Active Directory can do so much more than authentication. In the past, we leveraged it as a self-service password reset tool and to inventory our domain computers. Recently, we used the thumbNailPhoto attribute to set user pictures in Outlook. Let’s take this a bit further. Let’s sync our Active Directory thumbnail with our Windows account photo.
Setting Windows Account Photos with Group Policy and PowerShell
Create a new GPO and edit it. Navigate to User Configuration/Policies/Windows Settings/Scripts/Logoff. Select show files. Create a new text document in the Logoff scripts folder and paste in the following script. Be sure to change the file extension from .txt to .ps1 afterwards.
[CmdletBinding(SupportsShouldProcess=$true)]Param()
function Test-Null($InputObject) { return !([bool]$InputObject) }

#get sid and photo for current user
$user = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$user_photo = $user.thumbnailphoto
$user_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Verbose "Updating account picture for $($user.displayname)..."

#continue if an image was returned
If ((Test-Null $user_photo) -eq $false)
{
    Write-Verbose "Success. Photo exists in Active Directory."

    #set up image sizes and base path
    $image_sizes = @(40, 96, 200, 240, 448)
    $image_mask = "Image{0}.jpg"
    $image_base = $env:public + "\AccountPictures"

    #set up registry
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $user_sid)
    $reg_value_mask = "Image{0}"
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }

    #save images, set reg keys
    ForEach ($size in $image_sizes)
    {
        #create hidden directory, if it doesn't exist
        $dir = $image_base + "\" + $user_sid
        If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }

        #save photo to disk, overwrite existing files
        $file_name = ([string]::format($image_mask, $size))
        $path = $dir + "\" + $file_name
        Write-Verbose " saving: $file_name"
        $user_photo | Set-Content -Path $path -Encoding Byte -Force

        #save the path in registry, overwrite existing entries
        $name = [string]::format($reg_value_mask, $size)
        $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force
    }

    Write-Verbose "Done."
}
else { Write-Error "No photo found in Active Directory for $env:username" }
This script will see if a user has a configured thumbnail photo, retrieve it, and set it as the current Windows account photo for the user that it runs under. Pretty cool right? Complete credit goes to Jourdan Templeton for creating this and letting me share it.
Technically, this script can run under logon. We set the script to run on logoff for two reasons though. First, it prevents any impact to user logons. Second, the picture only appears on the next fresh logon anyways. Head back to your GPO. Under Logoff script, select the PowerShell scripts tab and add in your PowerShell script.
Link your GPO to a test user that has a picture set. Log in, log out, and log back in. If you have a creative way to leverage AD, let me know in the comments below!
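Because the logoff script runs as the user who is logging off yet writes under HKLM, whether it succeeds depends on that user's rights on the AccountPicture key and on the session's PowerShell language mode. The following read-only pre-flight check is an added example, not part of the original post or of Jourdan Templeton's script; the function names Test-HklmWrite and Test-AccountPicturePrereqs are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): read-only pre-flight check.
# Run it in the affected user's own, non-elevated Windows PowerShell session.

function Test-HklmWrite([string]$SubKey) {
    # Open the key asking for write access; nothing is created or changed.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'Missing' }
        $key.Close()
        return 'Writable'
    }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'Denied'
    }
}

function Test-AccountPicturePrereqs {
    # 1. Language mode, read from the same property the logoff script's session uses.
    $mode = "$($ExecutionContext.SessionState.LanguageMode)"
    if ($mode -ne 'FullLanguage') {
        # Restricted modes limit .NET method calls such as the ones below.
        Write-Warning "LanguageMode is $mode; resolve that before testing further."
        return
    }

    # 2. Registry: the script creates <parent>\<SID> and writes Image<size> values.
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $parent = 'SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'

    # 3. Directory: same LDAP filter as the script; FindOne() returns $null
    #    when no object matches.
    $filter = "(&(objectCategory=User)(SAMAccountName=$env:USERNAME))"
    $hit    = ([ADSISearcher]$filter).FindOne()

    New-Object psobject -Property ([ordered]@{
        LanguageMode = $mode
        UserSid      = $sid
        ParentKey    = Test-HklmWrite $parent
        UserKey      = Test-HklmWrite "$parent\$sid"
        PhotoInAD    = [bool]($hit -and $hit.Properties.Contains('thumbnailphoto'))
        PictureDir   = Test-Path (Join-Path $env:PUBLIC "AccountPictures\$sid")
    })
}

Test-AccountPicturePrereqs | Format-List
```

If ParentKey is Missing, or ParentKey is Denied while UserKey is Missing, the script's New-Item line cannot succeed for that user, and every New-ItemProperty call after it fails because the per-user key was never created.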
Good afternoon, thank you for your collaboration, I am writing to you from Venezuela, I am telling you: the Scripts works perfectly in Windows 10, but I wanted to see if they can help me with anything, starting the session with the user the profile image loads without problem the detail is that it looks pixelated and does not have the sharpness, I wanted to know if you know if there is an option in the Scripts to make the image look sharper, thanks in advance I will be attentive to your comments …
wow, what’s with TJ’s attitude?? great patience shown there Joseph.
🙂
This does NOT work unless your users are full admins. It’s amazing how people don’t think of this stuff and just post this out to the world. In fact I couldn’t find any site out there that factors in users not being full admins.
None of my users are admins.
And this is still working on Windows 10 1803 for me. 🙂
You’re saying you can set that via GPO and it works on the latest build of Windows 10? Well then there must be something I’ve done wrong because I can’t get it to work to save my life. I keep checking folder permissions and they are exactly the same after the user logs in, or restarts, or does a gpupdate /force. Nothing causes the permissions to change. I’ve added registry keys via GPO, done the file permissions (which is oddly named for when you need to add permissions on a folder). Still, nothing works.
By chance, are you running constrained language mode on your clients?
Not that I’m aware of. Just a standard Windows 10/Windows Server build. If you look at the permissions of that folder it will show you the default permissions only allow admins to make changes.
From a standard user’s powershell session, run: $ExecutionContext.SessionState.LanguageMode
Compare the value returned to this chart: https://blogs.technet.microsoft.com/kfalde/2017/01/20/pslockdownpolicy-and-powershell-constrained-language-mode/
Wow. Another piece to add to the never-ending complexity of Windows. I swear next month I’m sure it will be there’s a FluxCapacitorOption needs to be turned on, and the month after that there will be a HydrolicResourceMonitor that has to be enabled, etc, etc. This stuff just never ends.
I don’t know how this would have gotten turned on, perhaps our anti-virus software? We never specifically set it via gpo. How do we turn it off or back to normal?
🙂 I understand – it probably got enabled when you installed PowerShell 5. I should probably rewrite this to not use dot sources.
Set the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
__PSLockdownPolicy
REG_SZ
0
Restart.
Thanks for the script, but it works only if the user has local admin rights because he needs to create a new key with his SID under HKLM:\\Software…
If the user is not in local Administrators group, the script will fail on the following line:
If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }
Best regards
Has anyone fixed this yet? If you try to elevate the command it will fail also because it uses the user running the script to make the adjustments so it tries to change whatever account the script runs under.
Hello Joseph Moody,
I tried this policy but it didn’t work. I had this error; how can I fix this error? Does this PowerShell script only run on Windows 10?
Thanks for your interest.
New-Item : The registry key at the specified path does not exist.
At C:\Users\administrator\Desktop\resim.ps1:24 char:58
+ If ((Test-Path -Path $reg_key) -eq $false) { New-Item <<<< -Path $reg_key }
+ CategoryInfo : InvalidArgument: (HKEY_LOCAL_MACH…ntPicture\Users:Strin
g) [New-Item], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.Ne
wItemCommand
New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Acc
ountPicture\Users\S-1-5-21-709320973-3028178463-1146091674-500' because it does not exis
t.
At C:\Users\administrator\Desktop\resim.ps1:41 char:34
+ $value = New-ItemProperty <<<< -Path $reg_key -Name $name -Value $path -Force
+ CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\…-1146091674-500:String
) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropert
yCommand
New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Acc
ountPicture\Users\S-1-5-21-709320973-3028178463-1146091674-500' because it does not exis
t.
At C:\Users\administrator\Desktop\resim.ps1:41 char:34
+ $value = New-ItemProperty <<<< -Path $reg_key -Name $name -Value $path -Force
+ CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\…-1146091674-500:String
) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropert
yCommand
New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Acc
ountPicture\Users\S-1-5-21-709320973-3028178463-1146091674-500' because it does not exis
t.
At C:\Users\administrator\Desktop\resim.ps1:41 char:34
+ $value = New-ItemProperty <<<< -Path $reg_key -Name $name -Value $path -Force
+ CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\…-1146091674-500:String
) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropert
yCommand
New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Acc
ountPicture\Users\S-1-5-21-709320973-3028178463-1146091674-500' because it does not exis
t.
At C:\Users\administrator\Desktop\resim.ps1:41 char:34
+ $value = New-ItemProperty <<<< -Path $reg_key -Name $name -Value $path -Force
+ CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\…-1146091674-500:String
) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropert
yCommand
New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Acc
ountPicture\Users\S-1-5-21-709320973-3028178463-1146091674-500' because it does not exis
t.
At C:\Users\administrator\Desktop\resim.ps1:41 char:34
+ $value = New-ItemProperty <<<< -Path $reg_key -Name $name -Value $path -Force
+ CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\…-1146091674-500:String
) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropert
yCommand
_____________________________________________________________________________________
Hello,
I had this problem, how can I fix this?
‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\S-1-5-21-1419014510-2747843093-2350353519-8522’
because it does not exist.
At D:\LogonImage.ps1:76 char:18
+ … $value = New-ItemProperty -Path $reg_key -Name $name -Value $path …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\…2350353519-8522:String) [New-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropertyCommand
Thanks.
The script works great, except it distorts the image. Everyone looks like they have short, fat heads.
Have you considered the possibility that everyone does in fact have short, fat heads? 🙂
But seriously, what client OS are you using? I haven’t seen this problem on Windows 10 but would see it on Windows 8 with some pictures.
I just thought I’d add to this – I noticed a slight distortion with the account photo on Windows 10. Only on the lock screen though, it looked fine on the Start Menu and on the Control Panel User Account Settings. Fixed it by changing the script a little; I just fed it one size on line 16. I wasn’t sure what all the different sizes were for anyway haha so I’ve given it a 162×162 image (roughly what the images I’d been given already were and then cropped using your original script to import into AD) that’s around 30kb and it’s working fine for my test users.
I don’t know why it made a difference just having the single size but the reason I tried it was due to manually changing the account photo to the original I had and not noticing any distortion!
Hope that all makes sense…. barely into my first tea of the day 🙂
Thanks for the update James! If I run into this again, I will give it a try.
Hi, Great script. Just tested and can be used as a logon script in windows 10. i.e. you don’t need to logout for the image to be displayed. Thanks
Awesome – thanks for the update Mark!
That will definitely come in handy! Thnx! Will try it out.
Let me know how it goes!
nice script, it works for me in windows 7/8x and windows 10, I have around 50 branches, it is not effective on branches.
Thanks for confirming that it works on Windows 7! I didn’t have easy access to that OS to confirm.
I’m getting this error for windows 7 machines. The registry key at the specified path does not exist.
Does HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\ exist on those machines?
Awesome script! That’s my Monday sorted!
I’m glad you enjoyed it Jeff! Let me know if you have any issues setting it up.