My SharePoint World! - Nishant Shah

How-Tos, Thoughts and Experiences with Microsoft SharePoint !

How to sync picture from SharePoint to Active Directory and hence to Outlook and Lync

How to sync picture from SharePoint to Active Directory and hence to Outlook and Lync

  • Comments 31
  • Likes

Lets talk about how we can get a picture in user's My Site to be synchronized with Active Directory (AD) and hence other applications like Outlook or Lync (formally office communicator) can utilize it.

So lets get started with assuming -

  1. "User Profile Synchronization Service" is in "Started" state on appropriate SharePoint server
  2. "Replicate Directory Changes" permission on a domain is present for synchronization account http://technet.microsoft.com/en-us/library/hh296982.aspx#RDCdomain
  3. If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. Ref: http://technet.microsoft.com/en-us/library/ff182925.aspx#permission
  4. You have a functional SharePoint 2010 / SharePoint 2013 environment which is configured to do Profile Synchronization. For more details on this please refer to http://technet.microsoft.com/en-us/library/ff382639.aspx
  • Currently this is how the picture space in Outlook and Lync shows up for our example user Amy Alberts.

 

  

  • Browse to Central Admin > Manage User Properties > Edit the Picture Property

 

 

  • Under Add New Mapping, Choose the Source Data Connection as your AD import connection, attribute as "thumbnailPhoto" and Direction as "Export" and click Add

 

  • By doing this you'd see Property Mapping for Synchronization as below, Click OK now to save this property mapping

 

  • Now in Manage User Properties, Picture attribute would show up as below

 

  

  • Browse to a user's My Site whose picture needs to be updated, click on My Profile > Edit My Profile > Choose Picture > Save and Close

 

  • Browse again to User Profile Service Application > Start Profile Synchronization > Start Incremental Synchronization
  • There are couple of ways you can verify the picture export
    • From SharePoint side
      • Open MIISCLIENT.EXE from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell
      • Look at the latest DS_EXPORT phase and click on "Updates" in Export Statistics, this would open the Object Details window
      • Choose the user for whom the picture was updated and click on Properties
      • You should see a change of type "add" for attribute name "thumbnailPhoto" as below

 

 

      • This indicates SharePoint was successfully able to export the photo
    • From Active Directory side
      • Open the tool ADSIEdit.msc
      • Connect to the correct domain
      • Navigate thru the hierarchy and find the user for whom the picture was updated and open properties  of the user so that it would display the attribute editor
      • By default he value of attribute "thumbnailPhoto" would be <not set> however after the profile synchronization is completed, you would see a binary value in there as visible in screenshot below

 

  • Important:
    • Its not supported/recommended to run any operations or make any changes directly using MIISCLIENT.exe. Please rely on SharePoint UI/OM for all your Profile Sync operations.
    • ADSIEdit.msc is a very powerful tool and can mess around the Active Directory configuration if not carefully used. If you do any changes using this tool, its irreversible so please be careful. In my example, we are using this tool as READ-ONLY just to confirm the changes made.

 

  • After giving a few hours and once the AD replication is complete and once Exchange and Lync have picked up these changes (I didn’t need to do any manual changes on my Exchange Server 2010 or Lync Serve 2010) this is how the picture space in Outlook and Lync shows up for our example user Amy Alberts.

 

 

 

 I hope this helps you to increase personalization in your organization.

Comments
  • Excellent article! Just amazing Thx for sharing..

  • Is the actual photo binary then stored in AD, or is it just the URL?  Also, is there a way to also ensure that an existing photo in AD is "imported" into the SharePoint profile?

  • @John: Actual photo BLOB is stored in AD object thumbnailPhoto and not the URL.

    At a time it can be either EXPORT direction or IMPORT but not both at the same time. If currently picture is stored in AD thumbnailPhoto attribute as a BLOB then you can do first sync in IMPORT direction and see if pictures can be populated in SharePoint. Now you can change the direction to EXPORT so that going forward SharePoint is in control for writing to thumbnailPhoto attribute. You must also ensure that thumbnailPhoto attribute is not changed by other means after you set it to EXPORT else it may lead to some issues.

  • thanks for the response... can you expand on some of the possible "issues" that may occur when there are multiple vectors that can populate the thumbnailPhoto attribute?

  • @John: I remember an issue I worked with in which the picture kept getting reverted back or removed. I think it was related to this however its long time now... I would suggest you setup a test environment and test this concept to understand the impact...

  • I am following the steps in this article, but the photos are not exporting to AD. I'm assuming it's a permission issue for the service account running the User Profile Service. Did anyone have to set explicit permissions on the UPS service account for this export of photos to work?

  • @ThumbnailPhoto not updating: Yes, the account needs "Replicate Directory Changes" permission on domain. Its described at the start of this article.

  • Thanks for this post. I was wondering one thing, which of the three user photo thumbnails gets exported from SharePoint to AD?  As you probably know, SharePoint creates 3 photo thumbnails when a photo is uploaded to the SharePoint photo store.

  • @TRB4: Its the large photo (Domain_UserID_LThumb.jpg) which is used by FIM to be converted to BLOB and sent to AD.

  • Thanks Nishant, do you know if it's possible to control which of the photos that SharePoint exports to AD? L, M, or S?

  • @TRB4: Not that I am aware of. However, how does it matter? All 3 are copies of the exact same photo and it gets converted to BLOB before getting transferred to and stored in AD.

  • Ok, thanks Nishant, I guess I'm not well-versed on the the BLOB conversion process, I was mainly concerned with our AD growing too large and thought by importing the Medium photos into AD we could save some space.

  • Hi Nishant,

    We have a scenario where some user profile photos aren't syncing back to AD. We had a period where the sync was disabled, so my theory is that, users who uploaded a photo while it was disabled, wouldn't sync back to AD after we got sync working again.

    The reason I'm guessing is because the delta isn't registered in the profile property. If i have the user update the photo now, then it does sync back without issue.

    Two quick questions:

    1. Does this behavior make sense?

    2. Is there a way to force SharePoint to sync back to AD, instead of looking for a change? Maybe via a powershell script? Basically we have some accounts where thumbnailPhoto is empty in AD, but it's setup in SharePoint, however it won't sync back.

  • @TRB4: I tested this with 2 users, I uploaded 5 KB display pic in MySite for User1 and 4 MB display pic in MySite for User2. When I downloaded the Medium Thumbnail photo for both users (_MThumb_jpg) they were 2.39 KB (82x96) for User1 and 2.38 KB (96x72) for User2. So, SharePoint takes care of resizing and hence you need not worry about growing AD store large due to this.

    thumbnailPhoto attribute in AD schema can support upto 102400 bytes (100 KB).

  • @Shereen: Can you let me know how details about the sync was disabled?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment