Active Directory can do so much more than authentication. In the past, we leveraged it as a self-service password reset tool and to inventory our domain computers. Recently, we used the thumbNailPhoto attribute to set user pictures in Outlook. Let’s take this a bit further. Let’s sync our Active Directory thumbnail with our Windows account photo.
Setting Windows Account Photos with Group Policy and PowerShell
Create a new GPO and edit it. Navigate to User Configuration/Policies/Windows Settings/Scripts/Logoff. Select show files. Create a new text document in the Logoff scripts folder and paste in the following script. Be sure to change the file extension from .txt to .ps1 afterwards.
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param()

    # Returns $true when the value is null or empty (no photo returned from AD)
    function Test-Null($InputObject) { return !([bool]$InputObject) }

    # Get SID and photo for the current user. The ADSI search runs as the logged-on
    # user against the domain, so no extra credentials are needed.
    $user = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
    $user_photo = $user.thumbnailphoto
    $user_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    Write-Verbose "Updating account picture for $($user.displayname)..."

    # Continue only if an image was returned
    If ((Test-Null $user_photo) -eq $false) {
        Write-Verbose "Success. Photo exists in Active Directory."

        # Set up image sizes and base path. Windows expects one file per size
        # under %PUBLIC%\AccountPictures\<SID>.
        $image_sizes = @(40, 96, 200, 240, 448)
        $image_mask = "Image{0}.jpg"
        $image_base = $env:public + "\AccountPictures"

        # Set up registry: each ImageNN value points at the file of that size
        $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
        $reg_key = [string]::format($reg_base, $user_sid)
        $reg_value_mask = "Image{0}"
        If ((Test-Path -Path $reg_key) -eq $false) {
            New-Item -Path $reg_key
        }

        # Save images, set registry values
        ForEach ($size in $image_sizes) {
            # Create hidden directory, if it doesn't exist
            $dir = $image_base + "\" + $user_sid
            If ((Test-Path -Path $dir) -eq $false) {
                $(mkdir $dir).Attributes = "Hidden"
            }

            # Save photo to disk, overwrite existing files.
            # -Encoding Byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead.
            $file_name = ([string]::format($image_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            $user_photo | Set-Content -Path $path -Encoding Byte -Force

            # Save the path in the registry, overwrite existing entries
            $name = [string]::format($reg_value_mask, $size)
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force
        }
        Write-Verbose "Done."
    } else {
        Write-Error "No photo found in Active Directory for $env:username"
    }
This script checks whether the user has a thumbnail photo configured in Active Directory, retrieves it, and sets it as the Windows account photo for the user it runs under. Pretty cool, right? Complete credit goes to Jourdan Templeton for creating this and letting me share it.
Technically, this script can run at logon. We set it to run at logoff for two reasons, though. First, it avoids any impact on user logon time. Second, the picture only appears on the next fresh logon anyway. Head back to your GPO. Under the Logoff script, select the PowerShell Scripts tab and add your PowerShell script.
Link your GPO to a test user that has a picture set. Log in, log out, and log back in. If you have a creative way to leverage AD, let me know in the comments below!
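To confirm the logoff script did what you expect on the test machine, here is an added read-only check (my own example, not part of Jourdan's script) that compares the AD thumbnailPhoto with every file the AccountPicture registry values point at, and flags any value that points outside the expected folder. It assumes Windows PowerShell 5.1 on a domain-joined machine and that you run it as the same user the script ran for; the function name Test-AccountPictureSync is mine.

```powershell
# Added example, not from the original post: verify the account-picture sync
# for the current user. Read-only; assumes Windows PowerShell 5.1, domain-joined.
function Test-AccountPictureSync {
    [CmdletBinding()]
    Param()

    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $regKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\$sid"
    $baseDir = Join-Path $env:public "AccountPictures\$sid"

    # Pull thumbnailPhoto straight from AD so we compare against the source of truth
    $props = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
    if (-not $props.thumbnailphoto) { throw "No thumbnailPhoto in AD for $env:username" }
    $adBytes = [byte[]]$props.thumbnailphoto[0]
    $sha     = [System.Security.Cryptography.SHA256]::Create()
    $adHash  = ([BitConverter]::ToString($sha.ComputeHash($adBytes))) -replace '-', ''

    if (-not (Test-Path -Path $regKey)) { throw "Registry key missing: $regKey" }
    $values = Get-ItemProperty -Path $regKey

    # Same sizes the logoff script writes
    ForEach ($size in 40, 96, 200, 240, 448) {
        $name   = "Image$size"
        $path   = $values.$name
        $result = [ordered]@{ Name = $name; Path = $path; Status = 'OK' }

        if (-not $path) {
            $result.Status = 'registry value missing'
        } elseif (-not $path.StartsWith($baseDir, [StringComparison]::OrdinalIgnoreCase)) {
            # The shell loads whatever file these values point to, so a path outside
            # the expected per-user folder is worth a closer look
            $result.Status = "path outside $baseDir"
        } elseif (-not (Test-Path -Path $path)) {
            $result.Status = 'file missing on disk'
        } elseif ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $adHash) {
            $result.Status = 'file content differs from AD thumbnailPhoto'
        }
        [pscustomobject]$result
    }
}

Test-AccountPictureSync | Format-Table -AutoSize
```

Every row should read OK after a logoff and a fresh logon; anything else tells you which step of the script (registry, folder, or file write) did not complete.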