In GAL Photos in Exchange 2010 and Outlook 2010, I posted about the new GAL Photos feature in Exchange 2010 and Outlook 2010. Since then, there have been many implementation-related questions internally from the field, in various forums and from customers. Here are answers to some FAQs.
Q. Do I need Exchange 2010 to display GAL Photos?
A. As noted in the post, Active Directory has the thumbnailPhoto attribute. Outlook 2010 has the client-side feature to display the photo. Exchange 2010 provides the Import-RecipientDataProperty cmdlet to easily import the photo (yes, a GUI would've been nice - we hear ya!), and Exchange 2010's Offline Address Book (OAB) has the ability to include the necessary pointers to Active Directory to allow Outlook 2010 clients in Cached Exchange Mode to display the photo — the client still needs to be able to communicate with Active Directory to download the photo. You can make it work for Outlook 2010 clients without using Exchange 2010, but Cached Mode support is an Exchange 2010 + Outlook 2010 feature.
If you can write the code/script to upload the photo blob to Active Directory (or find the script/code on the web), you can make it work with a previous version of Exchange.
We recommend you treat all scripts/code downloaded from the web as untrusted code and test it thoroughly in a non-production environment.
Q. What are Active Directory requirements? Do I need Windows 2008 R2?
A. Windows 2008 R2 is not required. In fact, the thumbnailPhoto attribute has been around since Windows 2000.
- However, the mAPIID attribute should have the value 35998. This happens when domain controllers are running Windows 2008 or later, or if your Active Directory schema has been updated to Windows 2008. If not, you can run adprep /forestprep from Windows 2008 to update the schema. For details, check out Running ADPrep and Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2. In an environment with multiple forests, you must update each forest that has users or Exchange servers.
- You must set the thumbnailPhoto attribute to replicate to the Global Catalog, as shown in the original post, although it'll work without this modification in single domain environments.
Note: Exchange 2010 SP1 setup / SchemaPrep modifies the thumbnailPhoto attribute so it's replicated to the Global Catalog.
Q. What are the Exchange permissions required to run the Import-RecipientDataProperty cmdlet to import photos into Active Directory?
A. Exchange 2010 uses the new Role-Based Access Control (RBAC) permissions model. There are two ways to discover permissions: 1) Go directly to topics under Feature Permissions in Exchange 2010 documentation and look for the task you want to accomplish. 2) A simpler way is to refer to the cmdlet help, which has the link to the exact feature permissions page and entry (in the Detailed Description section of each cmdlet help doc). For the Import-RecipientDataProperty cmdlet, refer to the Recipient data properties entry on the Mailbox Permissions page. This reveals that a user must be a member of either the Organization Management or Recipient Management role groups to be able to run this cmdlet. If you want to get more granular and find out specifically which management role can run the Import-RecipientDataProperty cmdlet, use the following command:
Get-ManagementRole -cmdlet Import-RecipientDataProperty
This reveals that you need the Migration management role to be able to run this cmdlet.
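To see which accounts actually hold that right, the role lookup above can be expanded into effective users. This is an added example, not from the original post; it assumes it is run in the Exchange Management Shell by an account that can read role assignments.

```powershell
# Added example: list every account that can effectively run
# Import-RecipientDataProperty, and through which role assignment.
Get-ManagementRole -Cmdlet Import-RecipientDataProperty |
    ForEach-Object {
        # -GetEffectiveUsers expands role groups and nested groups into users.
        Get-ManagementRoleAssignment -Role $_.Name -GetEffectiveUsers
    } |
    Where-Object {
        # Keep enabled assignments that grant use of the role; delegating
        # assignments only allow assigning the role to someone else.
        $_.Enabled -and $_.RoleAssignmentDelegationType -eq 'Regular'
    } |
    Select-Object EffectiveUserName, Role, RoleAssigneeName, RoleAssigneeType |
    Sort-Object EffectiveUserName, Role |
    Format-Table -AutoSize
```

Any account in the output can write photo data to other users' thumbnailPhoto attribute, so the list is worth reviewing against who is meant to manage photos.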
Q. What's the size limit for the thumbnail photo?
A. The thumbnailPhoto attribute itself supports photos of up to 100K, but the Import-RecipientDataProperty cmdlet in Exchange 2010 allows you to import only 10K or smaller files.
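A pre-import check for the limit described above, as an added example that is not from the original post: it rejects files over the cmdlet's 10K limit, or without a JPEG signature, before anything is written to Active Directory. The function name Test-GalPhoto, the reading of "10K" as 10240 bytes, the JPEG-only policy, the sample bytes and the placeholder path and identity are assumptions made for illustration.

```powershell
# Added example: validate photo bytes before importing them into thumbnailPhoto.
# Assumptions: "10K" is read as 10240 bytes; only JPEG input is accepted.
function Test-GalPhoto {
    param([byte[]]$Bytes, [int]$MaxBytes = 10240)

    $reasons = @()
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) {
        $reasons += 'empty file'
    } else {
        $n = $Bytes.Length
        if ($n -gt $MaxBytes) {
            $reasons += "size $n exceeds $MaxBytes bytes"
        }
        # A JPEG stream starts with FF D8 FF and ends with FF D9. Requiring
        # the trailer also rejects files with data appended after the image.
        $hasHeader  = $n -ge 4 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xD8 -and $Bytes[2] -eq 0xFF
        $hasTrailer = $n -ge 4 -and $Bytes[$n - 2] -eq 0xFF -and $Bytes[$n - 1] -eq 0xD9
        if (-not ($hasHeader -and $hasTrailer)) {
            $reasons += 'JPEG signature check failed'
        }
    }
    New-Object PSObject -Property @{
        Valid   = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed samples: a JPEG-shaped buffer, an oversized one, and a
# buffer that starts with an executable (MZ) header instead of a JPEG one.
$ok       = [byte[]](0xFF,0xD8,0xFF,0xE0) + (New-Object byte[] 2000)  + [byte[]](0xFF,0xD9)
$tooLarge = [byte[]](0xFF,0xD8,0xFF,0xE0) + (New-Object byte[] 20000) + [byte[]](0xFF,0xD9)
$notJpeg  = [byte[]](0x4D,0x5A,0x90,0x00) + (New-Object byte[] 100)

foreach ($name in 'ok', 'tooLarge', 'notJpeg') {
    $r = Test-GalPhoto (Get-Variable $name -ValueOnly)
    "{0}: Valid={1} {2}" -f $name, $r.Valid, $r.Reasons
}

# In the Exchange Management Shell, import only files that pass
# (path and identity below are placeholders):
# $bytes = [byte[]](Get-Content -Path 'C:\photos\user.jpg' -Encoding Byte -ReadCount 0)
# if ((Test-GalPhoto $bytes).Valid) {
#     Import-RecipientDataProperty -Identity 'user' -Picture -FileData $bytes
# }
```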
Q. Is the thumbnail saved in my OAB?
A. No, by default it isn't. As noted in the original post, the Exchange 2010 OAB simply includes a pointer that the data exists in AD. You can modify it to include the photo blob in the OAB. We recommend testing it in a non-production environment to determine, depending on the number of users in your organization, whether you can support the resulting OAB size.
Q. How can I add the thumbnail to my OAB?
A. Remove the thumbnailPhoto attribute as an Indicator attribute from the OAB using the following code (also provided in the original post):
$attributes = (Get-OfflineAddressBook "Default Offline Address Book").ConfiguredAttributes
$attributes.Remove("thumbnailphoto,Indicator")
Set-OfflineAddressBook "Default Offline Address Book" -ConfiguredAttributes $attributes
Add the attribute as a Value attribute:
$attributes.Add("thumbnailphoto,Value")
Set-OfflineAddressBook "Default Offline Address Book" -ConfiguredAttributes $attributes
Remember to update the OAB once you're done uploading photos. This command updates the default OAB:
Update-OfflineAddressBook "Default Offline Address Book"
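Because switching to a Value attribute copies every photo blob into the OAB that each Cached Mode client downloads, it helps to confirm how each OAB is currently configured. The following is an added example, not from the original post; the function name Get-PhotoMode and the sample attribute lists are constructed, and it assumes each ConfiguredAttributes entry converts to a "name,type" string, the form the commands above pass to Remove and Add.

```powershell
# Added example: report whether an OAB carries thumbnailPhoto as a pointer
# (Indicator), as the photo data itself (Value), or not at all.
function Get-PhotoMode {
    param([string[]]$ConfiguredAttributes)

    # Normalize "ThumbnailPhoto, Value" and "thumbnailphoto,Value" to one form.
    $norm = $ConfiguredAttributes | ForEach-Object { ($_ -replace '\s', '').ToLower() }

    if ($norm -contains 'thumbnailphoto,value')     { return 'Value' }
    if ($norm -contains 'thumbnailphoto,indicator') { return 'Indicator' }
    return 'NotConfigured'
}

# Constructed sample attribute lists.
$default  = @('OfficeLocation, ANR', 'ThumbnailPhoto, Indicator')
$modified = @('OfficeLocation, ANR', 'thumbnailphoto,Value')
$stripped = @('OfficeLocation, ANR')

"default:  " + (Get-PhotoMode $default)
"modified: " + (Get-PhotoMode $modified)
"stripped: " + (Get-PhotoMode $stripped)

# Against a live organization (Exchange Management Shell):
# Get-OfflineAddressBook | ForEach-Object {
#     New-Object PSObject -Property @{
#         Name  = $_.Name
#         Photo = (Get-PhotoMode ($_.ConfiguredAttributes | ForEach-Object { "$_" }))
#     }
# }
```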
Q. Does Outlook 2010 cache the photos?
A. Outlook 2010 caches the photos for the session so it doesn't pull the data from Active Directory again during that session. If Outlook 2010 doesn't have Active Directory connectivity, and the thumbnailPhoto attribute isn't included as a Value attribute in the Offline Address Book, it won't display the thumbnail.
Q. Can Outlook 2007 display GAL photos?
A. No, Outlook 2007 displays photos for Contacts if the user has saved them. This is a client-side feature and no data is uploaded to Active Directory. For details, see Add, change, or remove a photo for a contact.
Q. When users send an email to external recipients, are photos sent outside my organization?
A. No, the thumbnail photos are not sent with email. As indicated above, Outlook 2010 clients in your organization fetch the data from Active Directory (or the Offline Address Book, if you've modified the ConfiguredAttributes parameter for the OAB to include it as a value attribute). If your Active Directory is accessible to anonymous users from outside the organization, meet me at camera 2! :)
Q. How can I disable GAL Photos in Outlook?
A. If you don't upload photos to the thumbnailPhoto attribute in Active Directory, they will not be displayed. If you have applications that must use the thumbnailPhoto attribute, but don't want to have the photos displayed in Outlook 2010, you can disable them for Outlook by using the DoNotDisplayPhotograph registry value or the Do not display contact photo group policy setting. The setting is available via the OutlookSocialConnector.adm administrative template. For details and a download link, see How to manage the Outlook Social Connector by using Group Policy.
Q. Are any GUI tools available to upload thumbnail photos to Active Directory?
A. There are no GUI tools within Exchange 2010. However, there are a few third-party GUI utilities that allow you to upload photos easily. I think the Import-RecipientDataProperty cmdlet is quite easy and great for automation if you need to import more than a handful of photos!
Q. How can I remove a user's photo from Active Directory?
A. The Import-RecipientDataProperty and Export-RecipientDataProperty cmdlets allow you to import and export the photo blob to and from the thumbnailPhoto attribute, but there's no Remove-RecipientDataProperty cmdlet to remove it. You can use the RemovePicture switch of the Set-Mailbox cmdlet to remove a user's photo. For example:
Set-Mailbox "Bharat Suneja" -RemovePicture
You can also use Active Directory tools such as ADSIEdit to null the thumbnailPhoto attribute.
If you want to disable GAL Photos in Outlook 2010 but want to retain the thumbnail for other applications, you can do so using a client-side registry value or group policy setting, as answered above.
To visit this post again, use the short URL aka.ms/galphotosfaq. To go to the 'GAL Photos in Exchange 2010 and Outlook 2010' post, use aka.ms/galphotos.
You Had Me at EHLO.