Posted on November 30, 2016 · Posted in Active Directory, Windows 10

How to Set Windows User Account Picture From Active Directory

In this article we’ll show how to get a user photo from Active Directory and use it as the user account picture in Windows (displayed on the logon and lock screens, in the Start menu, etc.). The algorithm works as follows: during user logon, the system reads the user image from the thumbnailPhoto attribute in Active Directory, saves it to disk and sets it as the user account picture. The solution should work on all supported clients: Windows 10, Windows 8 and Windows 7.

Import User Photo to Active Directory

So, first of all, set photos of all AD users by populating the thumbnailPhoto attribute for every user. How to do this with PowerShell scripts is covered in detail in the article How to Import User Photo to Active Directory.

windows account picture from ad thumbnailPhoto

Providing Permissions to Users to Change Profile Picture

To let users without administrator privileges change the registry branch in which the path to the user profile picture is set, you need to grant them permission to edit the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.

It is easier to do it using GPO. Create a new policy and link it to the OU containing user computers.

Then go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new key (Add key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.

AccountPicture registry key via GPO

Then, in the Security tab, check Full Control for all domain users ([DomainName]\Users) and click OK. In the next window, select Replace existing permissions on all subkeys with inheritable permissions, otherwise users won’t have any rights to the subkeys. Keep in mind that the subkeys are named by SID and the permission is inherited by all of them, so every domain user can then rewrite the picture paths of any other user on that computer, not only their own; scope the policy to the OUs where it is actually needed.

setting registry permissions via GPO

Script of Getting a User Photo from AD and Setting an Account Picture

Then we need a script that exports the photo of the current user from Active Directory, saves it as a JPG file and sets it as the user account picture. Since the script has to be universal and also work on Windows 7, we cannot use the Get-ADUser cmdlet from the ActiveDirectory module; instead, AD is queried with the ADSISearcher type accelerator (System.DirectoryServices.DirectorySearcher), which is available on every client.

A sample of SetADPicture.ps1 script is given below:

[CmdletBinding(SupportsShouldProcess=$true)]
Param()

# Look up the current user in AD without the ActiveDirectory module (works on Windows 7 too)
$result = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne()
If ($null -eq $result) { Write-Error "User $env:username not found in Active Directory."; return }
$ADuser = $result.Properties
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# thumbnailPhoto comes back as a value collection; take the first entry as a byte array
$ADuser_photo = $null
If ($ADuser.thumbnailphoto.Count -gt 0) { $ADuser_photo = [byte[]]$ADuser.thumbnailphoto[0] }

If ($null -ne $ADuser_photo -and $ADuser_photo.Length -gt 0) {
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\ProgramData\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"
    # Creating the per-SID subkey needs the write permission granted via GPO above
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key | Out-Null }
    Try {
        $dir = $img_base + "\" + $ADuser_sid
        If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
        ForEach ($size in $img_sizes) {
            $file_name = [string]::format($img_mask, $size)
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            # The same JPEG bytes are written once per size name Windows looks for
            [System.IO.File]::WriteAllBytes($path, $ADuser_photo)
            $name = [string]::format($reg_value_mask, $size)
            New-ItemProperty -Path $reg_key -Name $name -Value $path -Force | Out-Null
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry: $_"
    }
}

The script gets the value of the thumbnailphoto attribute of the current AD user and saves it to C:\ProgramData\AccountPictures\{User SID}. The folder will contain copies of the picture under the file names Windows expects for the different sizes: image32.jpg, image40.jpg, etc.

ProgramData AccountPictures

The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID} contains the Image* values that bind each account picture size to its image file.

AccountPicture
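Because the GPO above gives every domain user write access to the whole Users key, it is worth checking on a client what the policy actually granted and whether the values under the current user's SID still point at JPEG files in the expected folder. The following verification script is an added example, not part of the original article; it assumes the permissions GPO has applied and SetADPicture.ps1 has run at least once for the current user, and only reads the registry and the files.

```powershell
# Added verification script (not from the original article).
# Assumes the registry-permission GPO has applied and SetADPicture.ps1 has already run.
$usersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'
$sid      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$expected = Join-Path 'C:\ProgramData\AccountPictures' $sid

# 1. Who can write to the key? Full Control for [Domain]\Users is what the GPO grants,
#    so every listed identity can rewrite picture paths for any SID on this machine.
Write-Host "Write access on $usersKey"
(Get-Acl -Path $usersKey).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.RegistryRights -match 'FullControl|SetValue|CreateSubKey' } |
    Select-Object IdentityReference, RegistryRights, IsInherited, InheritanceFlags |
    Format-Table -AutoSize

# 2. Does the per-user subkey exist, and does every Image* value point to a real JPEG
#    inside the folder the logon script writes to?
$userKey = Join-Path $usersKey $sid
if (-not (Test-Path -Path $userKey)) {
    Write-Warning "No AccountPicture subkey for $sid; the logon script has not run or failed."
    return
}
$item = Get-ItemProperty -Path $userKey
$report = foreach ($prop in ($item.PSObject.Properties | Where-Object { $_.Name -like 'Image*' })) {
    $path   = [string]$prop.Value
    $isJpeg = $false
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # A JPEG starts with the SOI marker FF D8; anything else was not written by the script
        $head   = Get-Content -LiteralPath $path -Encoding Byte -TotalCount 2
        $isJpeg = ($head.Count -eq 2 -and $head[0] -eq 0xFF -and $head[1] -eq 0xD8)
    }
    [pscustomobject]@{
        Value          = $prop.Name
        Path           = $path
        InExpectedDir  = $path -like "$expected\*"   # a path elsewhere means the value was changed by hand
        IsJpeg         = $isJpeg
    }
}
$report | Format-Table -AutoSize
```

Run it in the user's own session; reading the ACL and the files needs no elevation. A value whose InExpectedDir or IsJpeg column is False was not produced by SetADPicture.ps1 and deserves a look.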

Running PowerShell Script Using GPO

Now we want SetADPicture.ps1 to run during user logon. It is easier to do it using a logon script of the GPO.

To do it, in User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) create a new logon script that runs the PowerShell script:

The script name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe

The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1

run powershell script via gpo

Important. Copy SetADPicture.ps1 to the netlogon\script\ folder on the domain controller beforehand.

Now link the policy to the relevant OUs, log off and log on to Windows again.

window 10 account picture from active directory

An avatar will be assigned to the user and displayed correctly as the Windows account picture after the next logon.
