1

I am a HelpDesk Support Person. I am using Windows 10, 2004. I PXE Baseline the computers for our company. I am the first person to log into a newly PXE Baselined computer. I use a privileged account. It does NOT have an "OutLook.com" Account attached to it. It does NOT have a "Microsoft.com" account attached to it. It does NOT have a "Teams" Account attached to it. It is strictly for Building / Baselining computers. It DOES exist in "AD", it DOES exist in "SCCM". Yes, I can locally and remotely log into any / all computers on our network with this account.

Yes, I have "Manually" added a Picture into AD, it does NOT propagate. I don't understand why not. After adding picture into AD, is there something else that needs to be done to get it to propagate??

I can "Manually" create an account Picture on a specific computer I'm logged into, by using the "Manual Point and Click" steps available online. That works fine for "One" computer, but does NOT propagate automagically to any other computers I log into later on. I do NOT wish to "Manually" add pictures onto every computer I build. I'm looking for a way to "Automate" this in Windows 10, hence, the request for a Powershell script. Years ago at a different company, I had found a way in Windows 7 to easily script this. I cannot find that information, and have heard the script does NOT work for Windows 10 (MS, Don't break what works).

I have searched for weeks and have only found "how to delete default user picture, how to add default user picture", but nothing on how to script or set up your own picture to propagate, without requiring "OutLook.com" or "Microsoft.com" accounts. As mentioned, this is an AdMin Account, not a User Account. It IS in AD and SCCM, but not Outlook, nor Teams, nor Microsoft.com.
Suggestions ??

Chris Markis

1 Answer

2

There are 2 parts to be done to set account picture: in AD and locally.

Set the picture in AD

The right way to do this is to locate a folder with user pictures on AD Domain controller:

There is a simple Set-ADUser cmdlet that can be used to import user photos to Active Directory. It saves an image file in the thumbnailPhoto Active Directory attribute. Just remember to provide an exact path to the image file and the user’s name, for example:

# Read the photo as a byte array (Windows PowerShell 5.1 syntax) and store it in thumbnailPhoto
$ADphoto = [byte[]](Get-Content C:\AD_Photos\ad-brian-johnson -Encoding byte)
Set-ADUser BrianJ -Replace @{thumbnailPhoto=$ADphoto}

To have this done for multiple users you may rename each photo file as username and create a PowerShell script to iterate that. Since SuperUser is not a script-writing service by its rules I don't provide such.

Local configuration

The second part is to copy the photo locally and configure a registry setting to use it. Pictures are stored locally in hidden folders that correspond to the SID of each user on the PC. You can get the SID from AD or from the current Windows session with PowerShell:

$user_sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

The location of photos is C:\Users\Public\AccountPictures\SID\, where SID is real SID of the user. This folder will contain 7 hidden pictures in jpg format, each corresponding to one of resolutions: 32, 40, 48, 96, 192, 200, 240, 448 px.

So, you need to place photos there with the specific naming convention.

Registry configuration

In Windows 10 you can set the user account profile picture through the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users. However, non-admin users don’t have the necessary permissions to add values to this registry key. To allow users without administrator privileges to change the profile picture, you must grant them write permissions to this registry key.

You can apply the permissions centrally with GPO.

  1. To do this, run the Group Policy Management console (gpmc.msc), create a new policy and link it to the OU with users’ computers;
  2. Then in the GPO editor go to the following section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry and add a new registry key (Add key) with the path MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users;
  3. Then, in the Security tab, check the Full Control permissions for all domain users ([YourDomainName]\Users) and click OK;
  4. In the next window, select the option Replace existing permission on all sub keys with inheritable permissions, otherwise users won’t have any privileges for the nested registry subkeys.

This is how the registry with the keys pointing to photos location should look like (for my user): [Image: Registry keys for photo location]

Bind Photos to a Profile Using script

Now, to propagate these Active Directory photos as Windows 10 account pictures, you can make use of Group Policy logon/logoff scripts (GPO that runs a script at logoff). Another option is to set a scheduled script in Task Manager - this is up to you.

As mentioned, you may set the registry keys and put the photos manually just for test purposes, but for all users this can be done with a PowerShell script that runs at logon or logoff, triggered locally or by GPO.

If you want to have GPO to run the script in the previously created policy in the section User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) create a new PowerShell logon script:

The script name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe

The script parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -File %logonserver%\netlogon\script\SetADPicture.ps1

Accordingly, the script itself must be located on ADC at %logonserver%\netlogon\script.

Note: this is a user policy, while the previous one is computer policy. This one should apply to user objects, while the previous - to computers.

And, finally, the script itself. There are some ready-to-use scripts which are quite big and complicated, so I don't paste them here. But the one which is recommended is located at: http://www.classicshell.net/forum/viewtopic.php?f=12&t=7921

The script basically writes a file for each resolution in C:\Users\Public\AccountPictures and creates the appropriate records in the registry in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users

Hardoman
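
The local half of the procedure described in the answer above, as an added example that is not part of the original answer and is not the script it links to. It is meant to run as the logon script in the user's context; the file names Image<size>.jpg and the registry value names Image<size> are assumptions not stated on the page, and the JPEG check before writing is an addition.

```powershell
# Added example: copy the logged-on user's AD thumbnailPhoto to the local account picture store.
# Assumptions (not from the page): files are named Image<size>.jpg, registry values Image<size>.
$sizes   = 32, 40, 48, 96, 192, 200, 240, 448   # resolutions listed in the answer
$picRoot = 'C:\Users\Public\AccountPictures'
$regRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users'

# SID of the current session, obtained as shown in the answer
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Look up the current user in AD via ADSI, so the client needs no ActiveDirectory module
$searcher = [ADSISearcher]"(&(objectCategory=User)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('thumbnailphoto')
$result = $searcher.FindOne()
if (-not $result -or $result.Properties['thumbnailphoto'].Count -eq 0) {
    Write-Verbose 'No thumbnailPhoto set in AD; nothing to do.'
    return
}
[byte[]]$photo = $result.Properties['thumbnailphoto'][0]

# Accept only data that starts with the JPEG SOI marker (FF D8) before writing it to disk
if ($photo.Length -lt 3 -or $photo[0] -ne 0xFF -or $photo[1] -ne 0xD8) {
    Write-Error 'thumbnailPhoto is not a JPEG image; skipping.'
    return
}

try {
    # Hidden per-user folder named after the SID
    $picDir = Join-Path $picRoot $sid
    if (-not (Test-Path $picDir)) {
        (New-Item -Path $picDir -ItemType Directory -ErrorAction Stop).Attributes = 'Hidden'
    }
    # Per-user registry key; writing here needs the permissions granted by the computer GPO
    $regKey = Join-Path $regRoot $sid
    if (-not (Test-Path $regKey)) { New-Item -Path $regKey -ErrorAction Stop | Out-Null }

    foreach ($size in $sizes) {
        # The same image bytes are written for every size; no resizing is done here
        $file = Join-Path $picDir ("Image{0}.jpg" -f $size)
        [System.IO.File]::WriteAllBytes($file, $photo)
        New-ItemProperty -Path $regKey -Name ("Image{0}" -f $size) -Value $file `
            -PropertyType String -Force -ErrorAction Stop | Out-Null
    }
}
catch {
    Write-Error "Could not write picture files or registry values: $_"
}
```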