There seems to be a bit of confusion and general lack of good information on the web regarding the thumbnailPhoto Active Directory attribute that Outlook 2010 uses to show user/contact pictures. As I’m making a program that lets you upload images to this attribute (see this post) I have learnt a fair bit about it and thought I would just clear up a few things.
1. The thumbnailPhoto attribute size limit is not 10 KB. It is 100 KB, and it always has been since it was introduced in Windows 2000 Active Directory. Note that the PowerShell cmdlets that come with Exchange 2010 do not let you upload an image larger than 10 KB though (my AD Photo Edit application does not have this limitation).
2. You don’t need Exchange 2010 to make use of the Outlook 2010 user photos feature. You only need Outlook 2010 and a forest that has had its schema extended to the 2008 version or later. This does not mean you need to have any 2008 domain controllers or even any 2008 servers in your domain (but you will need a 2008 disc to run adprep from to extend the schema).
3. You don’t necessarily have to go and modify the thumbnailPhoto attribute in the AD schema to make it replicate to the Global Catalog like most articles seem to insist. This is only required if you have more than one domain in your environment.
4. It is possible for regular (non-admin) users to update their own photo, and also for a regular user to update other users’ photos (you might want your HR people to do this, for example). I’ll explain how to make the latter possible in a minute, but first let’s look at how a user can update their own photo.
User Updating Their Own Photo
Users have permission to update their own thumbnailPhoto attribute, so if you installed my AD Photo Edit program on their PC they would be able to use it to update their own photo (and no one else’s because they would just get an access denied error if they tried). Of course for the average end user this may be a little over complicated because all they basically want to do is select an image file and click a button and have it automatically select their account and upload the image. So if enough people request it then I may make a special version of AD Photo Edit that is aimed specifically at end users and simply lets them select an image (and you would be able to limit the size of the image they could choose or have it automatically resize the image) and then it uploads it to their account. If you think this would be worth making, let me know – firstname.lastname@example.org
User Updating Other Users’ Photos
You might decide that you don’t want the IT department to be responsible for uploading and updating everyone’s photos in AD, so it might be necessary for a regular user (such as a member of HR) to update other users’ photos. This requires some minor permissions changes, which are outlined below, and then it’s just a case of getting the user who is going to be updating the photos to run a program that can upload images into the thumbnailPhoto attribute – yes, I’m going to plug it one more time: my AD Photo Edit program is ideal for this :)
So what are the permissions changes that are required? Well, first of all I would suggest creating a new security group for this and then adding the relevant user(s) to it, rather than granting an individual user these permissions, as this makes it easier to manage in the future. In this example we will assume you have a group named PhotoEditors and this contains all of the users that should be allowed to edit other users’ photos.
First of all, let’s see what happens when we log on as a user that is a member of our PhotoEditors group and try to update someone else’s picture. We get a “General access denied” error:
So now we need to go into Active Directory Users & Computers and find the OU that contains all of the users we want the PhotoEditors group members to be able to edit photos for (the permissions changes will affect subcontainers/subOUs as well by default). Once you have located the OU, make sure you have Advanced Features visible by going to the View menu and making sure Advanced Features is ticked:
Now with that enabled, right click on the OU you wanted to apply these permissions to and select Properties, then click the Security tab (this is not visible if you do not have Advanced Features enabled).
Click the Advanced button at the bottom of the window and then click the Add button in the new window that appears. Enter the name of your group that contains all of the users that should be allowed to edit photos for users in this OU, and then click OK.
In the new window that appears, click the Properties tab and then change the Apply Onto drop down to “User objects”:
Now in that same window scroll all the way down the permissions list until you see “Write thumbnailPhoto” and put a check in the Allow box for this permission and then click OK.
Note that if you only want these permissions to apply to users in this OU and not in sub OUs then you can tick the box at the bottom of this window before clicking OK.
Click OK out of any other permissions editor windows that are still open and that’s it. Now if we go back and try updating another user’s photo as that same user account we used before (that is a member of our PhotoEditors group) we can see that we no longer get a permissions error:
and just to confirm the image was successfully updated, let’s open Outlook and view an email from the user we just modified:
And there’s our lovely updated sunset photo!
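If you would rather script the delegation than click through Active Directory Users & Computers, the following PowerShell does the same thing as the steps above: it grants the PhotoEditors group Write on the thumbnailPhoto property only, inherited by user objects under the OU, and then lists the resulting ACE so you can confirm nothing broader was granted. This is an added example, not code from this post or from AD Photo Edit; it assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished name is a placeholder you must replace.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and a group named PhotoEditors; $OuDn is a placeholder to replace.
Import-Module ActiveDirectory

$OuDn      = 'OU=Staff,DC=example,DC=com'   # placeholder: OU that holds the users
$GroupName = 'PhotoEditors'

# Resolve the schema GUIDs from the forest at run time rather than hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$thumbnailPhotoGuid = Get-SchemaGuid 'thumbnailPhoto'   # the attribute to allow writes to
$userClassGuid      = Get-SchemaGuid 'user'             # "Apply onto: User objects"

$groupSid = (Get-ADGroup $GroupName).SID

# One ACE: Allow WriteProperty on thumbnailPhoto, inherited by descendant objects,
# but only applied to objects of class user. Use 'Children' instead of 'Descendents'
# to get the "in this container only" behaviour of the checkbox mentioned above.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $thumbnailPhotoGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show every ACE on the OU held by the group. Expect a single entry with
# ActiveDirectoryRights = WriteProperty and ObjectType = the thumbnailPhoto GUID.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType
```

Run it as an account that can modify the OU's security descriptor (a domain admin or an account already delegated Modify Permissions on that OU); the verification step at the end is also useful on its own for auditing who can write photos after the GUI method.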
So as you can see, it is really quite easy to allow regular non-admin users to modify photos for other users… so hopefully that gets some of you out of hours of boring photo uploading :P
I’ll put another post up when AD Photo Edit is finished and available for public download… should be early next week.
As always, would love to hear any feedback you have on either the program or anything else mentioned in this post :)