Using Active Directory User Photo as Account Logon Image on Windows Ranjan.info

Most Microsoft Office apps (Outlook, SharePoint, Office365, Skype for Business, etc.) allow the use of an Active Directory (Azure AD) photo of a currently signed-in user as the user’s avatar in their interface. In this article, we’ll show you how to use an Active Directory user’s picture as the account logon image (avatar) for the Windows user profile that appears in the Lock screen, Welcome screen, Start menu, and more.

For this task, we will use a short PowerShell logon script. The script should run when the user logs on to Windows, get the user’s picture from Active Directory (the thumbnailphoto attribute), and set it as the profile picture of the Windows user profile.

windows account picture from ad thumbnail photo

How to add photos for Active Directory users?

User’s picture is a special feature (thumbnailPhoto) of the account in Active Directory. You can set images for your users using third-party tools or the Set-ADUser cmdlet from the Active Directory Module for Windows PowerShell.

  1. Save the user’s photo to disk in JPEG/BMP format (the maximum avatar image file size should not exceed 100 KB and the image resolution should be up to 96 × 96 pixels);
  2. To set an AD account image for a user jchanRun command:
    $photo = [byte[]](Get-Content C:\PS\jchan_photo.jpg -Encoding byte)
    Set-ADUser jchan -Replace @{thumbnailPhoto=$photo}
  3. Open the Active Directory Users and Computers Console (ADUC), switch to the Attribute Editor tab, and check whether the thumbnailphoto attribute now has a value.Set thumbnail photo attribute for Active Directory user account

Create GPO to set Account Profile Picture on Windows

Now you need to configure a Domain Group Policy that will configure the environment options to use Active Directory user photos as account logon images on Windows computers.

    1. Open the Group Policy Management Console (gpmc.msc, Create a new GPO and link it to the OU (Organizational Unit) that contains the user’s computers;
    2. In Windows, you can set a user’s avatar image (the path to the JPG file used for the user’s profile) via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users registry key. You must allow users to change their profile photo directly through the registry;
    3. You can deploy registry key permissions in an AD domain by using GPOs. Navigate to the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry, Create a new registry key (add key) along the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users;AccountPicture registry key via GPO
    4. give full control Permissions for the Domain Users group ([DomainName]\Users) on the Database Security screen;
    5. In the next window, select the option replace existing permissions on all subkeys with inheritable permissionsOtherwise, users will not have privileges to the nested registry subkeys;Setting Registry Permissions via GPO
    6. Enable GPO option Configure User Group Policy Loopback Processing Mode , Sickness (Computer Configuration -> Administrative Templates -> System -> Group Policy). This will allow you to apply the policy to the OU containing the computer accounts.GPO - Enable Loopback Processing Mode

Set User Account Profile Photo with PowerShell on Windows

Next, you need to create a PowerShell script that will get the current user’s photo from Active Directory, save it to a JPG file, and set it as the user’s profile image.

There are two ways to get user’s photo from AD. You can use the Get-ADUser cmdlet from the ActiveDirectory module (this module must be installed on all computers via RSAT, or you can copy the required RSAT-AD-PowerShell module files without installing RSAT). In order for the script to be universal and work correctly without installing RSAT (including Windows 7), we will connect to AD using the ADSISearcher class.

SetADPicture.ps1 script code:

