In this article we'll show how to get a user photo from Active Directory and use it as the user account picture in Windows (displayed on the logon and lock screens, in the Start menu, etc.). The algorithm works as follows: during user logon, the system retrieves the user's image from the thumbnailPhoto attribute in Active Directory, saves it to disk and sets it as the user account picture. The solution should work on all supported clients: Windows 10, Windows 8 and Windows 7.
Import User Photo to Active Directory
So, first of all, set photos of all AD users by populating a special attribute thumbnailPhoto for every user. We have considered in detail how to do it using PowerShell scripts in the article How to Import User Photo to Active Directory.
Providing Permissions to Users to Change Profile Picture
To let users without administrator privileges change the registry branch in which the path to the user profile picture is stored, you need to grant them permission to edit the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.
It is easier to do it using GPO. Create a new policy and link it to the OU containing user computers.
Then go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new key (Add Key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users.
Then, in the Security tab, check Full Control for all domain users ([DomainName]\Users) and click OK. In the next window, select Replace existing permissions on all subkeys with inheritable permissions; otherwise users won't have any privileges on the subkeys. Keep in mind that, because the permission is set on the parent key, this grants every domain user write access to every other user's subkey as well, not only their own.
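The same permission can be applied on a single test machine with PowerShell before rolling out the GPO. This is an added example, not code from the original article; it assumes it runs elevated, uses $env:USERDOMAIN as [DomainName] and approximates the "replace on subkeys" option by removing explicit entries from existing subkeys and re-enabling inheritance on them.

```powershell
# Added example: grant [DomainName]\Users Full Control (inheritable) on the AccountPicture key,
# mirroring the GPO Registry setting described above. Assumes an elevated session.
$keyPath  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'
$identity = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, 'Users')   # [DomainName]\Users

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$key  = $hklm.OpenSubKey($keyPath, $true)           # $true = open writable
if ($null -eq $key) { $key = $hklm.CreateSubKey($keyPath) }

# Full Control for Domain Users; ContainerInherit makes the per-SID subkeys created later inherit it
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $identity, 'FullControl', 'ContainerInherit', 'None', 'Allow')

$acl = $key.GetAccessControl()
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)

# Approximation of "Replace existing permissions on all subkeys with inheritable permissions":
# drop each existing subkey's explicit entries and let it inherit from the parent again.
foreach ($name in $key.GetSubKeyNames()) {
    $sub    = $key.OpenSubKey($name, $true)
    $subAcl = $sub.GetAccessControl()
    $subAcl.SetAccessRuleProtection($false, $false)   # isProtected=$false: inherit from parent
    foreach ($r in @($subAcl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))) {
        [void]$subAcl.RemoveAccessRule($r)            # explicit (non-inherited) rules only
    }
    $sub.SetAccessControl($subAcl)
    $sub.Close()
}
$key.Close()

# Show the resulting ACL so the change can be reviewed
(Get-Acl -Path "HKLM:\$keyPath").Access | Format-Table IdentityReference, RegistryRights, InheritanceFlags, IsInherited -AutoSize
```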
Script of Getting a User Photo from AD and Setting an Account Picture
Then we need a script that exports the photo of the current user from Active Directory, saves it as a JPG file and sets it as the user account picture. Because the script must also work on Windows 7, where the ActiveDirectory module (and thus the Get-ADUser cmdlet) is not available by default, we query AD with the built-in [ADSISearcher] type accelerator instead.
A sample of SetADPicture.ps1 script is given below:
[CmdletBinding(SupportsShouldProcess=$true)]
Param()

# Returns $true when the value is null/empty (no photo stored in AD)
function Test-Null($InputObject) { return !([bool]$InputObject) }

# Look up the current user in AD via DirectorySearcher (works without the ActiveDirectory module)
$ADuser = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADuser_photo = $ADuser.thumbnailphoto          # raw byte array of the photo
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

If ((Test-Null $ADuser_photo) -eq $false) {
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\ProgramData\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"

    # Per-user subkey; writable by the user thanks to the GPO permission set above
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }

    Try {
        ForEach ($size in $img_sizes) {
            # Hidden per-SID folder holding one copy of the photo per expected size
            $dir = $img_base + "\" + $ADuser_sid
            If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
            $file_name = ([string]::format($img_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            # -Encoding Byte writes the raw bytes (Windows PowerShell; the targets are Windows 7/8/10)
            $ADuser_photo | Set-Content -Path $path -Encoding Byte -Force
            # Registry value ImageNN points Windows at the file for that size
            $name = [string]::format($reg_value_mask, $size)
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry."
    }
}
The script reads the thumbnailPhoto attribute of the current AD user and saves it to C:\ProgramData\AccountPictures\{User SID}. The folder will contain copies of the picture named for the sizes Windows expects: Image32.jpg, Image40.jpg, etc.
The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID} holds the Image32, Image40, ... values that bind those image files to the user's account picture.
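A check a practitioner will want after the logon script has run: does every ImageNN value point to a file in the expected per-SID folder, and is that file actually a JPEG? AD stores thumbnailPhoto as opaque bytes, so a wrongly imported photo is only noticed here. This is an added example, not part of the original article; it assumes the same paths and sizes as SetADPicture.ps1.

```powershell
# Added example: verify the registry values and files SetADPicture.ps1 created for the current user.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\$sid"
$imgDir = "C:\ProgramData\AccountPictures\$sid"
$sizes  = @(32, 40, 48, 96, 192, 200, 240, 448)

if (-not (Test-Path -Path $regKey)) {
    Write-Warning "No AccountPicture key for SID $sid; the logon script has not run or lacked permissions."
    return
}
$props = Get-ItemProperty -Path $regKey

foreach ($size in $sizes) {
    $name = "Image$size"
    $path = $props.$name
    if ([string]::IsNullOrEmpty($path)) { Write-Warning "${name}: registry value missing"; continue }

    # The value must point into the per-SID folder, not to an arbitrary location
    if (-not $path.StartsWith($imgDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "${name}: points outside $imgDir ($path)"; continue
    }
    if (-not (Test-Path -Path $path -PathType Leaf)) { Write-Warning "${name}: file not found ($path)"; continue }

    # Windows expects a JPEG; check the SOI marker FF D8 FF (first three bytes of the file)
    $head   = Get-Content -Path $path -Encoding Byte -TotalCount 3
    $isJpeg = ($head.Count -eq 3 -and $head[0] -eq 0xFF -and $head[1] -eq 0xD8 -and $head[2] -eq 0xFF)
    if (-not $isJpeg) {
        $hex = ($head | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Write-Warning "${name}: $path is not a JPEG (header: $hex)"; continue
    }
    Write-Output ("{0,-9} OK  {1}" -f $name, $path)
}
```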
Running PowerShell Script Using GPO
Now we want SetADPicture.ps1 to run during user logon. The easiest way is a GPO logon script.
To do it, go to User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) and create a new logon policy that runs the PowerShell script:
The script name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1
You just have to link the policy to the specific OUs, then log off and log in to Windows again.
An avatar will be assigned to the user, and it will be correctly displayed as an account picture of the Windows user after the next logon.
3 comments
Hi, I tried all your steps. It works on Windows Server 2016, but the picture doesn't show on a Windows 7 client.
Please advise
You can set up the picture from AD on a Windows 7 client with the help of the tool https://adusertile.codeplex.com/
"Project Description
When you deploy user pictures in AD, using the thumbnailPhoto attribute, and they are visible in the Lync or Exchange address book, they are not by default set on the User Tile in the logon screen or Explorer of Windows 7 or Windows Vista.
This program runs as a GPO startup script, and sets the user tile from Active Directory"
[…] script that we’re going to use was found on this site. You can adjust this code to your needs, or just copy it as it is and paste it into an empty text […]