Lets talk about how we can get a picture in user's My Site to be synchronized with Active Directory (AD) and hence other applications like Outlook or Lync (formally office communicator) can utilize it.
So lets get started with assuming -
I hope this helps you to increase personalization in your organization.
Excellent article! Just amazing Thx for sharing..
Is the actual photo binary then stored in AD, or is it just the URL? Also, is there a way to also ensure that an existing photo in AD is "imported" into the SharePoint profile?
@John: Actual photo BLOB is stored in AD object thumbnailPhoto and not the URL.
At a time it can be either EXPORT direction or IMPORT but not both at the same time. If currently picture is stored in AD thumbnailPhoto attribute as a BLOB then you can do first sync in IMPORT direction and see if pictures can be populated in SharePoint. Now you can change the direction to EXPORT so that going forward SharePoint is in control for writing to thumbnailPhoto attribute. You must also ensure that thumbnailPhoto attribute is not changed by other means after you set it to EXPORT else it may lead to some issues.
thanks for the response... can you expand on some of the possible "issues" that may occur when there are multiple vectors that can populate the thumbnailPhoto attribute?
@John: I remember an issue I worked with in which the picture kept getting reverted back or removed. I think it was related to this however its long time now... I would suggest you setup a test environment and test this concept to understand the impact...
I am following the steps in this article, but the photos are not exporting to AD. I'm assuming it's a permission issue for the service account running the User Profile Service. Did anyone have to set explicit permissions on the UPS service account for this export of photos to work?
@ThumbnailPhoto not updating: Yes, the account needs "Replicate Directory Changes" permission on domain. Its described at the start of this article.
Thanks for this post. I was wondering one thing, which of the three user photo thumbnails gets exported from SharePoint to AD? As you probably know, SharePoint creates 3 photo thumbnails when a photo is uploaded to the SharePoint photo store.
@TRB4: Its the large photo (Domain_UserID_LThumb.jpg) which is used by FIM to be converted to BLOB and sent to AD.
Thanks Nishant, do you know if it's possible to control which of the photos that SharePoint exports to AD? L, M, or S?
@TRB4: Not that I am aware of. However, how does it matter? All 3 are copies of the exact same photo and it gets converted to BLOB before getting transferred to and stored in AD.
Ok, thanks Nishant, I guess I'm not well-versed on the the BLOB conversion process, I was mainly concerned with our AD growing too large and thought by importing the Medium photos into AD we could save some space.
We have a scenario where some user profile photos aren't syncing back to AD. We had a period where the sync was disabled, so my theory is that, users who uploaded a photo while it was disabled, wouldn't sync back to AD after we got sync working again.
The reason I'm guessing is because the delta isn't registered in the profile property. If i have the user update the photo now, then it does sync back without issue.
Two quick questions:
1. Does this behavior make sense?
2. Is there a way to force SharePoint to sync back to AD, instead of looking for a change? Maybe via a powershell script? Basically we have some accounts where thumbnailPhoto is empty in AD, but it's setup in SharePoint, however it won't sync back.
@TRB4: I tested this with 2 users, I uploaded 5 KB display pic in MySite for User1 and 4 MB display pic in MySite for User2. When I downloaded the Medium Thumbnail photo for both users (_MThumb_jpg) they were 2.39 KB (82x96) for User1 and 2.38 KB (96x72) for User2. So, SharePoint takes care of resizing and hence you need not worry about growing AD store large due to this.
thumbnailPhoto attribute in AD schema can support upto 102400 bytes (100 KB).
@Shereen: Can you let me know how details about the sync was disabled?