Posted on November 18, 2016 · Posted in Active Directory, Powershell

How to Import User Photo to Active Directory Using PowerShell

Starting with the Active Directory schema in Windows Server 2000, user objects have a special attribute, thumbnailPhoto, in which a user photo (or any other image) can be stored as binary data. Outlook (since 2010), Lync, SharePoint and other applications can use the data in this attribute to display the user photo in their interface. These photos can also be used as the Windows user account picture.

Let’s consider some simple scenarios of importing user photos to Active Directory and exporting a user’s thumbnail photo from AD to a JPG file on local disk.

The main aspects and restrictions of using user photos in AD:

  • The maximum size of the thumbnailPhoto user attribute, in which the imported photo is stored, is 100 KB. However, the general recommendation is to use an image file of up to 10 KB and 96×96 pixels as a user photo in AD
  • To display a photo in Outlook 2010 or higher, an AD schema of at least version 2008 is required
  • If there are a lot of user photos in AD, replication problems can occur due to the growth of the NTDS.DIT database
  • Users can change their own photo in AD. If you need to delegate the ability to import photos to other users (e.g., the HR department), you need to grant the “Write thumbnailPhoto” permission on the specific OU in AD

How to Import User Photo to AD Using PowerShell

To import a user photo to Active Directory using PowerShell, import the Active Directory Module for Windows PowerShell and use the Set-ADUser cmdlet to update the thumbnailPhoto attribute, passing the contents of the image file as its value.

Import-Module ActiveDirectory
$photo = [byte[]](Get-Content C:\PS\jkuznetsov_photo.jpg -Encoding byte)
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=$photo}

The same in one line:
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\jkuznetsov_photo.jpg" -Encoding byte))}


After these commands have been executed, the user photo stored in the Active Directory database appears in Outlook, Lync, OWA and other clients (it may take some time for replication and the GAL update to complete).


How to Import AD User Photo Using Exchange Shell

Exchange Management Shell supports the same feature of importing AD user photos. To do this, use the Import-RecipientDataProperty cmdlet.

Note. The Import-RecipientDataProperty cmdlet in Exchange 2010 doesn’t allow importing an image larger than 10 KB.

The command to update the photo of the user jkuznetsov will look like this:

Import-RecipientDataProperty -Identity "jkuznetsov" -Picture -FileData ([Byte[]] $(Get-Content -Path "C:\PS\jkuznetsov_photo.jpg" -Encoding Byte -ReadCount 0))

Bulk Import pictures to AD

To import a batch of images to Active Directory for a number of users at a time, we’ll need a CSV file containing the list of accounts and the corresponding photos. The format of import.csv may be as follows:

AD_username,Photo
asmith,C:\PS\asmith.jpg
klinton,C:\PS\klinton.jpg
jkuznetsov,C:\PS\jkuznetso.png

The next command imports the list of users from the CSV file and updates their photos in AD:

Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}
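
The one-liner above writes whatever bytes the CSV points at. The bulk import below is an added example, not part of the original article: it checks each file against the 100 KB attribute limit and the 10 KB recommendation listed earlier before calling Set-ADUser. The JPEG/PNG signature check and the helper name Test-PhotoFile are assumptions of this example.

```powershell
# Added example (not from the original article): validated bulk import.
# Assumes the ActiveDirectory module and the import.csv layout shown above
# (columns AD_username and Photo).
Import-Module ActiveDirectory

$MaxBytes  = 100KB   # maximum size of thumbnailPhoto stated above
$WarnBytes = 10KB    # recommended size stated above

function Test-PhotoFile {
    # Hypothetical helper: returns the file bytes if acceptable, otherwise $null.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or
        -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Missing file: '$Path'"; return $null
    }
    $size = (Get-Item -LiteralPath $Path).Length
    if ($size -eq 0 -or $size -gt $MaxBytes) {
        Write-Warning "Rejected $Path ($size bytes; limit is $MaxBytes)"; return $null
    }
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    # Check the file signature instead of trusting the extension.
    $isJpeg = $bytes.Length -ge 3 -and $bytes[0] -eq 0xFF -and
              $bytes[1] -eq 0xD8 -and $bytes[2] -eq 0xFF
    $isPng  = $bytes.Length -ge 4 -and $bytes[0] -eq 0x89 -and
              $bytes[1] -eq 0x50 -and $bytes[2] -eq 0x4E -and $bytes[3] -eq 0x47
    if (-not ($isJpeg -or $isPng)) {
        Write-Warning "Rejected ${Path}: not a JPEG or PNG file"; return $null
    }
    if ($size -gt $WarnBytes) {
        Write-Warning "$Path exceeds the recommended $WarnBytes bytes"
    }
    return ,$bytes   # unary comma keeps the byte[] from being unrolled
}

foreach ($row in Import-Csv C:\PS\import.csv) {
    $user  = ([string]$row.AD_username).Trim()
    $bytes = Test-PhotoFile -Path ([string]$row.Photo).Trim()
    if ($null -eq $bytes) { continue }   # skip rows that failed validation
    try {
        Set-ADUser -Identity $user -Replace @{thumbnailPhoto = $bytes} -ErrorAction Stop
        Write-Output "Updated $user"
    } catch {
        Write-Warning "Failed to update ${user}: $($_.Exception.Message)"
    }
}
```

Rows that fail validation are skipped with a warning, so one bad file does not stop the rest of the batch.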

How to Export a User Photo from Active Directory to a JPG File

You can save an AD user photo to an image file. To do this, select the user using Get-ADUser:
$ADuser = Get-ADUser jkuznetsov -Properties thumbnailPhoto

And save the contents of the thumbnailPhoto attribute as a JPG file:

$ADuser.thumbnailPhoto | Set-Content jkuznetsov.jpg -Encoding byte

The following script exports the photos of all users in a specific OU to files:

Import-Module ActiveDirectory
# Select only the users in the OU that have a photo set
$ADusers = Get-ADUser -Filter * -SearchBase "OU=Users,OU=Paris,DC=woshub,DC=com" -Properties thumbnailPhoto | ? {$_.thumbnailPhoto}
foreach ($ADuser in $ADusers) {
    # Save each photo as <SamAccountName>.jpg in the current directory
    $name = $ADuser.SamAccountName + ".jpg"
    $ADuser.thumbnailPhoto | Set-Content $name -Encoding byte
}

And finally, here are some useful queries. The first one selects all users that have a photo in their thumbnailPhoto AD attribute:

Get-ADUser -Filter * -properties thumbnailPhoto | ? {$_.thumbnailPhoto} | select Name

The second selects users without a photo:

Get-ADUser -Filter * -properties thumbnailPhoto | ? {(-not($_.thumbnailPhoto))} | select Name

There are a number of third-party tools that let you set photos for AD users in more convenient graphical editors. But as a rule, their functionality is redundant, and there are certain risks in using third-party software to edit AD. Moreover, you can easily make all the changes using PowerShell.
