The thumbnailPhoto Active Directory Attribute Explained

November 3, 2010 — 35 Comments

There seems to be a bit of confusion and general lack of good information on the web regarding the thumbnailPhoto Active Directory attribute that Outlook 2010 uses to show user/contact pictures. As I’m making a program that lets you upload images to this attribute (see this post) I have learnt a fair bit about it and thought I would just clear up a few things.

1. The thumbnailPhoto attribute size limit is not 10 KB. It is 100 KB (the attribute’s rangeUpper in the schema is 102,400 bytes) and it always has been since the attribute was introduced in Windows 2000 Active Directory. Note that the PowerShell cmdlet that comes with Exchange 2010 (Import-RecipientDataProperty) refuses to upload an image larger than 10 KB; that is a limit of the cmdlet, not of the directory (my AD Photo Edit application does not have this limitation). Do bear in mind, though, that whatever you store is replicated to every domain controller, and to every Global Catalog server if the attribute is in the partial attribute set, so a 100 KB photo on every user is a real cost and small JPEGs are the sensible choice.

2. You don’t need Exchange 2010 to make use of the Outlook 2010 user photos feature. You only need Outlook 2010 and a forest that has had its schema extended to the Windows Server 2008 version or later. This does not mean you need any 2008 domain controllers or even any 2008 servers in your domain (but you will need a Windows Server 2008 disc to run adprep /forestprep from to extend the schema).

3. You don’t necessarily have to go and modify the thumbnailPhoto attribute in the AD schema to make it replicate to the Global Catalog like most articles seem to insist. This is only required if you have more than one domain in your forest. The reason: in a single-domain forest every Global Catalog server is also a domain controller for that one domain, so it already holds every attribute of every user, and Outlook’s GC query will find the photo whether or not the attribute is in the partial attribute set. With several domains, a GC only holds the partial attribute set for users from the other domains, so thumbnailPhoto has to be in that set (isMemberOfPartialAttributeSet = TRUE on its attributeSchema object) before photos of users in other domains will show up.

4. It is possible for regular (non-admin) users to update their own photo and also for a regular user to update other users’ photos (you might want your HR people to do this, for example). I’ll explain how to make the latter possible in a minute, but first let’s look at how a user can update their own photo.
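Before relying on any of the above in your own forest, it is worth checking it rather than trusting a blog post (mine included). The following is an added example written for this page, not part of the original post or of AD Photo Edit; it reads the facts behind points 1 to 3 straight out of the schema with the .NET DirectoryServices classes that come with Windows, so it needs no RSAT module and only the read access every domain user already has. It assumes it is run on a domain-joined machine.

```powershell
# Added example, not code from the original post or from AD Photo Edit.
# Read-only check of points 1-3 against your own forest, using the .NET
# DirectoryServices classes built into Windows (no RSAT module needed).
# Assumes a domain-joined machine; any domain user can read the schema.

function Get-ThumbnailPhotoSchemaFacts {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = $rootDse.schemaNamingContext.Value

    # Point 2: objectVersion on the schema container is the forest schema version.
    # 13 = Windows 2000, 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2,
    # 56 = 2012, 69 = 2012 R2, 87 = 2016, 88 = 2019.
    $schemaVersion = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value

    # Points 1 and 3: the attributeSchema object for thumbnailPhoto itself.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $searcher.Filter = '(&(objectClass=attributeSchema)(lDAPDisplayName=thumbnailPhoto))'
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('rangeUpper', 'isMemberOfPartialAttributeSet', 'schemaIDGUID'))
    $attr = $searcher.FindOne()
    if (-not $attr) {
        throw 'thumbnailPhoto not found in the schema (it has existed since Windows 2000, so suspect connectivity)'
    }

    # rangeUpper is the hard size limit the DC enforces on writes: 102400 bytes = 100 KB.
    $rangeUpper = [int]$attr.Properties['rangeupper'][0]

    # Whether the attribute is in the partial attribute set (i.e. replicated to every GC).
    $inGc = $false
    if ($attr.Properties.Contains('ismemberofpartialattributeset')) {
        $inGc = [bool]$attr.Properties['ismemberofpartialattributeset'][0]
    }

    # Point 3 only matters when a GC has to serve users from a domain other than its own.
    $domainCount = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains.Count

    [pscustomobject]@{
        SchemaVersion       = $schemaVersion
        SchemaIs2008OrLater = ($schemaVersion -ge 44)
        RangeUpperBytes     = $rangeUpper
        RangeUpperKB        = [math]::Round($rangeUpper / 1KB)
        InGlobalCatalog     = $inGc
        DomainsInForest     = $domainCount
        NeedGcReplication   = ($domainCount -gt 1) -and (-not $inGc)
        SchemaIDGUID        = [guid]$attr.Properties['schemaidguid'][0]
    }
}

Get-ThumbnailPhotoSchemaFacts | Format-List
```

If NeedGcReplication comes back True you are in the multi-domain case from point 3 and do need the "Replicate this attribute to the Global Catalog" change; if it is False, skip it.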

User Updating Their Own Photo

Users have permission to update their own thumbnailPhoto attribute by default (the default security descriptor for user objects grants SELF write access to the Personal Information property set, which thumbnailPhoto belongs to), so if you installed my AD Photo Edit program on their PC they would be able to use it to update their own photo (and no one else’s, because they would just get an access denied error if they tried). Of course for the average end user this may be a little over-complicated, because all they basically want to do is select an image file, click a button and have it automatically select their account and upload the image. So if enough people request it then I may make a special version of AD Photo Edit that is aimed specifically at end users and simply lets them select an image (and you would be able to limit the size of the image they could choose, or have it automatically resize the image) and then uploads it to their account. If you think this would be worth making, let me know – cwright@cjwdev.co.uk
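For anyone who wants the "pick a file and click" experience without waiting for a special edition of AD Photo Edit, here is an added example (written for this page, not code from the original post or from the program) of a user writing their own photo with plain ADSI, relying on the default SELF permission just described. It checks the 100 KB limit and the JPEG header before writing, binds to the caller’s own account by SID so it cannot be pointed at someone else, and reads the result back. The photo path is an assumption.

```powershell
# Added example, not the post's AD Photo Edit program: a self-service upload a
# non-admin user can run to set their own thumbnailPhoto, relying on the default
# SELF write permission. Built-in ADSI classes only; no RSAT module.
# The photo path at the bottom is an assumption.

function Test-ThumbnailPhotoBytes {
    param([byte[]]$Bytes, [int]$MaxBytes = 102400)   # 102400 = the attribute's rangeUpper (100 KB)
    if (-not $Bytes -or $Bytes.Length -lt 4) { throw 'Empty or truncated file' }
    if ($Bytes.Length -gt $MaxBytes) {
        throw "Image is $($Bytes.Length) bytes; the directory caps thumbnailPhoto at $MaxBytes"
    }
    # Outlook/Exchange tooling expects JPEG. Refuse anything else rather than storing
    # bytes the clients cannot render. A JPEG starts with the SOI marker FF D8.
    if ($Bytes[0] -ne 0xFF -or $Bytes[1] -ne 0xD8) {
        throw 'Not a JPEG (missing FF D8 start-of-image marker)'
    }
    return $true
}

function Get-OwnDirectoryEntry {
    # Bind to the caller's own object via the SID in their logon token:
    # no name lookup, no admin rights, and no way to aim it at another account.
    $mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [ADSI]"LDAP://<SID=$mySid>"
}

function Set-OwnThumbnailPhoto {
    param([Parameter(Mandatory)][string]$PhotoPath)
    $bytes = [System.IO.File]::ReadAllBytes($PhotoPath)
    $null  = Test-ThumbnailPhotoBytes -Bytes $bytes

    $me = Get-OwnDirectoryEntry
    try {
        $me.psbase.Properties['thumbnailPhoto'].Value = $bytes
        $me.psbase.CommitChanges()
    }
    catch [System.UnauthorizedAccessException], [System.DirectoryServices.DirectoryServicesCOMException] {
        # This is the "General access denied" error the post shows: SELF's default
        # write right has been removed or denied on this account.
        throw "Access denied writing thumbnailPhoto on $($me.distinguishedName): $($_.Exception.Message)"
    }
    "Wrote $($bytes.Length) bytes to $($me.distinguishedName)"
}

function Get-OwnThumbnailPhotoSize {
    # Read back what the DC actually stored so the user can confirm the write landed.
    $me = Get-OwnDirectoryEntry
    $me.psbase.RefreshCache([string[]]@('thumbnailPhoto'))
    $photo = $me.psbase.Properties['thumbnailPhoto'].Value
    if ($photo) { ([byte[]]$photo).Length } else { 0 }
}

Set-OwnThumbnailPhoto -PhotoPath "$env:USERPROFILE\Pictures\me.jpg"   # path is an assumption
Get-OwnThumbnailPhotoSize
```

Because the bind is by the caller’s own SID, handing this script to end users does not give them anything the default permissions did not already allow; the size and format checks are what stops someone "helpfully" uploading a 5 MB photo that every domain controller then has to replicate.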

User Updating Other User’s Photos

You might decide that you don’t want the IT department to be responsible for uploading and updating everyone’s photos in AD, so it might be necessary for a regular user (such as a member of HR) to update other users’ photos. This requires some minor permissions changes, which are outlined below, and then it’s just a case of getting the user who is going to be updating the photos to run a program that can upload images into the thumbnailPhoto attribute – yes, I’m going to plug it one more time: my AD Photo Edit program is ideal for this :)

So what are the permissions changes that are required? Well, first of all I would suggest creating a new security group for this and then adding the relevant user(s) to it, rather than granting an individual user these permissions, as this makes it easier to manage (and audit) in the future. In this example we will assume you have a group named PhotoEditors and this contains all of the users that should be allowed to edit other users’ photos.

First of all, let’s see what happens when we log on as a user that is a member of our PhotoEditors group and try to update someone else’s picture. We get a “General access denied” error:

image

So now we need to go into Active Directory Users and Computers and find the OU that contains all of the users we want the PhotoEditors group members to be able to edit photos for (the permissions changes will apply to sub-containers/sub-OUs as well by default, so pick the narrowest OU that covers the right users). Once you have located the OU, make sure you have Advanced Features visible by going to the View menu and making sure Advanced Features is ticked:

image

Now with that enabled, right click on the OU you wanted to apply these permissions to and select Properties, then click the Security tab (this is not visible if you do not have Advanced Features enabled).

image

Click the Advanced button at the bottom of the window and then click the Add button in the new window that appears. Enter the name of your group that contains all of the users that should be allowed to edit photos for users in this OU, and then click OK.

In the new window that appears click the Properties tab and then change the “Apply onto” drop-down to “User objects”:

image

Now in that same window scroll all the way down the permissions list until you see “Write thumbnailPhoto”, put a check in the Allow box for this permission and then click OK. Grant only this one attribute: do not be tempted to tick “Write all properties” (or “Write Personal Information”) instead, as that would let the group rewrite far more of each account than just the picture.


image

Note that if you only want these permissions to apply to users directly in this OU and not in sub-OUs then you can tick the “Apply these permissions to objects and/or containers within this container only” box at the bottom of this window before clicking OK.

Click OK out of any other permissions editor windows that are still open and that’s it. Now if we go back and try updating another user’s photo as that same user account we used before (that is a member of our PhotoEditors group) we can see that we no longer get a permissions error:

image

and just to confirm the image was successfully updated, let’s open Outlook and view an email from the user we just modified:

image

And there’s our lovely updated sunset photo!

So as you can see, it is really quite easy to allow regular non-admin users to modify photos for other users… so hopefully that gets some of you out of hours of boring photo uploading :P
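The same delegation, done from PowerShell rather than by clicking through the ACL editor. This is an added example written for this page, not code from the original post or from AD Photo Edit. It creates the ACE the screenshots produce (Allow, Write Property on the thumbnailPhoto attribute, applied to descendant User objects, for the PhotoEditors group), looks the attribute and class GUIDs up in the schema instead of hard-coding them, and then reads the OU’s ACL back so you can confirm nothing broader was granted. The OU distinguished name OU=Staff,DC=corp,DC=example, the NetBIOS domain name CORP and the group name are assumptions; run it as an account that is allowed to modify the OU’s security descriptor.

```powershell
# Added example, not code from the original post: the delegation the screenshots
# walk through, done from PowerShell so it is repeatable and can be kept in source
# control. Uses only the .NET DirectoryServices classes built into Windows.
# The OU DN, domain NetBIOS name and group name are assumptions.

$OuDn       = 'OU=Staff,DC=corp,DC=example'   # assumption: the OU holding the users
$Group      = 'CORP\PhotoEditors'             # assumption: the group from the post
$ThisOuOnly = $false   # $true mirrors the "within this container only" tick box

function Get-SchemaIdGuid {
    # Look GUIDs up at run time rather than hard-coding them.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC")
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    $null = $searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No schema object with lDAPDisplayName $LdapDisplayName" }
    [guid]$result.Properties['schemaidguid'][0]
}

function Add-ThumbnailPhotoWriteAce {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Group,
        [bool]$ThisOuOnly = $false
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Object type = the single attribute being granted (the "Write thumbnailPhoto" row).
    $attrGuid = Get-SchemaIdGuid -LdapDisplayName 'thumbnailPhoto'
    # Inherited object type = the user class (the "User objects" choice in "Apply onto").
    $userClassGuid = Get-SchemaIdGuid -LdapDisplayName 'user'

    # Descendents = this OU and all sub-OUs; Children = direct children of this OU only.
    $inheritance = if ($ThisOuOnly) {
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children
    } else {
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        $inheritance,
        $userClassGuid
    )

    $ou = [ADSI]"LDAP://$OuDn"
    $ou.psbase.ObjectSecurity.AddAccessRule($ace)
    $ou.psbase.CommitChanges()   # writes nTSecurityDescriptor; needs WRITE_DAC on the OU
}

function Get-ThumbnailPhotoWriteAces {
    # Read the ACL back and show exactly what is granted on this attribute, and to whom.
    param([Parameter(Mandatory)][string]$OuDn, [string]$Group)
    $attrGuid = Get-SchemaIdGuid -LdapDisplayName 'thumbnailPhoto'
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $attrGuid -and
                       (-not $Group -or $_.IdentityReference.Value -eq $Group) } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, InheritedObjectType, IsInherited
}

Add-ThumbnailPhotoWriteAce -OuDn $OuDn -Group $Group -ThisOuOnly $ThisOuOnly
Get-ThumbnailPhotoWriteAces -OuDn $OuDn -Group $Group | Format-List
```

The read-back at the end should show a single Allow entry with ActiveDirectoryRights of WriteProperty, ObjectType equal to the thumbnailPhoto GUID and InheritedObjectType equal to the user class GUID. If you see anything else for that group (WriteProperty with an empty ObjectType, GenericWrite, and so on), someone has granted more than a picture. The equivalent one-liner with the built-in dsacls tool is dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\PhotoEditors:WP;thumbnailPhoto;user".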


I’ll put another post up when AD Photo Edit is finished and available for public download… should be early next week.

As always, would love to hear any feedback you have on either the program or anything else mentioned in this post :)

35 responses to The thumbnailPhoto Active Directory Attribute Explained

  1. 

    Picture (thumbnailPhoto) is part of the Personal Information property set in AD (http://technet.microsoft.com/en-us/library/cc755430(WS.10).aspx). The default security descriptor for user (http://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx) allows SELF to write to Personal Information (OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS). So by default, users should be able to write to their own picture.

    • 

      I originally thought they could as well, but trust me a standard user cannot edit their thumbnailPhoto attribute (annoyingly). Try it yourself if you don’t believe me :)

      • 

        I’ve tried it on many installs of Active Directory. I haven’t seen a case where you can’t. You’d have to validate what the SELF ACE on the user is set to and what you have in Personal Information property set. I’ve been designing and running AD for 10 years. Trust me :)

  2. 

    Hmm well I’m going to have to have a look into this tonight, as I originally thought that you could do it as a normal user but then someone sent me an email saying that this was not the case and when I tried it I found that they were correct – I just got access denied. When I looked at the SELF ACE on a user I found they did not have “Write thumbnailPhoto” allowed so I updated this blog post to say that you can’t do it by default. I’ll have another look tonight though…

  3. 

    Well it looks like you were right! :) I just tried updating a user’s own photo whilst logged in as them and it worked fine. I’m just puzzled as to why I got access denied when I tested it before and why someone else emailed me to say it was not possible as well… Anyway I’ll do a little more testing and then update the blog post. Thanks :)

  4. 

    There is also an attribute “thumbnailLogo”. What is this for?

    • 

      Is there? I’ve never heard of that and I can’t see it on MSDN anywhere. Regardless though, there are loads of attributes in AD that simply don’t get used by anything so it could just be another one that Microsoft and third party developers never found a use for

  5. 

    I used AD Photo Edit to update my photo. But the old photo came back the next day. I guess it is something related to your #3 above (“You don’t necessarily have to go and modify the thumbnailPhoto attribute in the AD schema…”)
    Specifically, what do I need to do to modify the attribute in the AD schema so that my old photo won’t come back?

    • 

      Hi Lee,

      Strange that you should mention that as someone else emailed me today with the same problem (some of their photos are disappearing completely after a few days). I’m afraid I have no idea why this is happening but I can assure you it is nothing to do with my program, there is no way it can “accidentally” remove or replace photos without you specifically telling it to. If you do have multiple domains and haven’t done the schema modification mentioned here then you should do it but I don’t think that would cause this problem to be honest: http://blogs.technet.com/b/exchange/archive/2010/03/10/gal-photos-in-exchange-2010-and-outlook-2010.aspx

      There is nothing special that you should need to do for the photos to stay there permanently, the thumbnailPhoto attribute is no different to any other attribute on your user account. As far as I can see, the only way it could be changed without you changing it is either A) someone else changing it, or B) replication problems in your AD causing the new value to get overwritten with an older value from another DC

      Sorry I can’t be of more help

  6. 

    Hi there, first up – great little app! :)
    One question: I want to disable users from being able to change their own pictures in AD. Do you know where the permission is defined to allow users to change their own picture?

    • 

      Hi Adam,
      I’m not sure off the top of my head where it is defined, but you could always just deny that permission to the “SELF” security principal (SELF represents the user account that it is applied to) for all accounts in a specific OU and this should override the default allow permission and stop users being able to modify their own thumbnailPhoto attribute

  7. 

    Does anyone know if it is possible to point to a location on the network for the jpg picture? I do not like the idea of increasing the size of the AD database file.

    • 

      I’m pretty sure that’s not possible (assuming you are talking about Outlook 2010). I wouldn’t worry about increasing the size of your AD database, as long as you don’t put huge images in there you’ll be fine.

  8. 
    Kevin Mierkiewicz January 9, 2013 at 19:53

    I have a 2010 Exchange RU3, 2003 DC environment. I have done all the steps listed and still cannot see the photo in Outlook. Strangely I can see photos on iPhones, iPads, and Outlook for Mac. Just not Outlook 2010 on PCs. One thing to note is I am running NLB for 2 Hub Transport servers. Does this work through NLB? Will upgrading to RU5 be the fix for me? Any help is greatly appreciated.

    • 

      I’m afraid I can’t help with that – AD Photo Edit just uploads the photo into Active Directory, and if iPads etc. can view it then my program must have done its job correctly, as the photo must be in AD for the iPad to download it. If Outlook is not displaying the photo then all I can suggest is double checking you’ve done everything that the Exchange team mention in their blog here: http://blogs.technet.com/b/exchange/archive/2010/03/10/3409495.aspx
      and if it’s still not working I’d suggest asking on the Outlook forums and failing that put in a support call to Microsoft. Sorry I can’t be of more help.

    • 

      Kevin, we experienced exactly the same with no pictures appearing.
      Then, for something else entirely, we updated our AD schema to 2008 and they appeared overnight!
      HTH,
      Phil

  9. 

    I’m writing an application that uses the thumbnailPhoto attribute also, and was wondering if there is a way to check if the AD schema has been extended (or that the thumbnailPhoto attribute exists) prior to adding a photo?

    I tried using:
    result.Properties.Contains("thumbnailPhoto")
    but it only returns TRUE if the thumbnailPhoto attribute is set to a value. If it exists but is Null (the default) then I get FALSE which makes it hard to tell if the attribute actually exists.

    BTW, thanks for all the good info, I’ve found your site to be very helpful with regard to VB.NET and AD programming.

    • 

      Well you don’t need to check to see if it exists because it has existed in every version of AD that has ever been included in Windows :) If you do ever need to check for an attribute existing though you can use the FindProperty method: http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.activedirectoryschema.findproperty(v=vs.100).aspx
      I’ve not used it personally, but I use the FindAllProperties method in a couple of my programs where the user has to select an LDAP attribute, like so:
      ' Requires: Imports System.DirectoryServices.ActiveDirectory
      ' DomainInfo.GetDomainContext / GetForestContext are the author's own helpers that build a DirectoryContext
      Public Shared Function GetAllAttributeNamesFromSchema(DomainName As String, Username As String, Password As String) As List(Of String)
          Dim PropertyList As New List(Of String)
          Using SelectedDomain As Domain = Domain.GetDomain(DomainInfo.GetDomainContext(DomainName, Username, Password))
              Using DomainForest As Forest = Forest.GetForest(DomainInfo.GetForestContext(SelectedDomain.Forest.Name, Username, Password))
                  ' FindAllProperties returns every attributeSchema object in the forest schema
                  Dim LdapProperties As ReadOnlyActiveDirectorySchemaPropertyCollection = DomainForest.Schema.FindAllProperties()
                  For Each LdapProperty As ActiveDirectorySchemaProperty In LdapProperties
                      PropertyList.Add(LdapProperty.Name)
                  Next
              End Using
          End Using
          Return PropertyList
      End Function

      • 

        Ok, I was under the impression that it required the schema to be extended to 2008 R2. But maybe that’s just a requirement for Exchange.

        Thanks for the info.

        • 

          Yeah that’s just an Outlook 2010 requirement. In fact the very first point on this blog post you’re commenting on says it was introduced in Windows 2000 :)
          The thumbnailPhoto attribute size limit is not 10 KB. It is 100 KB and it always has been since it was introduced in Windows 2000 Active Directory

  10. 

    Hi,

    I did not understand point 3 mentioned early in your article. In my case, if I have more than one domain and want the thumbnail photo to be viewable for users in the other domain, what shall I do?

    Also let me know whether the thumbnailPhoto attribute will replicate to GCs by default or not.

    3. You don’t necessarily have to go and modify the thumbnailPhoto attribute in the AD schema to make it replicate to the Global Catalog like most articles seem to insist. This is only required if you have more than one domain in your environment.

  11. 

    Is there a way to apply an image to an AD group, for example, helpdesk or executive?

    • 

      Whilst the “thumbnailPhoto” attribute does exist on groups, Outlook 2010 doesn’t seem to support it fully. It shows the photo for distribution groups in some areas but not in other areas where you would normally see the photo for users/contacts. So I didn’t add the option for AD Photo Edit to be able to upload to groups because I think a lot of people would assume that means Outlook should show the photo and then when it doesn’t they would think my program had not worked correctly.

  12. 

    Hi, I am getting the below mentioned error while running Adphotoedit. Can you please suggest.

    Error writing to file C:\Program Files (x86)\Cjwdev\AD Photo Edit Free Edition\AdPhotoEdit.exe. Verify that you have access to that directory.

    • 

      Do you work for Dell by any chance? The only time I’ve seen that error is when people from Dell try to use the program, as their IT team have blocked the program from running to prevent users from being able to edit their photos (which is a daft way of doing it because there are other ways of editing the photo in AD… a much better way would have been to just deny users permission to write to their “thumbnailPhoto” attribute in AD).

  13. 

    Brilliant! Works like a charm. Thanks so much for this Chris!

  14. 

    Here’s a quick way to clear the thumbnail photo from an AD account:

    http://www.jigsolving.com/ad/clear-thumbnailphoto-attribute

    • 

      Well AD Photo Edit lets you clear the thumbnail photo easily, but yeah that could be useful for people that used powershell to set the photo

  15. 

    My AD doesn’t replicate the thumbnailPhotos. I am using Win2008R2 and I am using AD Photo Edit from cjwdev.

    Kindly assist.

Trackbacks and Pingbacks:

  1. Upload Photos to Active Directory | techfreak.ch - December 14, 2010

    [...] Uploading photos to Active Directory, into the thumbnailPhoto attribute, is a very nice way of storing pictures to be shown in Outlook 2010, Lync, and possibly other (newer) MS Programs. I found this tool really useful to do the upload job: http://cjwdev.wordpress.com/2010/11/03/the-thumbnailphoto-attribute-explained/ [...]

  2. Using Pictures from Active Directory | Oddvar Haaland Moe's Blog - February 23, 2011

    [...] to add pictures from their workstation. This is explained in detail here: http://cjwdev.wordpress.com/2010/11/03/the-thumbnailphoto-attribute-explained/      Okay so now we have added pictures to our user accounts. Next step is to automate the [...]

  3. Jorge 's Quest For Knowledge! : Pictures/Photos in Active Directory - June 14, 2011

    [...] AD replication. It is just yet another attribute with information that needs to be replicated  The thumbnailPhoto Active Directory Attribute Explained Explains how to leverage the "thumbnailPhoto" attribute and how to delegate permissions Pictures in [...]

  4. (2011-06-14) Pictures/Photos In Active Directory « Jorge's Quest For Knowledge! - August 7, 2011

    [...] The thumbnailPhoto Active Directory Attribute Explained [...]

  5. Using Pictures from Active Directory | MSitPros Blog - December 14, 2011

    [...] to add pictures from their workstation. This is explained in detail here: http://cjwdev.wordpress.com/2010/11/03/the-thumbnailphoto-attribute-explained/      Okay so now we have added pictures to our user accounts. Next step is to [...]
