Active Directory user accounts have a special thumbnailPhoto attribute that can be used to store a user’s photo. These photos can be displayed as user avatars in apps such as Outlook, OWA, Word, Excel, Lync/Skype for Business, Teams, SharePoint (and others). These photos can also be used as Windows user account pictures.
The user’s photo is stored in binary form in the thumbnailPhoto attribute. The AD administrator can use PowerShell, the ADUC snap-in with an extension, or third-party tools to upload a JPEG file containing a user photo to this AD attribute. Most apps use the user’s photo from the thumbnailPhoto attribute.
Required AD schema – 2008 or later. The maximum size of a user’s photo in the thumbnailPhoto attribute should not exceed 100KB. However, it is recommended to use a JPEG graphic file with a size of up to 10 KB and a resolution of 96×96 pixels. The size of the AD database file (NTDS.DIT) and replication traffic between domain controllers can increase significantly when using large user photos. To store high-quality images in AD, the jpegPhoto attribute is used (we will not use it in this article).
How to Add/Update a User Photo in AD Using PowerShell
To upload a user’s photo to the thumbnailPhoto AD attribute, use the Set-ADUser cmdlet from the Active Directory for Windows PowerShell module (which is part of the RSAT administration tools). First, convert the graphic image file (JPG, BMP, or PNG format) to binary (byte array) format:
$photo = [byte[]](Get-Content C:\PS\jkuznetsov_photo.jpg -Encoding byte)
Then upload a photo to the AD user attribute:
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=$photo}
Also, you can do the same with a PowerShell one-liner:
Set-ADUser jkuznetsov -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\ps\jkuznetsov_photo.jpg" -Encoding byte))}
Once the directory replication is complete (and the GAL is updated in the case of Exchange), the user’s photo from the Active Directory will be displayed in Outlook, Lync, OWA, etc.
Open the user properties in the Active Directory Users and Computers (ADUC) console, go to the Attribute Editor tab, and check that the thumbnailPhoto attribute now contains a value.
By default, photos can be uploaded to Active Directory by the users themselves or by an administrator. You can grant other users or groups the privileges to update thumbnail photos in AD using the Delegation of Control wizard (grant the Write thumbnailPhoto permission).
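To review the result of such a delegation, the following added example (not part of the original article) lists the allow ACEs on a container that grant write access to thumbnailPhoto, whether directly, through the attribute's property set, or through a write-all-properties grant. The OU distinguished name is a placeholder assumption; the attribute GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example: who can write thumbnailPhoto under a given OU?
Import-Module ActiveDirectory

$TargetDN = 'OU=Staff,DC=example,DC=com'   # assumption: placeholder, use your own OU

# Look up the attribute's schemaIDGUID and (if set) its property-set GUID
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
            -Properties schemaIDGUID, attributeSecurityGUID
$attrGuid    = [guid]$attr.schemaIDGUID
$propSetGuid = if ($attr.attributeSecurityGUID) { [guid]$attr.attributeSecurityGUID } else { $null }

# An ACE covers the attribute if its ObjectType is the attribute itself,
# the property set containing it, or the empty GUID (all properties)
$matchGuids = @([guid]::Empty, $attrGuid, $propSetGuid) | Where-Object { $null -ne $_ }
$write      = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $write) -and   # also true for GenericWrite / GenericAll
        ($matchGuids -contains $_.ObjectType)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'Scope'; Expression = {
            if     ($_.ObjectType -eq $attrGuid)      { 'thumbnailPhoto only' }
            elseif ($_.ObjectType -eq [guid]::Empty)  { 'all properties' }
            else                                      { 'property set' }
        } } |
    Sort-Object Scope |
    Format-Table -AutoSize
```

The output does not filter on InheritedObjectType, so some ACEs listed may apply to object classes other than users; check that column on any unexpected entry.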
If you need to bulk import photos to multiple AD users at once, prepare a comma-separated CSV file with a list of user accounts and paths to JPG files in the following format:
AD_username, Photo
asmith, C:\PS\asmith.jpg
[email protected], C:\PS\klinton.jpg
jkuznetsov, C:\PS\jkuznetsov.png
The following PowerShell one-liner imports a list of users from a CSV file and updates their photos in Active Directory:
Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}
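The one-liner writes whatever bytes each path yields into the directory. As an added example (not from the original article), the variant below checks every file before the write: it must exist, stay within the 100KB limit mentioned earlier, and start with a JPEG header. It reads the file with ReadAllBytes, which works in both Windows PowerShell and PowerShell 6+. Accepting only JPEG is a choice of this example; the function name is hypothetical, and the CSV path and column names follow the article.

```powershell
# Added example: bulk import with per-file validation and a result report
Import-Module ActiveDirectory

$MaxBytes = 100KB   # upper limit the article gives for thumbnailPhoto

function Get-ValidatedPhotoBytes {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop      # throws if missing
    if ($file.Length -gt $MaxBytes) {
        throw "file is $($file.Length) bytes, limit is $MaxBytes"
    }
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
    # JPEG data starts with the SOI marker FF D8, followed by FF
    if ($bytes.Length -lt 3 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8 -or $bytes[2] -ne 0xFF) {
        throw 'not a JPEG (missing FF D8 FF header)'
    }
    ,$bytes   # leading comma keeps the byte[] from being unrolled
}

$report = foreach ($row in Import-Csv 'C:\PS\import.csv') {
    $result = 'updated'
    try {
        [byte[]]$photo = Get-ValidatedPhotoBytes -Path $row.Photo
        Set-ADUser -Identity $row.AD_username -Replace @{ thumbnailPhoto = $photo } -ErrorAction Stop
    }
    catch {
        # Validation failures and AD errors both land here; the row is skipped
        $result = "SKIPPED: $($_.Exception.Message)"
    }
    [pscustomobject]@{ User = $row.AD_username; Photo = $row.Photo; Result = $result }
}

$report | Format-Table -AutoSize
```

Adding -WhatIf to the Set-ADUser call turns the run into a dry run that still performs all file checks.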
To find AD users who are missing a photo, run:
Get-ADUser -Filter * -properties thumbnailPhoto | ? {(-not($_.thumbnailPhoto))} | select Name
If you need to save a user’s photo from AD and export it to a JPG image file, first select the account using Get-ADUser:
$ADuser = Get-ADUser jkuznetsov -Properties thumbnailPhoto
Then save the byte value of the thumbnailPhoto attribute to a JPG file:
$ADuser.thumbnailPhoto | Set-Content c:\PS\jkuznetsov.jpg -Encoding byte
Import User Photos to Exchange with PowerShell or Outlook Web Access
If you have deployed an on-prem Exchange Server 2019, 2016, or 2013, you must use the Set-UserPhoto cmdlet instead of Set-ADUser to upload pictures. The cmdlet imports the photo into the user’s mailbox and updates the thumbnailPhoto attribute.
If used in PowerShell scripts, you must first load the Exchange Management Shell (EMS) module.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
Set-UserPhoto -Identity jkuznetsov -PictureData ([System.IO.File]::ReadAllBytes("C:\PS\jkuznetsov_photo.jpg")) -Confirm:$False
To remove a thumbnail photo from Active Directory, use the command:
Remove-UserPhoto -Identity jkuznetsov
Import-RecipientDataProperty -Identity jkuznetsov -Picture -FileData ([Byte[]] $(Get-Content -Path "C:\PS\jkuznetsov_photo.jpg" -Encoding Byte -ReadCount 0))
To upload user photos to AD in Exchange Online (Microsoft 365), you must use the new Microsoft Graph cmdlet instead of Set-UserPhoto.
Set-MgUserPhotoContent -UserId <userId> -Infile "C:\ps\[email protected]"
Users can also change their profile photos via Outlook Web Access (OWA). Open your mailbox via OWA, click on your account in the top right corner, select Edit information -> Photo -> click the Change button, and specify the path to the jpeg file containing the user photo.
Adding a Photo Tab to the Active Directory Users and Computers Console
For those unfamiliar with PowerShell, third-party graphical tools can be used to upload and manage user photos in AD. CodeTwo Active Directory Photos and AD Photo Edit are the most popular tools for AD photo management. However, many sysadmins are wary of using third-party software to make changes to AD because of security concerns.
I prefer using a small AdExt.dll library that adds a separate tab for uploading a photo directly to the ADUC console. You can download the AdExt.dll library here – AdExt-dll-ADUC.zip
To register the library, open a command prompt as an administrator and change to the .Net Framework directory:
- Windows x86 :
cd %WinDir%\Microsoft.NET\Framework\v2.0.50727
- Windows x64 :
cd %WinDir%\Microsoft.NET\Framework64\v4.0.30319
Install the library using the command:
InstallUtil.exe c:\ps\ad\AdExt.dll
Restart the ADUC snap-in (dsa.msc) and then open the properties of any user. A new Photo tab should appear in the console, allowing you to add or remove a user’s profile picture.
To remove (unregister) the AdExt.dll library, run the command:
InstallUtil.exe /u c:\ps\ad\AdExt.dll
The AdExt.dll provides two ways to upload photos from the Photo tab:
- Upload a photo to the thumbnail attribute. The image file is automatically reduced to a resolution of 96 x 96 pixels with a maximum size of 10 KB.
- jpegPhoto – allows you to upload a good quality image to the jpegPhoto attribute (rarely used).
14 comments
Well articulated.
Thank you for sharing this informative post.
By the way, one can also check out this free Lepide AD bulk image editor tool which helps to manage such AD tasks without having any interruption.
great!
so, if I need to change a hundred users, how can I do it?
Read section “Bulk Import pictures to AD”.
You need to prepare a csv file with two columns: login AD user and path to jpg file with photo
Then you can set up photo for this list of users using one command:
Import-Csv C:\PS\import.csv |%{Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))}}
Be advised, copycat sighted:
_https://techedge.nl/2017/12/10/how-to-import-user-photo-to-active-directory-using-powershell/
Thanks for the info, but there is no legal means to protect against such a copycatting 🙁
Hi, I know this is an old post but really appreciate the info.
What AD permissions are minimum to allow this photo change? I don’t want the person doing the work to be a domain admin for example.
Thanks
For a non-admin user to be able to modify the photos of other users in AD, you must delegate the Write thumbnailPhoto permission. (Check the property-specific checkboxes “Read thumbnailPhoto” and “Write thumbnailPhoto” on the Permissions of the AD delegation wizard)
In newer and current versions of PS, ‘-Encoding byte’ is not valid anymore. So, unfortunately, this script won’t run.
Doesn’t want to work for me. I’m installing on Windows 10 21H1 using an elevated cmd.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>InstallUtil.exe c:\ps\ad\AdExt.dll
Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0
Copyright (C) Microsoft Corporation. All rights reserved.
Exception occurred while initializing the installation:
System.IO.FileLoadException: Could not load file or assembly ‘file:///c:\ps\ad\AdExt.dll’ or one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515).
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>
Mine Installed with no errors but the Tab is not showing. I am also showing the Advanced features under ADUC. My ADUC is a feature on demand version, not sure if that matters for this or not.
thank you very much 😡
that was supposed to be a kiss face not an angry face lol
For PS6 and above, replace ‘-Encoding byte’ with ‘-AsByteStream’
We use an application called Active Directory Photos, by CodeTwo. It is free and works great. I have been using it for several years now.