Managing User Photos in Active Directory

Active Directory has a few binary attributes associated with users that allow you to store their images as binary data.  These attributes are called “thumbnailPhoto” (http://msdn.microsoft.com/en-us/library/cc221395(v=prot.10).aspx) and “jpegPhoto” (https://msdn.microsoft.com/en-us/library/cc221100.aspx).    The “thumbnailPhoto” attribute is limited to 100K while the “jpegPhoto” attribute is technically unlimited (though it’s good to keep those images small).   The existence of two attributes can be confusing when managing user photos in Active Directory

Outlook/Exchange Server and Lync both make use of “thumbnailPhoto” to display images which can be a friendly way to know what the person looks like who you’re sending that friendly email or IM.  You can also use either attribute to populate one’s Windows Start menu and login screen images.  Sharepoint can be configured to make use of either attribute.

Managing User Photos in Active Directory:  The Old Way

Today, by default, Microsoft Server OS tools including Active Directory Users and Computers (ADUC) and ADSI Edit do not include a way to choose images to populate for these attributes.  A cursory google search gives us some free and relatively inexpensive tools and ad hoc scripts to upload photos for oneself but these tools generally don’t allow you to delegate this work to other users (like HR or even empowering users to manage their own photos) without some work.  If you can get them to work to delegate the job they still require a software download and install (and license purchase if it’s not free) for each user you want to enable to manage these images.  These are not web-based tools.

Another alternative in getting these images in would be to write powershell scripts:  this requires coding and is not delegation friendly.

Web Active Directory’s Script-less Alternative

Web Active Directory’s PeopleUpdate and PeopleSearch allows you to display images for your users either from disk (using an Active Directory attribute you specify to point to the file location or URL of the image) or from either of the two attributes “thumbnailPhoto” or “jpegPhoto”.  PeopleUpdate allows you to manage and/or delegate the management of these images from the same friendly web-based GUI that allows you to manage any other LDAP attribute.  This means you can see and edit these attributes at the user level yourself or delegate this job to whom you choose all without a software install on anyone’s end.