How to sync picture from SharePoint to Active Directory and hence to Outlook and Lync

Let's talk about how a picture in a user's My Site can be synchronized with Active Directory (AD) so that other applications such as Outlook or Lync (formerly Office Communicator) can use it.

Let's get started by assuming the following:

  1. "User Profile Synchronization Service" is in "Started" state on appropriate SharePoint server
  2. "Replicate Directory Changes" permission on the domain is granted to the synchronization account. Ref: https://technet.microsoft.com/en-us/library/hh296982.aspx#RDCdomain
  3. If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. Ref: https://technet.microsoft.com/en-us/library/ff182925.aspx#permission
  4. You have a functional SharePoint 2010 / SharePoint 2013 environment which is configured to do Profile Synchronization. For more details on this please refer to https://technet.microsoft.com/en-us/library/ff382639.aspx
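
The permissions in assumptions 2 and 3 can be confirmed without changing anything in the directory. The following is an added example, not part of the original post; the account name, domain DN and OU DN are placeholders, and only ACEs that name the account directly are evaluated (rights granted through group membership are not resolved).

```powershell
# Added example (not from the original post): read-only audit of the sync account's ACEs.
# $SyncAccount, $DomainDN and $TargetOU are placeholder values; replace with your own.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-spsync'
$DomainDN    = 'DC=contoso,DC=com'
$TargetOU    = 'OU=Staff,DC=contoso,DC=com'

# Control-access right GUID for "Replicating Directory Changes" (DS-Replication-Get-Changes).
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
# Rights the sync account does not need; flagged if present.
$Escalation = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

function Get-AccountAce {
    # Allow ACEs on the object that name the account directly.
    param([string]$DistinguishedName, [string]$Account)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       $_.AccessControlType -eq 'Allow' }
}

function Test-Right {
    # True if an ACE grants $Right for all object types/properties or for $ObjectGuid.
    param($Aces,
          [System.DirectoryServices.ActiveDirectoryRights]$Right,
          [guid]$ObjectGuid = [guid]::Empty)
    [bool]($Aces | Where-Object {
        ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ObjectGuid)
    })
}

$domainAces = @(Get-AccountAce -DistinguishedName $DomainDN -Account $SyncAccount)
$ouAces     = @(Get-AccountAce -DistinguishedName $TargetOU -Account $SyncAccount)

[pscustomobject]@{
    # Assumption 2: Replicate Directory Changes on the domain.
    ReplicateDirectoryChanges = Test-Right $domainAces 'ExtendedRight' $ReplGetChanges
    # Assumption 3: rights on the OU that receives exported values.
    OuCreateChild             = Test-Right $ouAces 'CreateChild'
    OuWriteAllProperties      = Test-Right $ouAces 'WriteProperty'
    OuAppliesToDescendants    = [bool]($ouAces | Where-Object { $_.InheritanceType -eq 'All' })
    # Anything that lets the account change permissions or ownership is more than the post asks for.
    HasAclOrOwnerWrite        = [bool](($domainAces + $ouAces) | Where-Object {
                                    ($_.ActiveDirectoryRights -band $Escalation) -ne 0 })
}
```

A `True` in `HasAclOrOwnerWrite` means the account holds more than the export needs and is worth reviewing.
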
  • Currently this is how the picture space in Outlook and Lync shows up for our example user Amy Alberts.

 

  • Browse to Central Admin > Manage User Properties > Edit the Picture Property

 

 

  • Under Add New Mapping, Choose the Source Data Connection as your AD import connection, attribute as "thumbnailPhoto" and Direction as "Export" and click Add

 

  • By doing this you'd see Property Mapping for Synchronization as below, Click OK now to save this property mapping

 

  • Now in Manage User Properties, Picture attribute would show up as below

 

 

  • Browse to a user's My Site whose picture needs to be updated, click on My Profile > Edit My Profile > Choose Picture > Save and Close

 

  • Browse again to User Profile Service Application > Start Profile Synchronization > Start Incremental Synchronization
  • There are a couple of ways you can verify the picture export
    • From SharePoint side
      • Open MIISCLIENT.EXE from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell
      • Look at the latest DS_EXPORT phase and click on "Updates" in Export Statistics, this would open the Object Details window
      • Choose the user for whom the picture was updated and click on Properties
      • You should see a change of type "add" for attribute name "thumbnailPhoto" as below

 

 

      • This indicates SharePoint was successfully able to export the photo
    • From Active Directory side

      • Open the tool ADSIEdit.msc
      • Connect to the correct domain
      • Navigate through the hierarchy, find the user for whom the picture was updated, and open the user's properties to display the attribute editor
      • By default the value of attribute "thumbnailPhoto" would be <not set>; however, after the profile synchronization is completed, you would see a binary value in there as visible in the screenshot below

 

  • Important:
    • It's not supported/recommended to run any operations or make any changes directly using MIISCLIENT.exe. Please rely on SharePoint UI/OM for all your Profile Sync operations.
    • ADSIEdit.msc is a very powerful tool and can damage the Active Directory configuration if not used carefully. Any changes you make using this tool are irreversible, so please be careful. In my example, we are using this tool as READ-ONLY just to confirm the changes made.

 

  • After giving it a few hours, once the AD replication is complete and Exchange and Lync have picked up these changes (I didn’t need to make any manual changes on my Exchange Server 2010 or Lync Server 2010), this is how the picture space in Outlook and Lync shows up for our example user Amy Alberts.

 

 

 I hope this helps you to increase personalization in your organization.
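
The Active Directory side of the verification above can also be done from PowerShell instead of ADSIEdit.msc, which keeps the check strictly read-only and shows which domain controller originated the last write to the attribute. This is an added example, not part of the original post; `aalberts` is an assumed sAMAccountName for the example user, and 102400 bytes is the thumbnailPhoto limit quoted in the comments below.

```powershell
# Added example (not from the original post): read-only check of the exported photo.
# 'aalberts' is an assumed sAMAccountName for the example user Amy Alberts.
Import-Module ActiveDirectory

function Get-ThumbnailPhotoStatus {
    param([Parameter(Mandatory)][string]$Identity)

    $user  = Get-ADUser -Identity $Identity -Properties thumbnailPhoto
    $bytes = [byte[]]$user.thumbnailPhoto

    # ADSIEdit shows "<not set>" in this case.
    if ($null -eq $bytes -or $bytes.Length -eq 0) {
        return [pscustomobject]@{ User = $user.SamAccountName; IsSet = $false }
    }

    # JPEG files start with the bytes FF D8 FF.
    $isJpeg = $bytes.Length -ge 3 -and
              $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xD8 -and $bytes[2] -eq 0xFF

    # Replication metadata records when the attribute last changed and on which DC
    # the change originated; useful when a photo is unexpectedly overwritten or cleared.
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server (Get-ADDomain).PDCEmulator -Properties thumbnailPhoto

    [pscustomobject]@{
        User             = $user.SamAccountName
        IsSet            = $true
        SizeBytes        = $bytes.Length
        LooksLikeJpeg    = $isJpeg
        WithinAdLimit    = $bytes.Length -le 102400   # limit quoted in the comments
        LastChanged      = $meta.LastOriginatingChangeTime
        OriginatingDC    = $meta.LastOriginatingChangeDirectoryServerIdentity
        AttributeVersion = $meta.Version
    }
}

Get-ThumbnailPhotoStatus -Identity 'aalberts'
```

Running it before and after the incremental synchronization should show `AttributeVersion` increase and `LastChanged` move to the time of the DS_EXPORT run.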

Comments

  • Anonymous
    January 01, 2003
    @TRB4: It's the large photo (Domain_UserID_LThumb.jpg) which is used by FIM to be converted to BLOB and sent to AD.

  • Anonymous
    January 01, 2003
    @John: Actual photo BLOB is stored in AD object thumbnailPhoto and not the URL. At a time it can be either EXPORT direction or IMPORT but not both at the same time. If currently picture is stored in AD thumbnailPhoto attribute as a BLOB then you can do first sync in IMPORT direction and see if pictures can be populated in SharePoint. Now you can change the direction to EXPORT so that going forward SharePoint is in control for writing to thumbnailPhoto attribute. You must also ensure that thumbnailPhoto attribute is not changed by other means after you set it to EXPORT else it may lead to some issues.

  • Anonymous
    January 01, 2003
    @ThumbnailPhoto not updating: Yes, the account needs "Replicate Directory Changes" permission on domain. It's described at the start of this article.

  • Anonymous
    January 01, 2003
    @John: I remember an issue I worked with in which the picture kept getting reverted back or removed. I think it was related to this; however, it's a long time ago now... I would suggest you set up a test environment and test this concept to understand the impact...

  • Anonymous
    January 01, 2003
    Thanks Nishant, do you know if it's possible to control which of the photos that SharePoint exports to AD? L, M, or S?

  • Anonymous
    January 01, 2003
    @m greene: Outlook yes, as it has ability to pull thumbnailPhoto attribute from Active Directory; I am not sure if Jabber has this capability.

  • Anonymous
    January 01, 2003
    @Shereen: Can you let me know how details about the sync was disabled?

  • Anonymous
    January 01, 2003
    Ok, thanks Nishant, I guess I'm not well-versed on the BLOB conversion process, I was mainly concerned with our AD growing too large and thought by importing the Medium photos into AD we could save some space.

  • Anonymous
    January 01, 2003
    I had a working environment where I was importing thumbnail photos from AD into SharePoint 2013. I then deleted the Import mapping and set it up as an Export mapping, but doing so ended up clearing all users' thumbnailphoto attributes in AD.

    Any idea what could have caused this?

  • Anonymous
    January 01, 2003
    Thanks for this post. I was wondering one thing, which of the three user photo thumbnails gets exported from SharePoint to AD?  As you probably know, SharePoint creates 3 photo thumbnails when a photo is uploaded to the SharePoint photo store.

  • Anonymous
    January 01, 2003
    @TRB4: Not that I am aware of. However, how does it matter? All 3 are copies of the exact same photo and it gets converted to BLOB before getting transferred to and stored in AD.

  • Anonymous
    January 01, 2003
    @Ashneel, @ingo: If Domain NETBIOS name is different than the FQDN of the domain then change NetBiosDomainNamesEnabled property of UPA and see if that helps.
    More Info: http://blogs.msdn.com/b/russmax/archive/2010/03/20/sharepoint-2010-provisioning-user-profile-synchronization.aspx

  • Anonymous
    January 01, 2003
    @David: Please post a screenshot from FIM which shows this error

  • Anonymous
    January 01, 2003
    @TRB4: I tested this with 2 users, I uploaded 5 KB display pic in MySite for User1 and 4 MB display pic in MySite for User2. When I downloaded the Medium Thumbnail photo for both users (_MThumb_jpg) they were 2.39 KB (82x96) for User1 and 2.38 KB (96x72) for User2. So, SharePoint takes care of resizing and hence you need not worry about growing AD store large due to this. thumbnailPhoto attribute in AD schema can support up to 102400 bytes (100 KB).

  • Anonymous
    January 01, 2003
    @Bostjan: Yes, it is possible to IMPORT picture if already stored in AD to SharePoint 2013 profile store. I don't believe you need Exchange if you have other means to populate thumbnailPhoto attribute in AD which can be utilized by SharePoint. @Rob in LA: If you update a photo in mysite and if that photo gets updated in Lync after running SharePoint profile import then SharePoint Profile import part is working just fine and further investigation may be needed on Exchange / Outlook side.

  • Anonymous
    January 01, 2003
    @Ryan Fielding: Yes, I do believe DirSync includes the thumbnailPhoto attribute when syncing On-Premise users to Office 365 however I haven't tested this yet. @Jari: Thanks for asking this question. Will update this in my blog too... Excerpt from technet.microsoft.com/.../ff182925(v=office.14).aspx •If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with

  • Anonymous
    January 01, 2003
    @Matt: I could use some clarity here if this answer is not relevant... When you say "we have large thumbnails which can be from 5k up to 50k in file size" - When a user uploads an image to SharePoint My Profile; SharePoint creates 3 sized thumbnails (small, medium and large) and if the property mapping between Picture and thumbnailPhoto AD attribute is done in Export direction, SharePoint by default uses large size thumbnail (*_LThumb.jpg) which in my earlier test hasn't exceeded 5 kb file size. You could browse to Images at My Site host and look at file size for all *_LThumb.jpg and check. **corrected **

  • Anonymous
    January 01, 2003
    @Pierre: If you update photos directly in AD while SharePoint Picture property mapping with thumbnailPhoto attribute is set to "Export" direction, it is expected that photos in AD will be overwritten.
    However, if it's confirmed that photo updated in AD is not the photo in Profile Store for that particular user (hence a "ghost" photo); that's weird. I would run a NetMon on server running User Profile Sync Service (where FIM is running) and point mysite to a specific WFE using HOSTS file and capture traffic (between that specific WFE and server where FIM is running) while Profile Import is going and see if I can find out from which URL that "ghost" photo is coming from.

  • Anonymous
    January 01, 2003
    @Josef: What is the direction of SharePoint Picture property mapping with thumbnailPhoto attribute in your case?

  • Anonymous
    January 01, 2003
    Excellent article! Just amazing Thx for sharing..

  • Anonymous
    January 01, 2003
    Is it possible to do this from SP Online (Wave 15) -> AD?

  • Anonymous
    March 13, 2012
    Is the actual photo binary then stored in AD, or is it just the URL?  Also, is there a way to also ensure that an existing photo in AD is "imported" into the SharePoint profile?

  • Anonymous
    March 13, 2012
    thanks for the response... can you expand on some of the possible "issues" that may occur when there are multiple vectors that can populate the thumbnailPhoto attribute?

  • Anonymous
    November 26, 2012
    Hi Nishant, We have a scenario where some user profile photos aren't syncing back to AD. We had a period where the sync was disabled, so my theory is that, users who uploaded a photo while it was disabled, wouldn't sync back to AD after we got sync working again. The reason I'm guessing is because the delta isn't registered in the profile property. If i have the user update the photo now, then it does sync back without issue. Two quick questions:

  1. Does this behavior make sense?
  2. Is there a way to force SharePoint to sync back to AD, instead of looking for a change? Maybe via a powershell script? Basically we have some accounts where thumbnailPhoto is empty in AD, but it's setup in SharePoint, however it won't sync back.
  • Anonymous
    January 15, 2013
    @Nishant We use My Site as the place to upload profile pictures and now we are investigating how to set up an AD synchronization in order to populate AD with those pictures. Regarding TRB4's question about image sizes: What you (Nishant) describe is the file size of the medium size thumbnail, but that's not very interesting when it comes to AD replication since it's the large thumbnail which will get replicated. From our perspective we have large thumbnails which can be from 5k up to 50k in file size and that will except for putting a lot of stress on the AD also make a lot of pictures unusable in Lync (default 30 kb limit) and Exchange (10 kb limit). Is there any way of restricting the file size of the thumbnails in MySite to never exceed, for example,  10kb?

  • Anonymous
    February 11, 2013
    Is it possible to IMPORT thumbnail picture from AD to Sharepoint2013 users profile? Somewhere on the internet I have found out that you need to have EXCHANGE2013 for that (we use EXCHANGE2010), but I'm not quite sure what Exchange has got to do with an AD? social.technet.microsoft.com/.../4acf8501-db0c-4fa6-b79d-239401ded789

  • Anonymous
    April 24, 2013
    How about pushing from AD to MySite?  We have photos in MySite and Lync, but not in Outlook which calls from AD.

  • Anonymous
    June 06, 2013
    Will the replicating Directory changes really give the user profile sync account rights to modify attributes in AD ? I thought that this just gives rights to read AD replication information to know when some object is changed in AD. I think that you should still give rights to write thumbnailphoto attribute.

  • Anonymous
    October 30, 2013
    Hi Nishant, Thanks for this wonderful blog. I have an issue with user profile photo synchronization with AD. In Ds_export I can see an error for a few users (below is the error):

    <error-type>constraint-violation</error-type>
    <cd-error>  <error-code>8322</error-code>  <error-literal>A value for the attribute was not in the acceptable range of values.</error-literal>

    For many users photos are getting successfully synced with AD. Your help will really be appreciated
  • Anonymous
    January 16, 2014
    Not working here, when i dig into FIM I see that PictureURL (string) is not compatible with type of SPS_OctetString_PictureURL (binary) (
  • Anonymous
    March 03, 2014
    Hi Nishant,
    Thanks for the post. We set up sync from SharePoint to AD. People are able to update their photo through their My Site profile, and SharePoint syncs with AD once a day during the night. In most cases it works. But for some people sync doesn't occur. So I manually updated their photo in the AD with the photo from their profile. But believe me or not, after some time their old photo appears again in AD, instead of the one I uploaded. How is it possible, since their 3 profile pictures (L, M and S) in the My Site Image library are the new one? It looks like during the sync the old picture is used. Any idea where these "ghost" photos could be stored?
    Kind regards,
    Pierre
  • Anonymous
    March 12, 2014
    Hi all,
    I have similar problem with sync photo like Pierre. All works but if I change photo on sharepoint the old one is still replicate to active directory. I tried delete attribute in AD, run sync and checked miis - attribute is updated but with old value. I found that problem is in the "SharePoint’s hidden user-list", the photo is not updated there... Is any way how to update this list or delete specific user in the list (I guess that user will be recreated after log to sharepoint again)
    Regards,
    Josef
  • Anonymous
    July 31, 2014
    Hi Nishant, thanks for answering all the questions.
    i have an issue when i export my thumbnailphoto to AD from SP 13. when i look at FIM logs, i notice that its mapping my account incorrectly and thus throwing an error that user does not exist or is not unique.
    it is actually looking at my account as such NetbiosDomainNameUserName and trying to Map the first name off my FQDNUsername. so if my FQDN is test.co.nz and netbios name is testDomain, i normally login as testDomainUsername. in this case its mapping TestDomainUsername against testUsername and throwing errors.
    when i do get into Preview on Connector Space Object Properties under FIM and generate a Preview of Full SYNC i see the attributes that should be updated but Final Change says (Unchanged), i guess this is because of the error against user mapping.
  • Anonymous
    November 17, 2014
    Hi Nishant,
    we have the same issue as Ashneel (wrong mapping...).
    Have you any solution for that?
    thx.
  • Anonymous
    December 03, 2014
    Can this be done with Outlook and Jabber?
  • Anonymous
    February 12, 2015
    I am able to upload the photos on AD successfully using Exclaimer Software. it shows value in thumbnail attribute. But next day it disappear from Thumbnail attribute and does not display on Outlook.

    We have exchange 2010 and 3 DCs 2012 but schema level is 2003.
    Replication across all DCs is running ok and all 3 are GC.
    Any suggestion.
  • Anonymous
    June 04, 2015
    @Yogesh: If the thumbnailphoto attribute is successfully populated and later goes blank, it could be either an AD replication issue or it's being overwritten somehow. While it could be "heavy" you could look at AD auditing options https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
  • Anonymous
    July 14, 2015
    hi, i m trying to do the same, but for my Add mapping, the source are empty and does not allow me to type anything. please help
  • Anonymous
    July 14, 2015
    @Ramit: Under Add New Mapping are you able to choose the Source Data Connection as your AD import connection? If yes then you should be able to select attribute as "thumbnailPhoto" else ensure your AD import connection is configured correctly.
  • Anonymous
    November 03, 2015
    You must run the following script in order to populate user profile db with picture Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos 1 -MySiteHostLocation %MySiteURL%
  • Anonymous
    November 03, 2015
    @Jamie: You don't need to unless you are migrating from 2007 (to make the SharePoint profile photo store compatible with SharePoint Server 2013) or you are importing User Photos from Active Directory into SharePoint 2013 (the other way around from what this blog describes)
    • Anonymous
      January 19, 2016
      I am needing to sync pictures from AD to SharePoint Online. The sync works for Lync and OWA but will not show their image in SharePoint/MySites. Any help? Thanks
  • Anonymous
    April 12, 2016
    Good write-up! As per the below article Sync Account needs local admin rights on the server running the UPS service. Can anyone confirm this please? https://support.microsoft.com/en-us/kb/2784927 Thanks!