Enabling Photo Support

Uploading photos to the Active Directory has proven to be one of our most popular features.

Microsoft's Active Directory includes two attributes for storing binary photo files as attributes of a user. These are the thumbnailPhoto and jpegPhoto attributes. These attributes have been, by and large, unused by Microsoft until recently. Microsoft has released both Outlook 2010 / 2013 and the Lync client, which read this photo and display it in the client. The ability to show a user's photo from the Global Address List (GAL) as well as at the bottom of a message has been a big hit for Outlook 2010 / 2013.

Outlook 2010 Photo Feature

While this feature has certainly got a lot of people interested, it has generated a lot of questions as well. Both Directory Update and Directory Manager allow you to upload images of a predefined pixel size into the thumbnailPhoto attribute. Directory Search allows you to view those images, but the ability to view users' photos via Outlook 2010 / 2013 or the Lync client makes this a whole new ball game. We hope this article will answer some of those questions and help you decide if adding photos is right for you.


Directory Update and Directory Manager Photo Uploading

The DirectorySettings.XML file in both Directory Update and Directory Manager includes a photo tag. This allows you to enable photo support by setting the editable option to editable="yes". The default width and height (in pixels) are also set in this tag. We recommend you keep the defaults.

<photo label="Add/Change Photo" type="file" visible="yes" editable="yes" attribute="thumbnailPhoto" width="128" height="128" quality="80" defaultValue="Images/noPhoto.gif" />

When the user selects to upload a photo, the Directory Update or Directory Manager software uploads the photo and re-renders the photo to the specified size. If the original photo is rectangular in dimension, then the resulting photo will look squashed or stretched. We recommend the original photo's aspect ratio be square for the best results. It can be larger than 128x128, but our software will re-render it to be smaller.

When the photo is re-rendered, it is then temporarily uploaded to the IIS server's c:\inetpub\wwwroot\directoryupdate\photos or c:\inetpub\wwwroot\directorymanager\photos folder. This is just a temporary storage location until the user saves all of their changes and the photo is further uploaded to the Active Directory. When the changes are saved, the temporary photo file should be discarded. Note that we will NOT re-render or compress the photo if the source photo is exactly the size specified in the DirectorySettings.XML file, such as 128x128.


Image File Size and Active Directory Database Size Increases

We are frequently asked what happens if users upload a 2MB image into the Active Directory. Well, first of all, the maximum attribute size for thumbnailPhoto is 100KB (102,400 bytes), so Active Directory won't even allow you to upload a file that is over 100KB in size.

Second, Microsoft recommends an image size of 96x96. We recommend an image size of 128x128; we feel that a slightly larger image provides better size and resolution for other applications that may use the photo in this attribute in the future. A typical photo at 128x128 is around 5KB to 7KB in size. An Active Directory database (the NTDS.DIT file) with 10,000 users will only increase by about 7MB if you add 10,000 photos to it.

During the upload process, our software re-renders and possibly compresses the photo.


Image Quality

Typical photos, once uploaded, consume about 5KB - 7KB of space in the Active Directory. We chose a compression ratio that allowed for good photo quality while still not consuming too much disk space per photo.

In Directory Update v2.6 and Directory Manager v2.3, we added a new option to the photo tag. The quality="80" option allows you to increase or lower the photo quality based on your own requirements. The default value is 80. The possible range is 0 to 100. 0 is the lowest quality photo (usually about 1KB - 2KB in size and quite grainy). 100 is the highest quality photo and produces better photo quality at a cost of larger file sizes. A typical 128x128 photo using a photo quality of 100 will be about 14KB in size.


Photos and Office 365

If you upload photos to your Active Directory, they will synchronize to the Office 365 Global Address List provided you are performing regular Directory Syncs (DirSync) between your Active Directory and Office 365.




Schema Requirements to Support Outlook 2010/2013 Photos

First and foremost, your Active Directory must have been prepped to support the Exchange 2010 schema. Even if you are not ready to install Exchange 2010, we recommend you prep your Active Directory schema to support Exchange 2010 SP1 or SP2. The E2K10 SP2/SP3 schema, by the way, has some cool new features including lots of new extension attributes (aka custom attributes). Exchange 2013 and 2016's schema prep utilities automatically make all necessary schema changes.

Even after your schema is prepped to support E2K10, you must also flag the thumbnailPhoto attribute so that it is replicated to the Global Catalog domain controllers. Otherwise, Outlook will never see the photos. Microsoft did change this in E2K10 SP2. To do this, you must log on with a user account that is a member of your forest's Schema Admins group. You must also enable the Active Directory Schema management console, as it is not enabled by default. Follow these steps:

  1. Log on to a server with a user account that is a member of Schema Admins
  2. Open a command prompt and type regsvr32.exe schmmgmt.dll, then click OK when prompted. This enables the Active Directory Schema management console.
  3. Run MMC.EXE to open an empty management console
  4. Add the Active Directory Schema snap-in (File -> Add/Remove Snap-in -> Add -> select Active Directory Schema -> click Add and OK)
  5. Navigate to Active Directory Schema -> Attributes
  6. Locate the thumbnailPhoto attribute, right-click it and choose Properties
  7. Check the "Replicate this attribute to the Global Catalog" checkbox and click OK
  8. This should take about 15 - 20 minutes to take effect.

For more information on adding an additional attribute to the Global Catalog, see the KB article: How to Modify Attributes That Replicate to the Global Catalog
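
To confirm the change from the steps above without reopening the schema console, the flag can be read back and the photos counted as a Global Catalog sees them. This is an added example, not part of Directory Update or Directory Manager; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function names are hypothetical.

```powershell
# Added example: read-only checks. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-ThumbnailPhotoInGlobalCatalog {
    # The "Replicate this attribute to the Global Catalog" checkbox is stored
    # on the attribute's schema object as isMemberOfPartialAttributeSet.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw 'thumbnailPhoto not found in the schema partition.' }
    return [bool]$attr.isMemberOfPartialAttributeSet
}

function Get-GlobalCatalogPhotoSummary {
    # Query a Global Catalog on port 3268, the view Outlook depends on,
    # instead of a domain controller's full replica. The search base
    # defaults to the naming context of the GC's own domain.
    $gc     = Get-ADDomainController -Discover -Service GlobalCatalog
    $server = "$($gc.HostName):3268"
    $users  = @(Get-ADUser -Server $server -LDAPFilter '(thumbnailPhoto=*)' `
                    -Properties thumbnailPhoto)
    $sizes  = @($users | ForEach-Object { $_.thumbnailPhoto.Length })
    $stats  = $sizes | Measure-Object -Average -Maximum
    [pscustomobject]@{
        GlobalCatalog  = $server
        UsersWithPhoto = $users.Count
        # Compare with the 5KB - 7KB typical size and the 100KB
        # (102,400 byte) attribute limit quoted in this TechNote.
        AverageBytes   = $stats.Average
        LargestBytes   = $stats.Maximum
    }
}

Test-ThumbnailPhotoInGlobalCatalog   # True once the checkbox is set
Get-GlobalCatalogPhotoSummary
```

A result of True from the first function with UsersWithPhoto still at 0 after photos have been uploaded usually means the change has not finished replicating yet.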


File System Permissions to Write the Photo to the Temporary Folder

As mentioned earlier in this TechNote, when the user selects a photo from Directory Update or Directory Manager, we temporarily upload it to the IIS server's c:\inetpub\wwwroot\directoryupdate\photos or c:\inetpub\wwwroot\directorymanager\photos folder. The IIS server MUST have permissions to save files to this folder and delete them when it is through. Our software must run in an IIS Application Pool that uses a user identity that has rights to this folder. This is typically the "Network Service" or "NetworkService" system identity. You must ensure that the Network Service user has "Modify", "Read & Execute", "List Folder Contents", "Read", and "Write" NTFS permissions to that folder.

NOTE: Newer versions of our software installers automatically create the IIS Application Pool, create the necessary folders, and assign the "NetworkService" user the correct permissions. We are leaving this in the TechNote for informational purposes.
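
The folder permissions described above can be audited with a short read-only script. This is an added example, not code shipped with Directory Update or Directory Manager. The function name, the list of broad groups and the 60-minute staleness threshold are assumptions; the folder paths and the Network Service identity come from this TechNote.

```powershell
# Added example: read-only audit of the temporary photo folder.
function Test-PhotoFolderAcl {
    param(
        [string]$Path = 'c:\inetpub\wwwroot\directoryupdate\photos',
        # Assumption: the application pool runs as Network Service.
        [string]$PoolIdentity = 'NT AUTHORITY\NETWORK SERVICE',
        # Assumption: a temp photo older than this was never cleaned up.
        [int]$StaleMinutes = 60
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    $allow  = @((Get-Acl -Path $Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' })

    # "Modify" includes Read & Execute, List Folder Contents, Read and Write.
    $poolHasModify = [bool]($allow | Where-Object {
        $_.IdentityReference.Value -eq $PoolIdentity -and
        ($_.FileSystemRights -band $rights::Modify) -eq $rights::Modify
    })

    # Added check (not from the TechNote): broad groups holding any write right.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $broadWriters = @($allow | Where-Object {
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $rights::Write) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # Temporary photos should be discarded once the user saves changes.
    $cutoff = (Get-Date).AddMinutes(-$StaleMinutes)
    $stale  = @(Get-ChildItem -Path $Path -File |
                Where-Object { $_.LastWriteTime -lt $cutoff })

    [pscustomobject]@{
        Path          = $Path
        PoolHasModify = $poolHasModify
        BroadWriters  = $broadWriters
        StaleFiles    = $stale.Name
    }
}

Test-PhotoFolderAcl
Test-PhotoFolderAcl -Path 'c:\inetpub\wwwroot\directorymanager\photos'
```

The expected result is PoolHasModify set to True with BroadWriters and StaleFiles both empty.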