Note: It seems simple at first glance and can be used simply. But if someone wants to know exactly how it works, they're out of luck. Microsoft's description is close to zero.
Many years ago, I described this topic in the article Active Directory - user photos not only for Outlook 2010. This article mainly covers what is new when using Exchange Server 2016. Some official (quite insufficient) information can be found in Manage access to high-resolution user photos and Configure the use of high-resolution photos in Skype for Business Server.
Photo resolution and location
Thumbnails in AD DS
The user photo (thumbnail) in Active Directory Domain Services (AD DS) is stored in the thumbnailPhoto attribute of the user account object. The file size can be a maximum of 100 kB, but it's recommended to be up to 10 kB (the Import-RecipientDataProperty cmdlet on Exchange 2010 allowed uploading a maximum 10 kB image).
Previously, it was stated everywhere that the recommended resolution is 96 x 96 px. When we use the new (since Exchange 2013) cmdlet Set-UserPhoto, the photo is stored on Exchange, but a thumbnail (thumbnailPhoto) of size 64 x 64 px is also created. According to Microsoft's information for older versions, it appears that on Exchange 2013, only a size of 48 x 48 px was stored.
Photos on Exchange server
Higher resolution photos are stored on the Exchange server in the user's mailbox. Microsoft states (for example, in the description of the Set-UserPhoto cmdlet) that it's stored in the root directory of the user's Exchange mailbox. I tried to find a way to view these stored photos directly in the mailbox, but in vain. I tried, for example, MFCMAPI, but I didn't find any such object.
According to the description, 24-bit JPEG is supported with a maximum resolution of 648 x 648 px and a maximum size of 500 kB. We can use a source file with higher resolution, and the dimensions will be automatically changed during saving.
Various resolutions
Microsoft lists the use of various image resolutions as follows:
- 648 x 648 px - used by Skype for Business or Lync 2013
- 96 x 96 px - used by Outlook from version 2013, OWA or Skype for Business if a better one is not available
- 64 x 64 px (or 48 x 48 px) - used if a better resolution is not available
For example, in the article How user photos are displayed in Lync, it's directly stated that if we had photos with a resolution of 96 x 96 px stored in AD DS, then when uploading an image with higher resolution to Exchange, our thumbnail in AD DS will be overwritten with a worse resolution. This affects, for example, Lync and Outlook 2010 clients.
Note: We'll discuss more about resolution variants later.
Uploading a user photo
The image can be uploaded (or changed or removed) by:
- users for themselves using the Outlook on the Web interface (or by an administrator using impersonation); the image is saved on Exchange and in AD DS
- a mail administrator for all mailboxes using Exchange Management Shell; the image is saved on Exchange and in AD DS
- a domain administrator for all users, by writing the thumbnailPhoto attribute using the PowerShell AD module or a special application; the image is saved only in AD DS
Inserting an image
Further, we'll focus mainly on Exchange Management Shell (EMS) and cmdlets Set-UserPhoto, Remove-UserPhoto, Get-UserPhoto.
The configuration for uploading a user photo is simple. In the example, we assume that a JPG file is stored on disk D and confirmation is turned off in the command.
Set-UserPhoto -Identity bouska -PictureData ([System.IO.File]::ReadAllBytes("D:\bouska.jpg")) -Confirm:$false
The Set-UserPhoto cmdlet adjusts the size and uploads the image in higher resolution (if the source file is large enough) to the user's mailbox and also creates a thumbnail, which it saves to the user account in AD DS in the thumbnailPhoto attribute. The same happens if the user uploads a photo themselves using Outlook on the Web.
Until now, I have (for many years) uploaded the photo to the thumbnailPhoto attribute with the Set-ADUser cmdlet. This command saves the binary data directly to the attribute, without any modifications.
Set-ADUser -Identity bouska -Replace @{thumbnailPhoto=([byte[]](Get-Content D:\bouska2.jpg -Encoding byte))}
Image resizing
As we mentioned, the Set-UserPhoto cmdlet saves a thumbnail of size 64 x 64 px to AD DS. If we want to have thumbnails in 96 x 96 px resolution, we can resize the photo and insert it using the Set-ADUser command above. On the internet, we can find many scripts (of similar principle) on how to resize an image with PowerShell. I mainly dealt with the format and quality of JPG (90% in the example).
Add-Type -AssemblyName System.Drawing
# Load the source photo and draw it scaled onto a 96 x 96 px bitmap
$src = [System.Drawing.Image]::FromFile('D:\bouska.jpg')
$img = New-Object System.Drawing.Bitmap(96, 96)
$graphics = [System.Drawing.Graphics]::FromImage($img)
$graphics.DrawImage($src, 0, 0, 96, 96)
# Select the JPEG encoder and set the quality to 90 %
$jpegCodecInfo = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | where {$_.MimeType -eq 'image/jpeg'}
$encoderParams = New-Object System.Drawing.Imaging.EncoderParameters(1)
$encoderParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter([System.Drawing.Imaging.Encoder]::Quality, 90)
$img.Save("D:\bouska2.jpg", $jpegCodecInfo, $encoderParams)
# Release the GDI+ objects and the lock on the source file
$graphics.Dispose()
$src.Dispose()
$img.Dispose()
Retrieving information
We can see who has content in the thumbnailPhoto attribute, i.e., uploaded photo in AD DS.
Get-ADUser -Filter * -Properties thumbnailphoto | FT Name, thumbnailPhoto
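Because Set-ADUser writes the bytes unmodified, it is worth checking what actually sits in the attribute. The following audit compares each stored thumbnailPhoto with the limits mentioned earlier (100 kB maximum, 10 kB recommended). It is an added example, not part of the original article; it assumes the ActiveDirectory module is available, and the function name Test-ThumbnailPhoto is hypothetical.

```powershell
# Added example (not from the original article). Test-ThumbnailPhoto is a hypothetical helper.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Drawing

function Test-ThumbnailPhoto {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # A JPEG starts with FF D8 FF, shown as 255, 216, 255 in the PictureData output
    $isJpeg = $Bytes.Length -ge 3 -and $Bytes[0] -eq 0xFF -and
              $Bytes[1] -eq 0xD8 -and $Bytes[2] -eq 0xFF
    $width = $null
    $height = $null
    if ($isJpeg) {
        $stream = New-Object System.IO.MemoryStream(,$Bytes)
        try {
            $image = [System.Drawing.Image]::FromStream($stream)
            $width = $image.Width
            $height = $image.Height
            $image.Dispose()
        } catch {
            $isJpeg = $false   # JPEG header present, but the data does not decode
        } finally {
            $stream.Dispose()
        }
    }
    [pscustomobject]@{
        SizeKB    = [math]::Round($Bytes.Length / 1KB, 1)
        IsJpeg    = $isJpeg
        Width     = $width
        Height    = $height
        Over10KB  = $Bytes.Length -gt 10KB    # above the recommended size
        Over100KB = $Bytes.Length -gt 100KB   # above the stated maximum
    }
}

# Query only accounts that actually have a value in thumbnailPhoto
Get-ADUser -LDAPFilter '(thumbnailPhoto=*)' -Properties thumbnailPhoto | ForEach-Object {
    $user = $_
    Test-ThumbnailPhoto -Bytes $user.thumbnailPhoto |
        Add-Member -NotePropertyName Name -NotePropertyValue $user.Name -PassThru
} | Sort-Object SizeKB -Descending |
    Format-Table Name, SizeKB, IsJpeg, Width, Height, Over10KB, Over100KB -AutoSize
```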
We can try the EMS cmdlet, which returns information about the user photo. In practice, four situations can occur:
- the user doesn't have a mailbox
PS D:\> Get-UserPhoto operator
The operation couldn't be performed because object 'operator' couldn't be found on 'dc.firma.local'.
- the user doesn't have any photo (not even in AD DS)
PS D:\> Get-UserPhoto jan.bilek
There is no photo stored here..
- the user has a photo uploaded in the thumbnailPhoto attribute
PS D:\> Get-UserPhoto novak
SerializationData : {0, 1, 0, 0...}
Identity : firma.local/Firma/Novák Jan
PictureData : {255, 216, 255, 224...}
Thumbprint :
IsValid : True
ObjectState : New
- the user has a photo set on the Exchange server as well
PS D:\> Get-UserPhoto bouska
SerializationData : {0, 1, 0, 0...}
Identity : firma.local/Firma/Bouška Petr
PictureData : {255, 216, 255, 224...}
Thumbprint : -1379130797
IsValid : True
ObjectState : New
Saving the image to a file
We can save the content of the AD DS thumbnailPhoto attribute to a file, i.e., save the user's photo.
$user = Get-ADUser bouska -Properties thumbnailPhoto
$user.thumbnailPhoto | Set-Content D:\bouska.jpg -Encoding byte
If we directly saved an image with a resolution of 96 x 96 px to the attribute, such an image will be downloaded. If we used the Set-UserPhoto cmdlet, the downloaded image has a resolution of 64 x 64 px.
We can also download the image in higher resolution from the Exchange server.
$user = Get-UserPhoto bouska
$user.PictureData | Set-Content D:\bouska.jpg -Encoding byte
If the image is only in AD DS, this command will return the image from AD DS. If we uploaded a larger image to Exchange, the image from the Exchange server will be downloaded. But in that case, it always (if it exists) downloads the size 240 x 240 px. I thought this meant that the 648 x 648 px size mentioned by Microsoft isn't used at all. But after further investigation and experiments, I found that apparently a series of different resolutions are stored on the Exchange server (or maybe just the largest possible and resize happens online).
Displaying images in different resolutions
To display a user's photo, we can use Exchange Web Services (EWS), where we specify the user by their email address and set the resolution. For more information, see Get user photos by using EWS in Exchange.
https://mail.firma.cz/ews/Exchange.asmx/s/GetUserPhoto?email=bouska@firma.cz&size=HR648x648
The size parameter accepts only a supported value; otherwise we get an error. The supported resolutions are, according to SizeRequested, HR48x48, HR64x64, HR96X96, HR120X120, HR240X240, HR360X360, HR432X432, HR504X504, HR648X648.
Practical tests show that when we upload a photo, it's cropped to a square format and reduced to the nearest lower supported resolution. For example, when we upload a 400 x 531 px photo, it's adjusted to 360 x 360 px. When displaying the image in HR360X360, HR432X432, HR504X504, HR648X648, it always returns a photo with a resolution of 360 x 360 px.
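The test described above can be repeated for any mailbox by requesting every supported size and recording the dimensions of what actually comes back. This is an added example, not part of the original article; it reuses the URL and address shown above and assumes that the current Windows credentials are accepted by EWS.

```powershell
# Added example (not from the original article); run as a user who can sign in to EWS.
Add-Type -AssemblyName System.Drawing

$ewsUrl = 'https://mail.firma.cz/ews/Exchange.asmx/s/GetUserPhoto'  # URL from the article
$email  = 'bouska@firma.cz'
$sizes  = 'HR48x48', 'HR64x64', 'HR96X96', 'HR120X120', 'HR240X240',
          'HR360X360', 'HR432X432', 'HR504X504', 'HR648X648'

$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true   # assumption: integrated Windows authentication

$results = foreach ($size in $sizes) {
    $uri = '{0}?email={1}&size={2}' -f $ewsUrl, [uri]::EscapeDataString($email), $size
    $row = [ordered]@{ Requested = $size; Returned = $null; Bytes = $null; Error = $null }
    try {
        $data   = $client.DownloadData($uri)
        $stream = New-Object System.IO.MemoryStream(,$data)
        $image  = [System.Drawing.Image]::FromStream($stream)
        # Actual pixel dimensions of the returned photo, independent of the requested size
        $row.Returned = '{0}x{1}' -f $image.Width, $image.Height
        $row.Bytes    = $data.Length
        $image.Dispose()
        $stream.Dispose()
    } catch {
        # For example: no photo stored, rejected size value, or failed authentication
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$client.Dispose()

$results | Format-Table -AutoSize
```

Rows where Returned is smaller than Requested show the largest size stored for that mailbox.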
Note: On the Exchange server, there's a folder C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\photos, which is probably a cache.
Blocking user photo changes
By default, every user has the option to change their photo in the Outlook on the Web interface. A link from the Skype for Business application also leads here if we choose Edit Picture. In OWA, the editing is located in Options - General - My Account. Alternatively, we can just click on the profile picture in the upper right corner.

We can prevent image editing in several ways. On the internet, we can find many discussions and articles, such as Prevent Users from Changing Photo in OWA. I find it best to use the Outlook on the Web Mailbox Policy (OwaMailboxPolicy) and the SetPhotoEnabled parameter of the Set-OwaMailboxPolicy cmdlet.
I was under the impression, and it's stated in many places on the internet, that if no OwaMailboxPolicy is set on the mailbox, the Default policy is automatically applied. However, a practical test immediately shows that this is not the case. Maybe the behavior changed with Exchange 2013. The only official info I found is that for Exchange Online, the default policy is applied to all mailboxes.
We'll work best in the Exchange Management Shell (EMS). The Exchange Admin Center (EAC) doesn't support many things. We can use the Default policy, create a new one, or combine them in various ways.
Listing existing policies OwaMailboxPolicy and values for photos.
PS D:\> Get-OWAMailboxPolicy | FT Name,*Photo*
Name    DisplayPhotosEnabled SetPhotoEnabled SetPhotoURL
----    -------------------- --------------- -----------
Default                 True            True
Setting a ban on photo editing for all policies.
Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -SetPhotoEnabled $False
Listing which policy a user has set
PS D:\> Get-CASMailbox bouska | FT Name, OWA*
Name        OwaMailboxPolicy OWAEnabled OWAforDevicesEnabled
----        ---------------- ---------- --------------------
Bouška Petr                        True                 True
Listing users who have the Default policy assigned.
Get-CASMailbox | Where-Object { $_.OwaMailboxPolicy -like 'Default' } | FT Name, OWA*
Listing users who don't have a policy assigned.
Get-CASMailbox | Where-Object { $_.OwaMailboxPolicy -eq $null } | FT Name, OWA*
Assigning the Default policy to a specific user.
Set-CASMailbox bouska -OwaMailboxPolicy Default
Assigning the Default policy to all users who don't have any policy assigned.
Get-CASMailbox | Where-Object { $_.OwaMailboxPolicy -eq $null } | Set-CASMailbox -OwaMailboxPolicy Default
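To verify the result, the following report lists every mailbox that can still change its photo, either because its policy allows it or because, as observed above, it has no policy assigned and therefore is not covered by Default. This is an added example, not part of the original article; it assumes an on-premises EMS session in which the OwaMailboxPolicy value converts to the policy name.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.

# Index the policies by name so each mailbox can be matched to its settings
$policies = @{}
Get-OwaMailboxPolicy | ForEach-Object { $policies[$_.Name] = $_ }

Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    # Assumption: the string form of OwaMailboxPolicy is the policy name (e.g. 'Default')
    $policyName = "$($_.OwaMailboxPolicy)"
    $policy = if ($policyName) { $policies[$policyName] } else { $null }

    if (-not $policy) {
        # No policy assigned (or not found): SetPhotoEnabled = $false is not enforced here
        $setPhoto = 'no policy'
        $flag     = $true
    } else {
        $setPhoto = $policy.SetPhotoEnabled
        $flag     = [bool]$policy.SetPhotoEnabled
    }

    [pscustomobject]@{
        Mailbox          = $_.Name
        OwaMailboxPolicy = if ($policyName) { $policyName } else { '(none)' }
        SetPhotoEnabled  = $setPhoto
        NeedsAttention   = $flag
    }
} | Where-Object { $_.NeedsAttention } |
    Sort-Object OwaMailboxPolicy, Mailbox |
    Format-Table Mailbox, OwaMailboxPolicy, SetPhotoEnabled -AutoSize
```

An empty result means every mailbox has a policy with SetPhotoEnabled set to False.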