How to Use AD Photo as User Profile Picture in Windows 10?

Outlook, SharePoint, Skype for Business, Workplace365 and different Microsoft apps permit you to use an Active Directory (Azure AD) picture of the present logged-in consumer as consumer avatars in their interface. In this text, we are going to present you ways to use the Group Policy and PowerShell script to set the consumer picture from Active Directory as a consumer profile image (avatar) in Windows 10 ( Windows profile image is displayed on the Lock Screen, , in the Start Menu, and many others).

Our script will work as follows: when a consumer logs on to the Windows 10, a PowerShell script should be run that will get the consumer’s picture from the thumbnailPhoto consumer attribute in Active Directory, saves the picture file to an area drive and units this file as the consumer account image in present profile. The answer ought to work on all supported shoppers: Windows 10, eight.1, 7 and on RDS hosts working Windows Server 2016/2012 R2.

How to Set Photo for an Active Directory User?

First of all, set images for AD customers by importing picture recordsdata to a particular consumer’s attribute thumbnailPhoto. You can set consumer images through the use of third-party instruments, or utilizing the ActiveDirectory module for Windows PowerShell. Please notice that the utmost avatar picture file measurement should not exceed 100 Kb with the picture decision up to 96 × 96 pixels. You can set the AD account picture for a consumer jchan as follows:

$picture = [byte[]](Get-Content C:PSjchan_photo.jpg -Encoding byte)
Set-ADUser jchan -Replace @

Providing Permissions to Users to Change Profile Picture in Windows

In Windows 10 you possibly can set the consumer account profile image via the registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionAccountPictureUsers. However, non-admin customers don’t have the required permissions to add values to this registry key. To permit customers with out administrator privileges to change the profile image, you should grant them write permissions to this registry key.

It is simpler to deploy the registry key permissions in AD area utilizing GPO:

  1. To do that, run the Group Policy Management console (gpmc.msc), create a brand new coverage and hyperlink it to the OU with customers’ computer systems;
  2. Then in the GPO editor go to the next part Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and (Add key) with the trail MACHINESOFTWAREMicrosoftWindowsCurrentVersionAccountPictureUsers;
  3. Then, in the Security tab, test the Full Control permissions for all area customers ( [DomainName]Users) and click on OK;
  4. In the subsequent window, choose the choice Replace present permission on all sub keys with inheritable permissions, in any other case customers gained’t have any privileges for the nested registry subkeys.

PowerShell Script to Get the AD User’s Photo and Set the User Profile Picture in Windows 10

Then we want to run a PowerShell script that ought to get a photograph of the present consumer from Active Directory, put it aside in a jpg file and set it as a Windows consumer profile image. There are two methods to get consumer picture from AD. You can use the cmdlet from the ActiveDirectory module (this module should be put in on all computer systems by way of , or you possibly can simply copy the required RSAT-AD-PowerShell module recordsdata with out putting in RSAT). Since the script has to be common and work in Windows 7 as properly, we gained’t use the RSAT-AD-PowerShell module, however we are going to entry AD via the ADSISearcher C# class.

An instance of the SetADPicture.ps1 script to get a consumer’s picture from AD and set it as an Windows account avatar image is given beneath:

perform Test-Null($InputObject)
$ADuser = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADuser_photo = $ADuser.thumbnailphoto
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetPresent().User.Value
If ((Test-Null $ADuser_photo) -eq $false)

The script will get the worth of thumbnailphoto attribute of the present AD consumer and saves it to the native folder C:UsersPublicAccountPictures. The folder will comprise recordsdata with image file with totally different resolutions (from 32×32 to 448×448 pixels) for various Windows 10 interface parts: picture32.jpg, picture40.jpg, and many others..

The binding of images to the consumer profile is carried out by way of the parameter in the registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionAccountPictureUsers.

Running PowerShell Script to Bind Photos to a Profile Using GPO

Now we would like to run the SetADPicture.ps1 script when a consumer logon to Windows. It is simpler to do it utilizing a .

To do it, in the beforehand created coverage in the part User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) create a brand new PowerShell logon script:

  • The script identify: %windir%System32WindowsPowerShellv1.0powershell.exe
  • The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserverpercentnetlogonscriptSetADPicture.ps1

Important. The SetADPicture.ps1 script should be beforehand copied to the netlogonscript folder on the area controller.

In the coverage settings, allow the GPO loopback processing mode (Computer Configuration -> Administrative Templates -> System -> Group Policy -> Configure consumer Group Policy Loopback Processing mode = Merge). In this mode, you possibly can apply the coverage to OU with consumer accounts.

You simply have to hyperlink the coverage to the particular OUs, sign off and login to the Windows once more.

An avatar shall be assigned to the Windows 10 consumer profile, and it is going to be appropriately displayed as an account image in the Start menu, on the Welcome Screen and different locations after the subsequent logon. This profile picture task information has been examined on Windows 10 LTSC (1809).

Check Also

CHKDSK: How to Check and Repair Hard Drive Errors in Windows 10?

CHKDSK.exe (test disk) is a classical built-in Windows software for checking exhausting drives for errors. …

Leave a Reply

Your email address will not be published. Required fields are marked *