Windows OS Hub

October 22, 2019 | Active Directory, Group Policies, Windows 10, Windows Server 2016

How to Use AD Photo as User Profile Picture in Windows 10?

Outlook, SharePoint, Skype for Business, Office365 and other Microsoft apps can display the Active Directory (or Azure AD) photo of the currently logged-in user as the user avatar in their interface. In this article, we will show how to use Group Policy and a PowerShell script to set the user photo from Active Directory as the user profile picture (avatar) in Windows 10 (the Windows profile picture is displayed on the Lock Screen, the Welcome Screen, in the Start Menu, etc.).

Our script will work as follows: when a user logs on to Windows 10, a PowerShell script runs; it gets the user’s photo from the thumbnailPhoto user attribute in Active Directory, saves the image file to a local drive and sets this file as the user account picture in the current profile. The solution should work on all supported clients: Windows 10, 8.1, 7 and on RDS hosts running Windows Server 2016/2012 R2.

Contents:
  • How to Set Photo for an Active Directory User?
  • Providing Permissions to Users to Change Profile Picture in Windows
  • PowerShell Script to Get the AD User’s Photo and Set the User Profile Picture in Windows 10
  • Running PowerShell Script to Bind Photos to a Profile Using GPO

How to Set Photo for an Active Directory User?

First of all, set photos for AD users by uploading image files to the thumbnailPhoto user attribute. You can set user photos with third-party tools or with the ActiveDirectory module for Windows PowerShell. Please note that the avatar image file size must not exceed 100 Kb, with an image resolution of up to 96 × 96 pixels. You can set the AD account image for the user jchan as follows:

$photo = [byte[]](Get-Content C:\PS\jchan_photo.jpg -Encoding byte)
Set-ADUser jchan -Replace @{thumbnailPhoto=$photo}

We have considered in detail how to manage AD user photos using PowerShell in the article How to Import User Photo to Active Directory.

Providing Permissions to Users to Change Profile Picture in Windows

In Windows 10 you can set the user account profile picture through the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users. However, non-admin users don’t have the necessary permissions to add values to this registry key. To allow users without administrator privileges to change the profile picture, you must grant them write permissions to this registry key.

It is easier to deploy the registry key permissions in an AD domain using a GPO:

  1. To do this, run the Group Policy Management console (gpmc.msc), create a new policy and link it to the OU with users’ computers;
  2. Then in the GPO editor go to the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new registry key (Add key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users;
  3. Then, in the Security tab, check the Full Control permissions for all domain users ([DomainName]\Users) and click OK;
  4. In the next window, select the option Replace existing permission on all sub keys with inheritable permissions, otherwise users won’t have any privileges for the nested registry subkeys.
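
To confirm on a client that the policy has applied, and to see exactly which accounts can now write under the key, the ACL can be read back with Get-Acl. This is an added example, not part of the original article; the function name Get-KeyWriter and the baseline of SYSTEM and BUILTIN\Administrators are assumptions.

```powershell
# Added example (not from the article): list who can write to the AccountPicture\Users key.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'

# Specific registry rights that allow changing values, subkeys or the ACL itself
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can store raw generic rights instead: GENERIC_ALL, GENERIC_WRITE
$genericMask = 0x10000000 -bor 0x40000000

# Assumption: only SYSTEM and BUILTIN\Administrators are expected to hold write access
$baselineSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-KeyWriter {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Ask for SIDs so the result does not depend on the OS display language
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.RegistryRights
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }

        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        [pscustomobject]@{
            Account        = $name
            Sid            = $sid.Value
            Rights         = $rule.RegistryRights
            Inherited      = $rule.IsInherited
            BeyondBaseline = ($baselineSids -notcontains $sid.Value)
        }
    }
}

Get-KeyWriter -Path $keyPath | Sort-Object BeyondBaseline, Account | Format-Table -AutoSize
```

Rows with BeyondBaseline set to True show the accounts that hold write access in addition to the baseline, which after the GPO should include the group selected in step 3.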

PowerShell Script to Get the AD User’s Photo and Set the User Profile Picture in Windows 10

Next, we need a PowerShell script that gets the photo of the current user from Active Directory, saves it to a jpg file and sets it as the Windows user profile picture. There are two ways to get a user photo from AD. You can use the Get-ADUser cmdlet from the ActiveDirectory module (this module must be installed on all computers via RSAT, or you can just copy the necessary RSAT-AD-PowerShell module files without installing RSAT). Since the script has to be universal and work in Windows 7 as well, we won’t use the RSAT-AD-PowerShell module; instead we will access AD through the [ADSISearcher] type accelerator (the .NET DirectorySearcher class).

An example of the SetADPicture.ps1 script to get a user’s photo from AD and set it as a Windows account avatar picture is given below:

[CmdletBinding(SupportsShouldProcess=$true)]Param()

# Returns $true when the value is null or empty
function Test-Null($InputObject) { return !([bool]$InputObject) }

# Find the current user in AD through ADSI (no RSAT module needed)
$ADresult = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne()
# FindOne() returns $null when the account is not found in AD (for example, a local account)
If ($null -eq $ADresult) { return }
$ADuser = $ADresult.Properties
$ADuser_photo = $ADuser.thumbnailphoto
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

If ((Test-Null $ADuser_photo) -eq $false) {
    # File names and registry value names are built from these sizes
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\Users\Public\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"
    Try {
        # -ErrorAction Stop turns write failures into terminating errors so that Catch runs
        If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key -ErrorAction Stop | Out-Null }
        ForEach ($size in $img_sizes) {
            $dir = $img_base + "\" + $ADuser_sid
            If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
            $file_name = ([string]::format($img_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            # The same thumbnailPhoto bytes are written to every file
            $ADuser_photo | Set-Content -Path $path -Encoding Byte -Force -ErrorAction Stop
            $name = [string]::format($reg_value_mask, $size)
            # Point the ImageNN registry value at the saved file
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force -ErrorAction Stop
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry."
    }
}

The script gets the value of the thumbnailphoto attribute of the current AD user and saves it to the local folder C:\Users\Public\AccountPictures\{User SID}. The folder will contain picture files named for the different resolutions (from 32×32 to 448×448 pixels) used by different Windows 10 interface elements: Image32.jpg, Image40.jpg, etc.

The photos are bound to the user profile through values in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID}.
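
A check for the binding just described, as an added example that is not part of the original article: for every SID subkey it confirms that each ImageNN value still points to a file inside that user's own folder under C:\Users\Public\AccountPictures and that the file starts with a JPEG header. The function names are hypothetical, and the JPEG check assumes the photos are stored as .jpg, as the script's file names suggest.

```powershell
# Added example (not from the article): check the values written under AccountPicture\Users.
$regBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'
$imgBase = 'C:\Users\Public\AccountPictures'

function Test-JpegHeader {
    param([string]$Path)
    # Assumption: pictures are JPEG, which always starts with the bytes FF D8 FF
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 3
        $read = $stream.Read($buf, 0, 3)
        return ($read -eq 3 -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xD8 -and $buf[2] -eq 0xFF)
    }
    finally { $stream.Dispose() }
}

function Test-AccountPictureValue {
    foreach ($key in Get-ChildItem -Path $regBase -ErrorAction SilentlyContinue) {
        $sid = $key.PSChildName
        $expectedDir = (Join-Path $imgBase $sid) + '\'
        foreach ($name in ($key.GetValueNames() | Where-Object { $_ -like 'Image*' })) {
            $raw = [string]$key.GetValue($name)
            # Normalise first so that "..\" segments cannot hide the real location
            try   { $full = [System.IO.Path]::GetFullPath($raw) }
            catch { $full = $null }

            if (-not $full) { $status = 'InvalidPath' }
            elseif (-not $full.StartsWith($expectedDir, [System.StringComparison]::OrdinalIgnoreCase)) { $status = 'OutsideUserFolder' }
            elseif (-not (Test-Path -LiteralPath $full -PathType Leaf)) { $status = 'FileMissing' }
            elseif (-not (Test-JpegHeader -Path $full)) { $status = 'NotJpeg' }
            else { $status = 'OK' }

            [pscustomobject]@{ Sid = $sid; Value = $name; Path = $raw; Status = $status }
        }
    }
}

# Show only the values that do not match what SetADPicture.ps1 would have written
Test-AccountPictureValue | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```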

Running PowerShell Script to Bind Photos to a Profile Using GPO

Now we want to run the SetADPicture.ps1 script when a user logs on to Windows. It is easier to do this using a GPO logon script.

To do this, in the previously created policy, go to User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) and create a new PowerShell logon script:

  • The script name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
  • The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1

Important. The SetADPicture.ps1 script must first be copied to the netlogon\script\ folder on the domain controller.

In the policy settings, enable the GPO loopback processing mode (Computer Configuration -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy Loopback Processing mode = Merge). In this mode, you can apply the policy to the OU with user accounts.

You just have to link the policy to the specific OUs, then log off and log on to Windows again.

To diagnose GPO on target computers, use the gpresult tool and the article “Group Policy not applying”.

An avatar will be assigned to the Windows 10 user profile, and it will be correctly displayed as an account picture in the Start menu, on the Welcome Screen and other places after the next logon. This profile photo assignment guide has been tested on Windows 10 LTSC (1809).

3 comments

Huiwoo November 3, 2017 - 8:26 am

Hi, I tried all your steps. It works on Windows Server 2016, but the picture doesn't show on Windows 7 client.

Please advise

JamD November 17, 2017 - 5:07 am

You can setup picture from AD on Windows 7 client with the help of tool https://adusertile.codeplex.com/

“Project Description

When you deploy user pictures in AD, using thumbnailPhoto attribute, and visible in Lync or Exchange address book, they are not by default set on User Tile in logon screen or explorer of Windows 7 or Windows Vista.
This program runs as GPO startup script, and sets user tile from Active Directory”

elcarter July 28, 2020 - 4:04 pm

Good afternoon, thank you for your collaboration. I am writing to you from Venezuela. The script works perfectly in Windows 10, but I wanted to see if you can help me with something: when starting the session with the user, the profile image loads without problem, but it looks pixelated and does not have the sharpness. I wanted to know if there is an option in the script to make the image look sharper. Thanks in advance, I will be attentive to your comments …
