not a problem to write a simple application (for example in PHP) that edits the attribute using LDAP commands. Another option is to extend ADUC with the ability to edit comfortably in GUI. With the arrival of Windows Server 2008, PowerShell, and the ActiveDirectory module, we have the option to use PowerShell commands.

Outlook 2010 and user photos

With the arrival of Outlook 2010, photos in AD began to be discussed more, because they are finally integrated into the mail. Generally, Outlook 2010 uses a number of personal data and allows connection to various social and communication networks and systems (such as IM or IP telephony).

In all places where user information is displayed (and also in the header and end of the email), their photo can be shown if Outlook has it available. First, Outlook looks at locally stored contacts, if the photo is not there, it can look in Active Directory (of course in a domain environment). The actual mediation of photos is not done by Exchange Server, but Outlook itself communicates with the domain controller. Photos are not included in the Global Address List (GAL) and will not become part of the sent messages. So they will not get outside the company in any way.

As we said, photos are downloaded directly from the domain controller (and Outlook doesn't cache them long-term, so they are downloaded again each time). If we capture ongoing communication, we can see encrypted connections to the DC where the photos are downloaded. Interestingly, when we use Outlook Anywhere (formerly RPC over HTTP), the photos also work and are downloaded through that encrypted connection with the Exchange server (I don't know how it works).

The user's photo is searched for in the thumbnailPhoto attribute for the given user. As we said, this has been here since Windows Server 2000, but if you don't have a Windows Server 2008 domain, the photos won't work for you. Because the value of the mAPIID attribute is first verified, which must be 35998, which is the case for AD Windows Server 2008 (at least that's what I found on the internet).

If we have Exchange Server 2010, we also have a new PowerShell command Import-RecipientDataProperty available for inserting photos. But as we'll see later, it doesn't bring anything new compared to the standard command from the ActiveDirectory module. Yet from discussions on the internet, it seems to me that even people from the MS Exchange Server team don't know this simple method.

Import-RecipientDataProperty -Identity Ayla -Picture -FileData ([Byte[]]$(Get-Content -Path "M:\Employee Photos\AylaKol.jpg" -Encoding Byte -ReadCount 0))

The thumbnailPhoto attribute is not normally replicated to the Global Catalog (GC) and all internet guides state that this needs to be changed (using the Active Directory Schema snap-in). In practice, I verified that it's not necessary, but probably only if we have just one domain. It's also stated that if we don't have Exchange 2010 and use Cached Exchange mode in Outlook, the images won't work for us. Reportedly, only Exchange 2010 extends GAL with links to photos in AD. I use Exchange Server 2007, Outlook 2010, Cached Exchange mode and everything works for me.

One more interesting note on this topic. Outlook 2010 also contains a one-way data synchronization function from Exchange GAL to contacts. It only works for already existing records in contacts and compares the SMTP address. So we can create a local contact with only the email address entered and other data, including the photo, will synchronize for us from Active Directory.

Image parameters for thumbnailPhoto

The image we want to insert into the thumbnailPhoto attribute must meet several conditions (although it's often said that it should meet them). The image format must be JPG (GIF is mentioned somewhere, I haven't tested it). Its size is important, which must not exceed 10 kB. And the recommended dimensions of the image are 96 x 96px.

Editing thumbnailPhoto using ADUC extension

We can write our own extension for Active Directory Users and Computers to edit user photos (there are many guides on the internet), but since Oli Dewdney wrote a functional library, we can use that. It can be downloaded from www.dewdney.co.uk/adext/adext.zip, where the zip contains the library itself and instructions on how to register it. I tested the library under Windows 7 64 bit and it works correctly and comfortably. It also does the work of resizing and cropping the inserted image to the required dimensions (which may not always look best). The image editing is then found on a new tab in the user properties. So everything is comfortable, clear, and functional. The only problem is when we want to edit a large number of users at the beginning, a script is more suitable for that.

Editing thumbnailPhoto using PowerShell

I don't have Exchange Server 2010 deployed, so I was looking to see if there was another convenient way to insert images, especially in batch mode. I found several discussions and seemingly complex procedures on how to use PowerShell, until I came across an excellent, simple method described in the article How To: Use AD PowerShell to Manage Outlook 2010 User Photos with Previous Versions of Exchange.

Two simple commands are used and everything works. The first one loads the image from a file into a variable and the second inserts it into the appropriate attribute. However, the image size is not checked, etc., so we have to prepare them in advance.

$photo = [byte[]](Get-Content c:\bouska.jpg -Encoding byte)
Set-ADUser bouska -Replace @{thumbnailPhoto=$photo}

Similarly, we can also save the user's image to a file.

$user = Get-ADUser bouska -Properties thumbnailphoto
$user.thumbnailphoto | Set-Content c:\bouska.jpg -Encoding byte

Editing thumbnailPhoto using PHP

Just as a brief outline of possibilities, I'll give an example of code that displays a photo from the user's thumbnailPhoto attribute. Writing the attribute is similar. I described a short introduction to using LDAP under PHP in the article How to use LDAP and LDAPS in PHP under Windows.

<?php
function showPictures($user) {
  if($connect = @ldap_connect("ldaps://IP_of_domain_controller")){
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if($bind = @ldap_bind($connect, "CN=User,OU=Users,DC=company,DC=local", "password")){
      $sr=ldap_search($connect, "OU=Users,DC=company,DC=local", "(sAMAccountName={$user})");                                
      $entry = ldap_first_entry($connect, $sr);
      $info = ldap_get_values_len($connect, $entry, "thumbnailPhoto");
      echo $info[0];          
      @ldap_close($connect);
      return(true);
    }
  }
  @ldap_close($connect);
  return(false);
}
Header("Content-type: image/jpeg");
Header("Content-disposition: inline; filename=jpeg_photo.jpg");
showPictures($_GET["user"]);
?>