
October 22, 2019 | Active Directory, Group Policies, Windows 10, Windows Server 2016

How to Use AD Photo as User Profile Picture in Windows 10?

Outlook, SharePoint, Skype for Business, Office365 and other Microsoft apps can show the Active Directory (or Azure AD) photo of the currently logged-in user as the user avatar in their interface. In this article, we will show you how to use Group Policy and a PowerShell script to set the user photo from Active Directory as the user profile picture (avatar) in Windows 10 (the Windows profile picture is displayed on the Lock Screen, the Welcome Screen, in the Start Menu, etc.).

Our script will work as follows: when a user logs on to Windows 10, a PowerShell script runs; it gets the user’s photo from the thumbnailPhoto user attribute in Active Directory, saves the image file to a local drive and sets this file as the user account picture in the current profile. The solution should work on all supported clients: Windows 10, 8.1, 7 and on RDS hosts running Windows Server 2016/2012 R2.

Contents:
  • How to Set Photo for an Active Directory User?
  • Providing Permissions to Users to Change Profile Picture in Windows
  • PowerShell Script to Get the AD User’s Photo and Set the User Profile Picture in Windows 10
  • Running PowerShell Script to Bind Photos to a Profile Using GPO

How to Set Photo for an Active Directory User?

First of all, set photos for AD users by uploading image files to the thumbnailPhoto user attribute. You can do this with third-party tools or with the ActiveDirectory module for Windows PowerShell. Note that the avatar image file size must not exceed 100 Kb, with an image resolution of up to 96 × 96 pixels. You can set the AD account image for the user jchan as follows:

$photo = [byte[]](Get-Content C:\PS\jchan_photo.jpg -Encoding byte)
Set-ADUser jchan -Replace @{thumbnailPhoto=$photo}


We have considered in detail how to manage AD user photos using PowerShell in the article How to Import User Photo to Active Directory.

Providing Permissions to Users to Change Profile Picture in Windows

In Windows 10 you can set the user account profile picture through the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users. However, non-admin users don’t have the necessary permissions to add values to this registry key. To allow users without administrator privileges to change the profile picture, you must grant them write permissions to this registry key.

It is easier to deploy the registry key permissions in an AD domain using a GPO:

  1. Run the Group Policy Management console (gpmc.msc), create a new policy and link it to the OU with the users’ computers;
  2. In the GPO editor, go to the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new registry key (Add key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users;
  3. In the Security tab, check the Full Control permissions for all domain users ([DomainName]\Users) and click OK;
  4. In the next window, select the option Replace existing permission on all sub keys with inheritable permissions, otherwise users won’t have any privileges for the nested registry subkeys.
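
To confirm what the policy actually granted on a client, the added example below (not part of the original article) lists every identity with write access to the AccountPicture\Users key and its per-SID subkeys. It assumes PowerShell 3.0 or later; the function name Get-RegistryWriter and the Baseline column are illustrative.

```powershell
# Added example (not from the article): list who can write under the AccountPicture key.
# Assumes PowerShell 3.0+ on a client where the GPO has already applied.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'

# Rights that let a principal change values, add or delete subkeys, or rewrite the ACL,
# plus GENERIC_ALL / GENERIC_WRITE (0x50000000), which appear on inherit-only ACEs.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000

# SYSTEM and BUILTIN\Administrators are the writers expected on an HKLM key.
$baselineSids = 'S-1-5-18', 'S-1-5-32-544'

function Get-RegistryWriter {
    param([Parameter(Mandatory = $true)][string]$Path)

    $leaf    = Split-Path -Path $Path -Leaf      # 'Users' or a user's SID
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs (locale independent).
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        [pscustomobject]@{
            Key       = $leaf
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            # True for SYSTEM, Administrators, or the user the subkey belongs to.
            Baseline  = ($baselineSids -contains $sid) -or ($sid -eq $leaf)
        }
    }
}

# Check the parent key and every per-user (SID-named) subkey beneath it.
$keys = @($root) + @(Get-ChildItem -Path $root | ForEach-Object { $_.PSPath })
$keys | ForEach-Object { Get-RegistryWriter -Path $_ } |
    Sort-Object Baseline, Key | Format-Table -AutoSize
```

Rows where Baseline is False show the access added on top of the defaults, including the domain users group from step 3, which with inherited Full Control can also write to other users' SID subkeys.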

PowerShell Script to Get the AD User’s Photo and Set the User Profile Picture in Windows 10

Next, we need a PowerShell script that gets the photo of the current user from Active Directory, saves it to a jpg file and sets it as the Windows user profile picture. There are two ways to get the user photo from AD. You can use the Get-ADUser cmdlet from the ActiveDirectory module (this module must be installed on all computers via RSAT, or you can just copy the necessary RSAT-AD-PowerShell module files without installing RSAT). Since the script has to be universal and work in Windows 7 as well, we won’t use the RSAT-AD-PowerShell module; instead, we will access AD through the ADSISearcher .NET type accelerator.

An example of the SetADPicture.ps1 script to get a user’s photo from AD and set it as a Windows account avatar picture is given below:

[CmdletBinding(SupportsShouldProcess=$true)]Param()
function Test-Null($InputObject) { return !([bool]$InputObject) }
# Look up the current user in AD and read the thumbnailPhoto attribute
$ADuser = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADuser_photo = $ADuser.thumbnailphoto
# SID of the logged-on user; used for the folder name and the registry subkey
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
If ((Test-Null $ADuser_photo) -eq $false) {
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\Users\Public\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }
    Try {
        ForEach ($size in $img_sizes) {
            # Hidden per-user folder under the public AccountPictures directory
            $dir = $img_base + "\" + $ADuser_sid
            If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
            $file_name = ([string]::format($img_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            # -ErrorAction Stop turns cmdlet errors into terminating ones so that Catch runs
            $ADuser_photo | Set-Content -Path $path -Encoding Byte -Force -ErrorAction Stop
            # Point the ImageNN registry value at the saved file
            $name = [string]::format($reg_value_mask, $size)
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force -ErrorAction Stop
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry."
    }
}

The script gets the value of the thumbnailphoto attribute of the current AD user and saves it to the local folder C:\Users\Public\AccountPictures\{User SID}. The folder will contain one picture file for each size (from 32×32 to 448×448 pixels) used by different Windows 10 interface elements: image32.jpg, image40.jpg, etc. The script writes the same AD image under each of these names.
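
The logon script writes whatever bytes the thumbnailPhoto attribute holds to disk under a .jpg name. As an added example (not part of the original script), the function below checks that the data is a JPEG within the 100 Kb and 96 × 96 limits mentioned above before it is saved; Test-ThumbnailPhoto and the sample bytes are constructed for illustration.

```powershell
# Added example (not from the article): validate thumbnailPhoto bytes before saving them.
function Test-ThumbnailPhoto {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Bytes,
        [int]$MaxBytes = 100KB,   # size limit given in the article
        [int]$MaxSide  = 96       # resolution limit given in the article
    )
    if ($Bytes.Length -gt $MaxBytes) { return $false }
    # A JPEG stream starts with the SOI marker FF D8.
    if ($Bytes.Length -lt 4 -or $Bytes[0] -ne 0xFF -or $Bytes[1] -ne 0xD8) { return $false }

    $i = 2
    # Walk the segments: FF, marker byte, 2-byte big-endian length, payload.
    while ($i + 9 -le $Bytes.Length) {
        if ($Bytes[$i] -ne 0xFF) { return $false }      # malformed: fail closed
        $marker = $Bytes[$i + 1]
        $len    = $Bytes[$i + 2] * 256 + $Bytes[$i + 3]
        if ($len -lt 2) { return $false }
        # SOF0..SOF15 carry the frame size; C4, C8 and CC are not frame headers.
        $isSof = ($marker -ge 0xC0) -and ($marker -le 0xCF) -and
                 ($marker -ne 0xC4) -and ($marker -ne 0xC8) -and ($marker -ne 0xCC)
        if ($isSof) {
            $height = $Bytes[$i + 5] * 256 + $Bytes[$i + 6]
            $width  = $Bytes[$i + 7] * 256 + $Bytes[$i + 8]
            return ($height -gt 0 -and $width -gt 0 -and
                    $height -le $MaxSide -and $width -le $MaxSide)
        }
        $i += 2 + $len                                   # skip to the next segment
    }
    return $false                                        # no frame header found
}

# Constructed sample: SOI, a 4-byte APP0 stub, then an SOF0 header for 96 x 96.
[byte[]]$sample = 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x00,0x00,
                  0xFF,0xC0,0x00,0x0B,0x08,0x00,0x60,0x00,0x60,0x01,0x01,0x11,0x00
Test-ThumbnailPhoto -Bytes $sample
# Constructed negative case: a PNG signature is rejected at the SOI check.
Test-ThumbnailPhoto -Bytes ([byte[]](0x89,0x50,0x4E,0x47))
```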


The binding of photos to the user profile is performed via the parameter in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID}.


Running PowerShell Script to Bind Photos to a Profile Using GPO

Now we want to run the SetADPicture.ps1 script when a user logs on to Windows. The easiest way to do this is with a GPO logon script.

To do it, in the previously created policy in the section User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) create a new PowerShell logon script:

  • The script name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
  • The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1


Important. The SetADPicture.ps1 script must be previously copied to the netlogon\script\ folder on the domain controller.

In the policy settings, enable the GPO loopback processing mode (Computer Configuration -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy Loopback Processing mode = Merge). In this mode, you can apply the policy to an OU with user accounts.

You just have to link the policy to the specific OUs, log off and log on to Windows again.

To diagnose GPO on target computers, use the gpresult tool and the article “Group Policy not applying”.


An avatar will be assigned to the Windows 10 user profile, and it will be correctly displayed as an account picture in the Start menu, on the Welcome Screen and other places after the next logon. This profile photo assignment guide has been tested on Windows 10 LTSC (1809).


2 comments

Huiwoo November 3, 2017 - 8:26 am

Hi, I tried all your steps. It works on Windows Server 2016, but the picture doesn't show on the Windows 7 client.

Please advise

JamD November 17, 2017 - 5:07 am

You can set up a picture from AD on a Windows 7 client with the help of the tool https://adusertile.codeplex.com/

“Project Description

When you deploy user pictures in AD, using thumbnailPhoto attribute, and visible in Lync or Exchange address book, they are not by default set on User Tile in logon screen or explorer of Windows 7 or Windows Vista.
This program runs as GPO startup script, and sets user tile from Active Directory”