Function ResizeImage {
Param (
[Parameter(Mandatory = $True, HelpMessage = "image in byte")][ValidateNotNull()]$imageSource,
[Parameter(Mandatory = $true, HelpMessage = "Betwwen 16 and 1000")][ValidateRange(16, 1000)]$canvasSize,
[Parameter(Mandatory = $true, HelpMessage = "Between 1 and 100")][ValidateRange(1, 100)]$ImgQuality = 100
)
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
$imageBytes = [byte[]]$imageSource
$ms = New-Object IO.MemoryStream($imageBytes, 0, $imageBytes.Length)
$ms.Write($imageBytes, 0, $imageBytes.Length);
$bmp = [System.Drawing.Image]::FromStream($ms, $true)
# Image size after conversion
$canvasWidth = $canvasSize
$canvasHeight = $canvasSize
# Set picture quality
$myEncoder = [System.Drawing.Imaging.Encoder]::Quality
$encoderParams = New-Object System.Drawing.Imaging.EncoderParameters(1)
$encoderParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter($myEncoder, $ImgQuality)
# Get image type
$myImageCodecInfo = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.MimeType -eq 'image/jpeg' }
# Get aspect ration
$ratioX = $canvasWidth / $bmp.Width;
$ratioY = $canvasHeight / $bmp.Height;
$ratio = $ratioY
if ($ratioX -le $ratioY) {
$ratio = $ratioX
}
# Create an empty picture
$newWidth = [int] ($bmp.Width * $ratio)
$newHeight = [int] ($bmp.Height * $ratio)
$bmpResized = New-Object System.Drawing.Bitmap($newWidth, $newHeight)
$graph = [System.Drawing.Graphics]::FromImage($bmpResized)
$graph.Clear([System.Drawing.Color]::White)
$graph.DrawImage($bmp, 0, 0 , $newWidth, $newHeight)
# Create an empty stream
$ms = New-Object IO.MemoryStream
$bmpResized.Save($ms, $myImageCodecInfo, $($encoderParams))
# cleanup
$bmpResized.Dispose()
$bmp.Dispose()
return $ms.ToArray()
}
$ADUserInfo = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADUserInfo_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
If ($ADUserInfo.thumbnailphoto) {
$img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
$img_base = "C:\Users\Public\AccountPictures"
$reg_key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\$ADUserInfo_sid"
If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key } { write-verbose "Reg key exist [$reg_key]" }
Try {
ForEach ($size in $img_sizes) {
$dir = $img_base + "\" + $ADUserInfo_sid
If ((Test-Path -Path $dir) -eq $false) { $(New-Item -ItemType directory -Path $dir).Attributes = "Hidden" }
$file_name = "Image$($size).jpg"
$path = $dir + "\" + $file_name
Write-Verbose " Crete file: [$file_name]"
try {
ResizeImage -imageSource $($ADUserInfo.thumbnailphoto) -canvasSize $size -ImgQuality 100 | Set-Content -Path $path -Encoding Byte -Force -ErrorAction Stop
Write-Verbose " File saved: [$file_name]"
}
catch {
If (Test-Path -Path $path) {
Write-Warning "File exist [$path]"
}
else {
Write-Warning "File not exist [$path]"
}
}
$name = "Image$size"
try {
$null = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force -ErrorAction Stop
}
catch {
Write-Warning "Reg key edit error [$reg_key] [$name]"
}
}
}
Catch {
Write-Error "Check permissions to files or registry."
}
}

The script gets the value of the thumbnailphoto attribute of the current user from Active Directory and saves it to a local folder C:\Users\Public\AccountPictures\{User SID}, The folder will contain jpg files with different resolutions for different Windows interface elements: Image32.jpg (32×32), Image40.jpg (40×40), etc.

program data account pictures

To associate these photo files with a user profile, the script will create a mapping under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User_SID} .

account picture

Copy the PowerShell script code and save it in a new PS1 file in the NetLogon folder on a domain controller ( \\woshub.com\NETLOGON\SetADPicture.ps1 ,

You need to run this PowerShell script when the user logs in to Windows. The easiest way to implement this is to use the GPO Logon Scripts feature.

  1. To do this, open the GPO created earlier and navigate to User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff),
  2. choose log on, go to powershell scripts tab and click Join,
  3. Specify the full UNC path for the SetADPicture.ps1 script file in NETLOGON.

run powershell logon script via GPO

You will need to log out and log back in (twice) for the new GPO setting to apply and to set your Active Directory photo to your Windows user profile.

Check whether the user’s picture from AD is now displayed in the Windows login screen, Start menu, and other interface elements. For example, see your user image on the Account tab in the Settings panel (shortcut URI command ms-settings:accounts,

If the policy doesn’t work:

  1. If Windows is not activated, it will not display the user’s avatar (check Windows activation status on user computers);
  2. Check the resulting GPO settings and ensure that the policy Enforce default logon picture for all users (Computer Settings-> Policies-> Administrative Templates-> Control Panel-> User Accounts) is not enabled;GPO Option: Enforce default logon picture for all users
  3. Troubleshoot Group Policy on target computers with the gpresult tool.
You can use this PowerShell script to configure Active Directory user photos as account logon images for all supported operating systems: Windows 11, 10, 8.1, and Windows Server 2022, 2019, 2016, 2012 R2 ( including scenarios with standalone RDS hosts and Remote Desktop service farms).

Leave a Comment