Outlook, SharePoint, Skype for Business, Office 365 and other Microsoft apps can use the Active Directory (or Azure AD) photo of the currently logged-in user as the user avatar in their interface. In this article, we will show you how to use Group Policy and a PowerShell script to set the user photo from Active Directory as the user profile picture (avatar) in Windows 10 (the Windows profile picture is displayed on the Lock Screen, the Welcome Screen, in the Start Menu, etc.).
Our solution works as follows: when a user logs on to Windows 10, a PowerShell script runs; it reads the user's photo from the thumbnailPhoto attribute of the user object in Active Directory, saves it as an image file on a local drive and sets that file as the account picture of the current profile. The solution should work on all supported clients: Windows 10, 8.1, 7 and on RDS hosts running Windows Server 2016/2012 R2.
How to Set Photo for an Active Directory User?
First of all, set photos for AD users by uploading image files to the special user attribute thumbnailPhoto. You can set user photos using third-party tools or the ActiveDirectory module for Windows PowerShell. Please note that the avatar image file must not exceed 100 KB, with an image resolution of up to 96 × 96 pixels. You can set the AD account image for the user jchan as follows:
$photo = [byte[]](Get-Content C:\PS\jchan_photo.jpg -Encoding byte)
Set-ADUser jchan -Replace @{thumbnailPhoto=$photo}
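The two lines above upload the file as-is, so the size and resolution limits are only satisfied if the source image already meets them. The following added example (not from the original article) scales the source image to 96 × 96, encodes it as a JPEG below the 100 KB limit by lowering the quality step by step, and only then writes it to thumbnailPhoto; it assumes the ActiveDirectory module (RSAT) on the admin workstation and reuses the article's sample path C:\PS\jchan_photo.jpg and account jchan.

```powershell
# Added example (not from the original article): scale a source image to
# 96x96, encode it as JPEG below the 100 KB thumbnailPhoto limit, and upload
# it with Set-ADUser. Needs the ActiveDirectory module (RSAT) on the admin
# workstation. C:\PS\jchan_photo.jpg and jchan are the article's sample values.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Drawing

function ConvertTo-ThumbnailPhoto {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$Size = 96,        # recommended edge length in pixels
        [int]$MaxBytes = 100KB  # size limit of the thumbnailPhoto attribute
    )
    $src = [System.Drawing.Image]::FromFile($Path)
    $bmp = $null
    try {
        # Redraw the source onto a square canvas of the target size
        $bmp = New-Object System.Drawing.Bitmap -ArgumentList $Size, $Size
        $g = [System.Drawing.Graphics]::FromImage($bmp)
        $g.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
        $g.DrawImage($src, 0, 0, $Size, $Size)
        $g.Dispose()
        $jpeg = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |
            Where-Object { $_.MimeType -eq 'image/jpeg' }
        # Lower the JPEG quality step by step until the encoded size fits
        foreach ($quality in 90, 80, 70, 60, 50) {
            $encParams = New-Object System.Drawing.Imaging.EncoderParameters -ArgumentList 1
            $encParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter -ArgumentList ([System.Drawing.Imaging.Encoder]::Quality), ([long]$quality)
            $ms = New-Object System.IO.MemoryStream
            $bmp.Save($ms, $jpeg, $encParams)
            $bytes = $ms.ToArray()
            $ms.Dispose()
            # The leading comma returns the byte[] as one object instead of unrolling it
            if ($bytes.Length -le $MaxBytes) { return ,$bytes }
        }
        throw "Could not encode $Path below $MaxBytes bytes at ${Size}x${Size}"
    }
    finally {
        if ($bmp) { $bmp.Dispose() }
        $src.Dispose()
    }
}

$photo = ConvertTo-ThumbnailPhoto -Path 'C:\PS\jchan_photo.jpg'
Write-Host ("Uploading {0} bytes" -f $photo.Length)
Set-ADUser -Identity jchan -Replace @{ thumbnailPhoto = $photo }
```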
Providing Permissions to Users to Change Profile Picture in Windows
In Windows 10 you can set the user account profile picture through the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users. However, non-admin users don’t have the necessary permissions to add values to this registry key. To allow users without administrator privileges to change the profile picture, you must grant them write permissions to this registry key.
It is easier to deploy the registry key permissions in AD domain using GPO:
- To do this, run the Group Policy Management console (gpmc.msc), create a new policy and link it to the OU with users’ computers;
- Then in the GPO editor go to the following section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new registry key (Add key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users;
- Then, in the Security tab, check the Full Control permissions for all domain users ([DomainName]\Users) and click OK;
- In the next window, select the option Replace existing permission on all sub keys with inheritable permissions, otherwise users won’t have any privileges for the nested registry subkeys.
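Once the policy has applied, it is worth confirming on a client that the ACL really arrived, including the inheritance step above; the following added example (not from the original article) reports whether the group holds Full Control on the key with inheritance enabled and lists existing SID subkeys that lack the rule. Because the GPO grants the whole group Full Control on the parent key, every domain user can write every SID subkey, not only their own; this check reports the rule as deployed and does not narrow it. It assumes the group meant by [DomainName]\Users is Domain Users, and that it is run elevated on a domain-joined client.

```powershell
# Added example (not from the original article): verify on a domain client
# that the GPO-deployed registry permissions arrived. Reports whether the
# principal holds Full Control on the AccountPicture\Users key with
# inheritance to subkeys, and lists existing SID subkeys that lack the rule
# (the "replace existing permissions on all subkeys" option did not apply).
# "Domain Users" is assumed to be the group the article calls [DomainName]\Users.
function Test-AccountPictureAcl {
    param(
        [string]$Principal = "$env:USERDOMAIN\Domain Users",
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'
    )
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    # True when an Allow rule grants the principal Full Control on the key
    # (and, if requested, inherits to subkeys)
    $hasFullControl = {
        param($Acl, $NeedInherit)
        [bool]($Acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Principal -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $full) -eq $full) -and
            ((-not $NeedInherit) -or (($_.InheritanceFlags -band $ci) -eq $ci))
        })
    }
    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ KeyExists = $false; ParentOk = $false; SubkeysMissingRule = @() }
    }
    $parentOk = & $hasFullControl (Get-Acl -Path $KeyPath) $true
    # Each existing per-user SID subkey should carry the rule (inherited or explicit)
    $missing = @(Get-ChildItem -Path $KeyPath | Where-Object {
        -not (& $hasFullControl (Get-Acl -Path $_.PSPath) $false)
    } | ForEach-Object { $_.PSChildName })
    [pscustomobject]@{
        KeyExists          = $true
        ParentOk           = $parentOk
        SubkeysMissingRule = $missing
    }
}

Test-AccountPictureAcl | Format-List
```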
PowerShell Script to Get the AD User’s Photo and Set the User Profile Picture in Windows 10
Then we need to run a PowerShell script that gets the photo of the current user from Active Directory, saves it as a jpg file and sets it as the Windows user profile picture. There are two ways to get a user photo from AD. You can use the Get-ADUser cmdlet from the ActiveDirectory module (this module must be installed on all computers via RSAT, or you can just copy the necessary RSAT-AD-PowerShell module files without installing RSAT). Since the script has to be universal and work in Windows 7 as well, we won't use the RSAT-AD-PowerShell module; instead we will query AD through the .NET DirectorySearcher class, available in PowerShell via the [ADSISearcher] type accelerator.
An example of the SetADPicture.ps1 script to get a user’s photo from AD and set it as a Windows account avatar picture is given below:
[CmdletBinding(SupportsShouldProcess=$true)]
Param()

# Returns $true when the value is empty (no photo stored in AD)
function Test-Null($InputObject) { return !([bool]$InputObject) }

# Look up the current user in AD through DirectorySearcher (no RSAT needed)
$ADuser = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADuser_photo = $ADuser.thumbnailphoto
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

If ((Test-Null $ADuser_photo) -eq $false) {
    # File names Windows looks for; the same photo bytes are written for every size
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\Users\Public\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"
    # Per-user subkey; creating it requires the permissions granted by the GPO above
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }
    Try {
        ForEach ($size in $img_sizes) {
            $dir = $img_base + "\" + $ADuser_sid
            If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
            $file_name = ([string]::format($img_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            $ADuser_photo | Set-Content -Path $path -Encoding Byte -Force
            # Registry value ImageNN -> full path of the saved file
            $name = [string]::format($reg_value_mask, $size)
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry."
    }
}
The script gets the value of the thumbnailphoto attribute of the current AD user and saves it to the local folder C:\Users\Public\AccountPictures\{User SID}. The folder will contain the picture saved under the file names Windows expects for its different resolutions (from 32×32 to 448×448 pixels), used by different Windows 10 interface elements: Image32.jpg, Image40.jpg, etc.
The photos are bound to the user profile via the ImageNN values in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID}, each of which holds the full path of the corresponding file.
Running PowerShell Script to Bind Photos to a Profile Using GPO
Now we want to run the SetADPicture.ps1 script when a user logs on to Windows. The easiest way to do this is a GPO logon script.
To do it, in the previously created policy in the section User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) create a new PowerShell logon script:
- The script name:
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe
- The script parameters:
-Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1
In the policy settings, enable the GPO loopback processing mode (Computer Configuration -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy Loopback Processing mode = Merge). In this mode, you can apply the policy to OU with user accounts.
You just have to link the policy to the specific OUs, then log off and log on to Windows again.
An avatar will be assigned to the Windows 10 user profile, and it will be correctly displayed as an account picture in the Start menu, on the Welcome Screen and other places after the next logon. This profile photo assignment guide has been tested on Windows 10 LTSC (1809).
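When the avatar does not appear after logon, the quickest way to tell a permissions problem from a stale photo is to inspect what the script left behind. The following added example (not from the original article) checks, for the current user, that the SID key exists, that every ImageNN value points to an existing file, and that each file holds the same bytes as the thumbnailPhoto currently stored in AD, using the same ADSISearcher query as the script. It assumes Windows PowerShell 3.0 or later on a domain-joined client.

```powershell
# Added example (not from the original article): after logon, check that the
# binding made by SetADPicture.ps1 is complete for the current user. A file
# whose hash differs from the AD photo means the picture was changed in AD
# after the last logon. Assumes Windows PowerShell 3.0+ on a domain client.
function Test-ProfilePictureBinding {
    param([int[]]$Sizes = @(32, 40, 48, 96, 192, 200, 240, 448))
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\$sid"
    $problems = @()

    # Current photo from AD, hashed so the local files can be compared cheaply
    $expectedHash = $null
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $result = ([ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))").FindOne()
    if ($result -and $result.Properties['thumbnailphoto'].Count -gt 0) {
        $expectedHash = [BitConverter]::ToString($sha.ComputeHash([byte[]]$result.Properties['thumbnailphoto'][0]))
    } else {
        $problems += 'no thumbnailPhoto in AD for this user'
    }

    if (-not (Test-Path -Path $key)) {
        $problems += "registry key missing: $key"
    } else {
        $values = Get-ItemProperty -Path $key
        foreach ($size in $Sizes) {
            $name = "Image$size"
            $path = $values.$name
            if (-not $path) { $problems += "$name value missing"; continue }
            if (-not (Test-Path -LiteralPath $path)) { $problems += "$name file missing: $path"; continue }
            if ($expectedHash) {
                $localHash = [BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($path)))
                if ($localHash -ne $expectedHash) { $problems += "$name differs from the AD photo" }
            }
        }
    }
    $sha.Dispose()
    [pscustomobject]@{
        Sid      = $sid
        Bound    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-ProfilePictureBinding | Format-List
```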
2 comments
Hi, I tried all your steps. It works on Windows Server 2016, but the picture doesn't show on a Windows 7 client.
Please advise.
You can set up the picture from AD on a Windows 7 client with the help of the tool https://adusertile.codeplex.com/
“Project Description
When you deploy user pictures in AD using the thumbnailPhoto attribute, visible in Lync or the Exchange address book, they are not by default set on the User Tile in the logon screen or Explorer of Windows 7 or Windows Vista.
This program runs as a GPO startup script and sets the user tile from Active Directory”