Windows OS Hub

November 30, 2016 Active Directory, Windows 10

How to Set Windows User Account Picture From Active Directory

In this article we’ll show how to get a user photo from Active Directory and use it as the user account picture in Windows (displayed on the logon and lock screens, in the Start menu, etc.). The algorithm works as follows: during user logon, the system reads the user image from the thumbnailPhoto attribute in Active Directory, saves it to disk and sets it as the user account picture. The solution should work on all supported clients: Windows 10, Windows 8 and Windows 7.

Contents:
  • Import User Photo to Active Directory
  • Providing Permissions to Users to Change Profile Picture
  • Script of Getting a User Photo from AD and Setting an Account Picture
  • Running PowerShell Script Using GPO

Import User Photo to Active Directory

First of all, set photos for all AD users by populating the thumbnailPhoto attribute of every user. We have covered how to do this with PowerShell scripts in detail in the article How to Import User Photo to Active Directory.

Providing Permissions to Users to Change Profile Picture

To let users without administrator privileges change the registry branch that stores the path to the user profile picture, you need to give them permission to edit the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.

The easiest way to do this is with a GPO. Create a new policy and link it to the OU containing user computers.

Then go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new key (Add key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.

Then, in the Security tab, check Full Control for all domain users ([DomainName]\Users) and click OK. In the next window, select Replace existing permissions on all subkeys with inheritable permissions; otherwise users won’t have any privileges on the subkeys.
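To see what this GPO setting actually grants on a client, the following added example (not part of the original article) lists every principal that holds write-type access on the key and its per-user subkeys, and flags broad groups such as Domain Users. Full Control includes the rights to change a key's permissions and owner, so those are reported as well; the list of "broad" SIDs is an assumption of this example.

```powershell
# Added example (not from the original article). Lists every Allow ACE that grants
# write-type access on the AccountPicture\Users key and its per-SID subkeys.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'

# Rights that allow changing values, subkeys, permissions or ownership.
$specific = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry generic rights instead: GENERIC_ALL, GENERIC_WRITE.
$writeMask = [int]$specific -bor 0x10000000 -bor 0x40000000

# Assumption of this example: principals treated as "broad".
# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users, plus Domain Users (RID 513).
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
$domainUsersRid = '-513'

function Get-KeyWriteAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable name: keep it as shown
        $broad = ($broadSids -contains $sid) -or ($sid -like "S-1-5-21-*$domainUsersRid")
        New-Object PSObject -Property @{
            Key       = Split-Path -Path $Path -Leaf
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Broad     = $broad
        }
    }
}

if (Test-Path -Path $base) {
    # The base key first, then each per-user subkey (named after the user's SID).
    $keys = @($base) + @(Get-ChildItem -Path $base | ForEach-Object { $_.PSPath })
    $keys | ForEach-Object { Get-KeyWriteAccess -Path $_ } |
        Sort-Object Key, Identity |
        Format-Table Key, Identity, Rights, Inherited, Broad -AutoSize
} else {
    Write-Warning "Key not found: $base"
}
```

Rows with Broad = True on a subkey named after another user's SID mean that any member of that group can change that user's picture values on this computer.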

Script of Getting a User Photo from AD and Setting an Account Picture

Next we need a script that exports the photo of the current user from Active Directory, saves it as a JPG file and sets it as the user account picture. Since the script has to be universal and work in Windows 7 as well, we cannot use the Get-ADUser cmdlet from the ActiveDirectory module. Instead, AD can be queried using the ADSISearcher type.

A sample SetADPicture.ps1 script is given below:

[CmdletBinding(SupportsShouldProcess=$true)]Param()
# Returns $true when the input is null or empty
function Test-Null($InputObject) { return !([bool]$InputObject) }
# Find the current user in AD through ADSISearcher (no ActiveDirectory module required)
$ADuser = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADuser_photo = $ADuser.thumbnailphoto
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# Continue only if the user has a photo in thumbnailPhoto
If ((Test-Null $ADuser_photo) -eq $false) {
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\ProgramData\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"
    # Create the per-user registry key (named after the SID) if it does not exist
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }
    Try {
        ForEach ($size in $img_sizes) {
            # Per-user picture folder, created hidden on first use
            $dir = $img_base + "\" + $ADuser_sid
            If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
            $file_name = ([string]::format($img_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            # The same photo bytes are written under every size name (no resizing).
            # -ErrorAction Stop makes a failure terminating so that the Catch block runs.
            $ADuser_photo | Set-Content -Path $path -Encoding Byte -Force -ErrorAction Stop
            # Point the ImageNN registry value at the saved file
            $name = [string]::format($reg_value_mask, $size)
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force -ErrorAction Stop
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry."
    }
}

The script gets the value of the thumbnailphoto attribute of the current AD user and saves it to C:\ProgramData\AccountPictures\{User SID}. The folder will contain one picture file per size: Image32.jpg, Image40.jpg, etc. The script does not resize the photo; it writes the same image under each file name.

The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID} contains the Image32, Image40, etc. values, each holding the path to the corresponding picture file.

Running PowerShell Script Using GPO

Now we want SetADPicture.ps1 to run during user logon. The easiest way to do this is with a GPO logon script.

To do this, in User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff), create a new logon policy that runs the PowerShell script:

The script name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe

The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1

Important. Copy SetADPicture.ps1 to the netlogon\script\ folder on the domain controller in advance.

Now you just have to link the policy to the specific OUs, log off and log on to Windows again.

An avatar will be assigned to the user, and it will be correctly displayed as the Windows account picture after the next logon.
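If the picture does not appear after logon, the result of the script can be checked on the client. The following added example (not part of the original article) reads the ImageNN values for the current user and verifies that each one points to an existing JPEG file inside that user's folder under C:\ProgramData\AccountPictures; the function names and status labels are this example's own.

```powershell
# Added example (not from the original article): check what SetADPicture.ps1
# left behind for the currently logged-on user.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\$sid"
$imgDir = "C:\ProgramData\AccountPictures\$sid"
$sizes  = 32, 40, 48, 96, 192, 200, 240, 448

# A JPEG file starts with the bytes FF D8 FF.
function Test-JpegHeader {
    param([Parameter(Mandatory=$true)][string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] 3
        $read = $stream.Read($buf, 0, 3)
        return ($read -eq 3 -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xD8 -and $buf[2] -eq 0xFF)
    }
    finally { $stream.Close() }
}

# One result row per expected ImageNN value.
function Test-AccountPicture {
    $props = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    foreach ($size in $sizes) {
        $name = "Image$size"
        $path = if ($props) { $props.$name } else { $null }
        $status = if (-not $path) { 'MissingValue' }
            elseif (-not $path.StartsWith("$imgDir\", [System.StringComparison]::OrdinalIgnoreCase)) { 'OutsideFolder' }
            elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) { 'MissingFile' }
            elseif (-not (Test-JpegHeader -Path $path)) { 'NotJpeg' }
            else { 'OK' }
        New-Object PSObject -Property @{ Value = $name; Path = $path; Status = $status }
    }
}

Test-AccountPicture | Format-Table Value, Path, Status -AutoSize
```

MissingValue on every row usually means the script could not write to the registry key; OutsideFolder means a value points somewhere other than the folder the script writes to and should be reviewed.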


3 comments

Huiwoo November 3, 2017 - 8:26 am

Hi, I tried all your steps. It works on Windows Server 2016, but the picture doesn't show on a Windows 7 client.

Please advise

JamD November 17, 2017 - 5:07 am

You can set up a picture from AD on a Windows 7 client with the help of the tool https://adusertile.codeplex.com/

“Project Description

When you deploy user pictures in AD, using thumbnailPhoto attribute, and visible in Lync or Exchange address book, they are not by default set on User Tile in logon screen or explorer of Windows 7 or Windows Vista.
This program runs as GPO startup script, and sets user tile from Active Directory”

How to use Active Directory user photos in Windows 10 - Exchange & Office 365 Admin's Blog December 28, 2017 - 2:15 pm

[…] script that we’re going to use was found on this site. You can adjust this code to your needs, or just copy it as it is and paste it into an empty text […]
