
How to manage employee photographs with Active Directory

John Joyner explains how to use the built-in features of Exchange 2010 with Outlook and Lync to add and manage employee photos in your organization.

If your organization is running Exchange 2010, Outlook 2010, and Lync 2010, you have the built-in features to integrate employee photographs with Active Directory and cause them to appear throughout Microsoft applications. Microsoft also makes available an add-on tool that extends similar function to users of Outlook 2007 and even Outlook 2003.

Matching names with faces is something most of us can use some help with, especially when we only interact online with co-workers who live in distant cities. A user's photograph is among the most basic elements of a social networking profile. But also consider that the use of online employee photographs in the workplace prompts questions about standard photo appearances and even appropriateness.

Exchange 2010 includes the photo in the GAL

Microsoft's Active Directory (AD) has an attribute ("thumbnailPhoto") that stores a thumbnail portrait photograph of each user. With the debut of the Exchange 2010 and Outlook 2010 combination, a pointer to the photograph in AD is included in the Exchange Global Address List (GAL), and the photo is displayed in Outlook automatically. By default, the GAL contains pointers to the photos in AD, and user photos are downloaded on demand one time per Outlook instance; optionally, you can include employee photos in the offline GAL itself. In a previous article, I showed how the Lync 2010 client is photo-centric, and how Lync in a federated model extends visibility of your AD photo to contacts on the Internet.

Customers running Exchange 2010 with the older Outlook 2007 or Outlook 2003 email clients can also see user photos in context with other Outlook collaboration events like meetings and emails, in one of two ways: (1) also deploy Lync 2010 in your organization, because the Lync client integrates photo and presence information with all Outlook versions, or (2) deploy the optional Outlook add-on, the Outlook Social Connector, which has a subset of the Outlook 2010 photo-integration features. Figure A shows the Notes page of a contact in Outlook 2007 that was automatically created by Lync in July 2011, and then synchronized by Lync again in November 2011 when new information appeared in AD.

Figure A

This contact record in Outlook 2007 was populated by Lync 2010, including the photo from AD.

Centralizing and standardizing the photo

The default option in Outlook 2010 is to show user photos (Outlook Options | Contacts | Online Status And Photographs | Show User Photographs When Available). With this option enabled, a large photo of a message sender will appear in the corner of the view pane. The default behavior of Lync is that users have the option to use a photo of their choice (uploaded from a URL they specify), as well as a corporate photo from AD, or no photo.

When you give users the opportunity to specify their own photo, by definition there is going to be a lot of diversity in the photos, from how large the subject's face is, to background colors, shadow and lighting, even what (and how much!) clothing the employee is wearing. In a federated Lync environment, in fact in any organization concerned about corporate identity, there can be a desire to standardize employee photos in a certain format.

Forcing Lync to use the AD Photo

Many companies take employee photos for security badges, and these are often all in a standard format that might be suitable for AD photos. Whether photos are displayed in Lync, and whether the user can supply their own photo or not, are controlled by a setting on the Lync server. To give users a choice of only their AD photo, or no photo, run this Lync PowerShell command:

Set-CsClientPolicy -Identity PhotosControl -DisplayPhoto PhotosFromADOnly

For example, after running this command, Figure B shows the two choices a Lync user has over the visibility of their photo:

Figure B

Lync "My Picture" options limited by policy to corporate photo or no photo.

How to import photos to AD

There is a minor schema change required to enable use of photos in AD. The change is to flip the thumbnailPhoto attribute to make it replicate to the Global Catalog. Exchange 2010 Service Pack 1 (SP1) automatically performs this schema change, so if you have deployed Exchange 2010 SP1, you do not need to make a schema change. Otherwise, you do need to follow these steps:

  1. If you haven't registered the Schema MMC snap-in on the server you want to make this change on, go ahead and do so using the following command: Regsvr32 schmmgmt.dll
  2. Open an MMC console (Start | Run | MMC) and add the Schema snap-in.
  3. In the Active Directory Schema snap-in, expand the Attributes node, and then locate the thumbnailPhoto attribute.
  4. In the Properties page, select Replicate this attribute to the Global Catalog, and click OK.

Then you are ready to import photos into AD. This is done with a PowerShell command, for example:

Import-RecipientDataProperty -Identity "Dollie Madison" -Picture -FileData ([Byte[]]$(Get-Content -Path "C:\pictures\DollieMadison.jpg" -Encoding Byte -ReadCount 0))

The recommended thumbnail photo size is 96x96 pixels, and by default, the maximum size of photo that can be imported with the Import-RecipientDataProperty command is 10 KB. There are also options to force inclusion of the photo in the offline address book; see the "Links for more information" section below for how to make those and other advanced changes related to AD photos.
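
Because thumbnailPhoto is replicated to the Global Catalog and shown across Outlook and Lync, it is worth checking each file before it is written to the directory. The following is an added example, not part of the original article: it applies the size and dimension limits above and confirms the file really is a JPEG before calling Import-RecipientDataProperty. The function names and the convention that each file is named after the mailbox alias (alias.jpg) are assumptions.

```powershell
# Added example: validate badge photos before writing them to thumbnailPhoto.
# Assumption (not from the article): files are named <alias>.jpg in $PhotoDir.
Add-Type -AssemblyName System.Drawing

$MaxBytes = 10KB    # default import limit stated in the article
$MaxSide  = 96      # recommended thumbnail edge, in pixels

function Test-ThumbnailPhoto {
    param([byte[]]$Bytes)
    # Returns a rejection reason, or $null when the bytes are acceptable.
    if ($null -eq $Bytes -or $Bytes.Length -lt 4) { return 'file is empty or truncated' }
    if ($Bytes.Length -gt $MaxBytes) { return "larger than $MaxBytes bytes" }
    # JPEG files start with the SOI marker FF D8, followed by FF.
    if ($Bytes[0] -ne 0xFF -or $Bytes[1] -ne 0xD8 -or $Bytes[2] -ne 0xFF) {
        return 'not a JPEG (bad magic bytes)'
    }
    $stream = New-Object System.IO.MemoryStream (,$Bytes)
    try {
        # Decode the image so a renamed or corrupt file is rejected here.
        $img = [System.Drawing.Image]::FromStream($stream)
        try {
            if ($img.Width -gt $MaxSide -or $img.Height -gt $MaxSide) {
                return "dimensions $($img.Width)x$($img.Height) exceed ${MaxSide}x${MaxSide}"
            }
        } finally { $img.Dispose() }
    } catch {
        return 'image data does not decode'
    } finally { $stream.Dispose() }
    return $null
}

function Import-PhotoFolder {
    param([string]$PhotoDir, [switch]$Apply)
    foreach ($file in Get-ChildItem -Path $PhotoDir -Filter *.jpg) {
        $bytes  = [System.IO.File]::ReadAllBytes($file.FullName)
        $reason = Test-ThumbnailPhoto -Bytes $bytes
        if ($reason) { Write-Warning "$($file.Name) skipped: $reason"; continue }
        # Dry run unless -Apply is given; -WhatIf only reports the change.
        Import-RecipientDataProperty -Identity $file.BaseName -Picture `
            -FileData $bytes -WhatIf:(-not $Apply)
    }
}

# Preview first, then re-run with -Apply from the Exchange Management Shell.
Import-PhotoFolder -PhotoDir 'C:\pictures'
```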

Links for more information

Here are two excellent links from a helpful Microsoft employee that will answer most any technical question on this subject:

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...
