How to use Active Directory user photos in Windows 10

User photos stored in Active Directory can be used by applications like Outlook, Skype for Business (Lync) or SharePoint to display the picture of the currently logged-in user in their interface. However, you can take even more advantage of Active Directory photos and use them as account pictures in Windows 10 (and other versions of Windows as well, starting from Windows 7). All you have to do is make sure that you already have user photos added in Active Directory (or add them yourself) and create a Group Policy object (GPO) that will execute a script to change users’ account pictures in your domain automatically. Optionally, you may also need to globally change some of the users’ privileges, but we’ll get back to that later. Some of these steps can easily be done using CodeTwo Active Directory Photos, which is completely free! As for the other steps, this article will guide you through them smoothly.

Take a good look at this default account picture, as you will probably see it for the last time:

[Image: Default Windows 10 account picture]

Follow these steps to use Active Directory user photos in Windows 10

Importing photos into Active Directory

There is a simple Set-ADUser cmdlet that can be used to import user photos to Active Directory. It saves an image file in the thumbnailPhoto Active Directory attribute. An example of the command that needs to be run in PowerShell looks as follows:

$ADphoto = [byte[]](Get-Content <path to file> -Encoding byte)
Set-ADUser <username> -Replace @{thumbnailPhoto=$ADphoto}

Just remember to provide an exact path to the image file and the user’s name (learn about other ways of identifying your Active Directory users in this MS TechNet article), for example:

$ADphoto = [byte[]](Get-Content C:\AD_Photos\ad-brian-johnson -Encoding byte)
Set-ADUser BrianJ -Replace @{thumbnailPhoto=$ADphoto}

Of course, this is a no-go when you want to import photos for a lot of users. A similar command can be used to import multiple pictures into Active Directory. But first, you need to prepare a CSV file with the list of users and their respective photos. Here’s an example content of such a file:

AD_user,path_to_file
AlexD,C:\AD_Photos\ad-alex-darrow.jpg
AnneW,C:\AD_Photos\ad-anne-wallace.jpg
BrianJ,C:\AD_Photos\ad-brian-johnson.png

Once the file is ready, use the following command:

Import-Csv C:\AD_Photos\photos.csv |%{Set-ADUser -Identity $_.AD_user -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.path_to_file -Encoding byte))}}

Creating such a file can also be quite time-consuming. This is where CodeTwo Active Directory Photos comes into play. The program not only allows you to quickly connect to Active Directory and import (single or multiple) files, but it comes with the ability to match photos automatically with respective Active Directory users. Plus, you can do all that from an intuitive and user-friendly interface.

[Image: Matching photos in CodeTwo Active Directory Photos]

There is also one important aspect that hasn’t been mentioned yet – the photo stored in the thumbnailPhoto attribute cannot be bigger than 100 kB, and the recommended size is 96 x 96 pixels. Here you can also make use of CodeTwo Active Directory Photos, as it lets you adjust both the size of the file and its dimensions.

[Image: Editing photos in CodeTwo Active Directory Photos]
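The CSV import and the 100 kB limit described above can be combined into one pre-import check. The following is an added example, not code from the original article: it assumes the ActiveDirectory module and the CSV columns AD_user and path_to_file shown earlier, and the function names Test-ADPhotoFile and Import-ADPhotoCsv are hypothetical.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module and the
# CSV columns AD_user / path_to_file shown above; function names are hypothetical.
Add-Type -AssemblyName System.Drawing

function Test-ADPhotoFile {
    param([Parameter(Mandatory)][string]$Path, [int]$MaxBytes = 100KB)
    $r = [pscustomobject]@{ Path = $Path; Ok = $false; Detail = ''; Bytes = $null }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { $r.Detail = 'file not found'; return $r }
    # ReadAllBytes works in Windows PowerShell and PowerShell 7 alike
    $bytes = [System.IO.File]::ReadAllBytes((Convert-Path -LiteralPath $Path))
    if ($bytes.Length -gt $MaxBytes) { $r.Detail = "too large: $($bytes.Length) bytes"; return $r }
    # Decode the data to confirm it is a real image, not just a file with an image extension
    $stream = New-Object System.IO.MemoryStream (,$bytes)
    try {
        $img = [System.Drawing.Image]::FromStream($stream)
        $r.Detail = "$($img.Width)x$($img.Height) px, $($bytes.Length) bytes"
        $img.Dispose()
    } catch {
        $r.Detail = 'not a decodable image'; return $r
    } finally { $stream.Dispose() }
    $r.Ok = $true; $r.Bytes = $bytes
    return $r
}

function Import-ADPhotoCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)
    Import-Csv -LiteralPath $CsvPath | ForEach-Object {
        $check = Test-ADPhotoFile -Path $_.path_to_file.Trim()
        if ($check.Ok -and $PSCmdlet.ShouldProcess($_.AD_user, 'Set thumbnailPhoto')) {
            Set-ADUser -Identity $_.AD_user.Trim() -Replace @{ thumbnailPhoto = $check.Bytes }
        }
        # One result row per CSV line, so skipped files are visible
        [pscustomobject]@{ User = $_.AD_user.Trim(); Ok = $check.Ok; Detail = $check.Detail }
    }
}

# Dry run first; drop -WhatIf to write to Active Directory
Import-ADPhotoCsv -CsvPath C:\AD_Photos\photos.csv -WhatIf
```

The Detail column reports each image's pixel dimensions, so files far from the recommended 96 x 96 pixels can be spotted before they are written to the directory.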

With this program, you will also instantly know which users don’t have photos added to Active Directory by merely looking at the user list.

[Image: Viewing users in CodeTwo Active Directory Photos]

Otherwise, you can, for example, open the Active Directory Users and Computers tool and check if the thumbnailPhoto attribute shows any value. If you see <not set>, it means there is no photo there.

[Image: Checking thumbnailPhoto attribute in Active Directory Users and Computers]

If you can’t find the Attribute Editor tab in the Properties window, make sure the Advanced Features option on the View menu is checked.

[Image: Enabling Advanced Features in Active Directory Users and Computers]

Creating a new GPO for your domain

Now, to propagate these Active Directory photos as Windows 10 account pictures, you can make use of Group Policy objects. Or, more specifically, Group Policy logoff scripts. They are used to perform automated tasks on each machine in a specified domain when a user logs off in Windows. That way, changes are introduced without any conflicts and even without any interaction on users’ part.

The script that we’re going to use was found on this site. You can adjust this code to your needs, or just copy it as it is and paste it into an empty text document. Save the file and change its extension from .txt to .ps1. Next, copy the file to a network location, e.g. %logonserver%\netlogon.

[CmdletBinding(SupportsShouldProcess=$true)]Param()
# Returns $true when the input is null or empty
function Test-Null($InputObject) { return !([bool]$InputObject) }
# Look up the current user in Active Directory and read the thumbnailPhoto attribute
$ADuser = ([ADSISearcher]"(&(objectCategory=User)(SAMAccountName=$env:username))").FindOne().Properties
$ADuser_photo = $ADuser.thumbnailphoto
$ADuser_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
If ((Test-Null $ADuser_photo) -eq $false) {
    $img_sizes = @(32, 40, 48, 96, 192, 200, 240, 448)
    $img_mask = "Image{0}.jpg"
    $img_base = "C:\ProgramData\AccountPictures"
    $reg_base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{0}"
    $reg_key = [string]::format($reg_base, $ADuser_sid)
    $reg_value_mask = "Image{0}"
    # Create the per-user registry key (named after the user's SID) if it is missing
    If ((Test-Path -Path $reg_key) -eq $false) { New-Item -Path $reg_key }
    Try {
        ForEach ($size in $img_sizes) {
            $dir = $img_base + "\" + $ADuser_sid
            If ((Test-Path -Path $dir) -eq $false) { $(mkdir $dir).Attributes = "Hidden" }
            $file_name = ([string]::format($img_mask, $size))
            $path = $dir + "\" + $file_name
            Write-Verbose " saving: $file_name"
            # The same thumbnailPhoto bytes are written under each file name; the image is not resized.
            # -ErrorAction Stop turns a failed write into a terminating error so the Catch block runs.
            $ADuser_photo | Set-Content -Path $path -Encoding Byte -Force -ErrorAction Stop
            # Point the ImageNN registry value at the file that was just saved
            $name = [string]::format($reg_value_mask, $size)
            $value = New-ItemProperty -Path $reg_key -Name $name -Value $path -Force -ErrorAction Stop
        }
    }
    Catch {
        Write-Error "Check permissions to files or registry."
    }
}

What does this script do? Generally, it exports the photo stored in the thumbnailPhoto attribute and saves it on your machine, in a specified folder (in this case: C:\ProgramData\AccountPictures\{User SID}). You will notice that there will be eight JPG files stored in this folder, each of a different size (from 32×32 px to 448×448 px) and with a name specifying the photo’s size (image32.jpg, image96.jpg, etc.). Additionally, new registry keys will be created under MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\{User SID} in the Windows registry, with paths to these photos.

To create a new GPO, open Group Policy Management console (if you can’t find it, follow these steps to install it), find your domain in the console tree, right-click it and select Create a GPO in this domain, and Link it here.

[Image: Creating a new GPO]

Provide any name you want and click OK. A new GPO will appear under Group Policy Objects.

[Image: Newly created Group Policy Object]

Adding a logoff script to GPO

Right-click this GPO and choose Edit. The Group Policy Management Editor window will open. Navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff), and then double-click Logoff in the right pane.

[Image: Adding a new Logoff script]

In the properties window, go to the PowerShell Scripts tab. Click Add and paste the following script under the Script Name field:

%windir%\System32\WindowsPowerShell\v1.0\powershell.exe

Next, under Script Parameters, enter:

-Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\<file_name>.ps1

Just remember to provide the correct path to your PS1 file. When done, just click OK two times.

And this should do the trick. The next time a user logs off from any machine in this domain and logs in again, the account picture should update automatically.

[Image: Custom Windows 10 account picture]

However, this will only work if users in your domain have local administrative privileges assigned. If not, there is one more thing you need to do. And it also involves GPO.

Adding registry key permissions in GPO

Remember the registry key mentioned before? The key MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users is where the information about the account picture is stored. Users cannot change their account pictures unless they are granted Full Control permission to that key. This can also be done via GPO. You can even use the same one you’ve created to run the logoff script.

Back in the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings, right-click the Registry node and select Add Key.

[Image: Configure a registry key using GPO]

Navigate to MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users (or just copy this key and paste it under the Selected key field) and click OK.

[Image: Selecting specific registry key]

Select Users under Group or user names and tick the Allow checkbox next to Full Control.

[Image: Granting Full Control permissions to a registry key]

Once you click OK, another window will open. Select the Replace existing permissions on all subkeys with inheritable permissions option, and click OK.

[Image: Configuring additional permission options]
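To confirm on a workstation what the logoff script and the registry-permission policy produced, the key and its per-SID subkeys can be inspected directly. The following is an added example, not code from the original article; the function name Get-AccountPictureState is hypothetical, and the registry and folder paths are the ones used in the script above.

```powershell
# Added example (not from the article): report, on one workstation, who can write
# to the AccountPicture registry keys and whether each Image* value points to a
# file that exists. The function name is hypothetical.
function Get-AccountPictureState {
    param(
        [string]$RegBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users',
        [string]$ImgBase = 'C:\ProgramData\AccountPictures'
    )
    # Specific write rights plus GENERIC_ALL / GENERIC_WRITE, which Get-Acl can
    # return unmapped on inherited registry ACEs.
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

    $keys = @(Get-Item -Path $RegBase) + @(Get-ChildItem -Path $RegBase)
    foreach ($key in $keys) {
        # Principals with an Allow rule that includes any write right on this key
        $writers = (Get-Acl -Path $key.PSPath).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ([int]$_.RegistryRights -band $writeMask) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        # Image32, Image40, ... values written by the logoff script
        $images = foreach ($name in ($key.GetValueNames() -like 'Image*')) {
            $path = [string]$key.GetValue($name)
            [pscustomobject]@{
                Name       = $name
                Path       = $path
                Exists     = Test-Path -LiteralPath $path -PathType Leaf
                InExpected = $path.StartsWith("$ImgBase\$($key.PSChildName)\",
                                              [StringComparison]::OrdinalIgnoreCase)
            }
        }
        [pscustomobject]@{ Key = $key.PSChildName; Writers = $writers; Images = $images }
    }
}

Get-AccountPictureState | Format-List
```

Because the policy grants the Users group Full Control on the parent key and replaces permissions on all subkeys, Writers will list that group on every account's SID subkey, not only on the subkey of the user who is logged in. InExpected shows whether each stored path still points into that account's own folder under C:\ProgramData\AccountPictures.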

And that’s it. But there is one more thing CodeTwo Active Directory Photos can do for you. Once you have deployed the logoff script, it will be executed every time a user logs off (until you delete this GPO). Thanks to that, you can use this free tool to quickly change user photos in the Active Directory, and the account pictures will also change automatically.

[Image: Changing user photos in CodeTwo Active Directory Photos]

You can use this feature to, for example, change user photos for the upcoming holiday season or any important events affecting your company.

To sum up, using Active Directory user photos to personalize profile pictures in Windows 10 is quite an easy task that won’t take long to complete. Plus, as mentioned at the beginning of this article, these photos will also be used in programs like Skype or Outlook. Use this opportunity to personalize your email signatures as well!

Further reading

How to add, edit, manage or remove Active Directory photographs

How to manage users’ photos in Microsoft Lync, Outlook and Exchange Server

8 thoughts on “How to use Active Directory user photos in Windows 10”


  1. I wanted to let those know that it seems something has changed in the formulation to the PS commands. Not sure how Microsoft broke the previous command, since it was in place and working for months, but I have found that this command string has resolved the Access Is Denied issues I was seeing:

    %windir%\System32\WindowsPowerShell\v1.0\powershell.exe -Noninteractive -ExecutionPolicy Bypass -Noprofile -windowstyle hidden -command "&{. \\%logonserver%\netlogon\ADPhoto\Set-ADPicture.ps1}"

  2. Hi,
    I’ve got a Windows 10 Client and a 2016 DC.
    The powershell script is located in %logonserver%\netlogon
    If I call it by hand, it works fine.
    Afterwards in the registry I delete the subkey under “Users” and the folder “accountpictures” from c:\programdata.
    All other GPOs are running fine.
    In the eventviewer I only get an event ID 1130 Grouppolicy.
    I also tried the other two policy settings you described:
    ” User Config->Policies->Admin Templates->System->Scripts and enable the Display instructions in logoff scripts as they run option and disable the Run Windows PowerShell scripts first at user logon, logoff”
    Do you have any more hints?
    Thanks in advance!

  3. Hello, I have followed the instructions and the profile picture shows up in the settings and the Start Menu but not during login. I am on Windows 10 1803. I would also like to state that the 8 pictures that the script made are all the same original size just different names.

  4. Good Morning Adam,

    Hope you’re still monitoring this. Anyway, I thought I’ve done a good job of following your directions but I cannot get the script to execute at logoff. If I logon to a machine and run the script from its location on the DC it works as expected. However, launching as part of the logoff process fails. I’ve turned on Notifications in the GPO so when I logoff I see the Powershell window come up, the dreaded red error code and the machine immediately completes the logoff process. I tried putting a Pause at the end of the script but I suppose the logoff process is too far in to stop. If I look in the Event Log after I see the very generic Logoff Script failed to execute. If you can think of anything else I could try I would appreciate it.

    Thanks!

    • Hello Don,
      Sometimes there is a problem with logoff scripts in Windows 10. One of the ways to fix it is to go to their settings: User Config->Policies->Admin Templates->System->Scripts and enable the Display instructions in logoff scripts as they run option and disable the Run Windows PowerShell scripts first at user logon, logoff. If it still does not work, it would be very helpful to know what the red error code of the failed script says.

  5. Hi, I’ve created the GPO following everything named here (I’ve even used the same name for the script and things like that) in order to test it before implementing in my production infrastructure. The problem here is: My AD got the GPO running and working fine. However, none of the testing stations (using Win10 Pro) got the GPO running, even trying using gpupdate. Can you give any tips?

  6. Hi, I have created the GPO policy to modify the permissions in registry values, but the policy doesn’t apply because (it is written) the privileges are not enough. Is there a solution to this issue? I use Windows 10 clients and Windows 2016 as a server, with the last security fix. Thank you!

    • Hello Christian,
      Please tell me which GPO settings weren’t applied – the one that should change users’ permissions in registry or the one with the script? I set up the same environment (Windows Server 2016 + Win 10, with all the recent updates installed) just to be sure everything works. And it does, at least for me. Please verify those two things:
      1) Check if the permissions were changed for all users. Open the Registry Editor and navigate to the key in question (MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users), right-click Users, and select Permissions. Check if “Users (YourDomain\Users)” is shown in the upper pane, and when you click it – if the “Full Control” box is checked.
      2) Check if the script itself works. Simply navigate to the folder specified in the script (by default it was C:\ProgramData\AccountPictures) and see if there are any folders there (GUIDs with image files inside).

      Also make sure that you’ve linked GPO to the correct Domain in the Group Policy Management console and that the script file is placed in the specified network location.

      Please let me know if the problem still persists, or if these tips helped you. One thing I’ve noticed this time is that the changes didn’t work the first time I signed out using a non-admin account, but after the second logoff. Changes to registry took even longer. Give Windows some time to propagate any necessary changes.
