In GAL Photos in Exchange 2010 and Outlook 2010, I posted about the new GAL Photos feature in Exchange 2010 and Outlook 2010. Since then, there have been many implementation-related questions internally from the field, in various froums and from customers. Here are answers to some FAQs.

Screenshot: GAL photo displayed in a recipient's property pages in Outlook 2010
Figure 1: Thumbnail displayed in a recipient's property pages in the GAL

Q. Do I need Exchange 2010 to display GAL Photos?
A. As noted in the post, Active Directory has the thumbnailPhoto attribute. Outlook 2010 has the client-side feature to display the photo. Exchange 2010 provides the Import-RecipientDataProperty cmdlet to easily import the photo (yes, a GUI would've been nice - we hear ya!), and Exchange 2010's Offline Address Book (OAB) has the ability to include the necessary pointers to Active Directory to allow Outlook 2010 clients in Cached Exchange Mode to display the photo — the client still needs to be able to communicate with Active Directory to download the photo. You can make it work for Outlook 2010 clients without using Exchange 2010, but Cached Mode support is an Exchange 2010 + Outlook 2010 feature.

If you can write the code/script to upload the photo blob to Active Directory (or find the script/code on the web), you can make it work with a previous version of Exchange.

We recommend you treat all scripts/code downloaded from the web as untrusted code and test it thoroughly in a non-production environment.

Q. What are Active Directory requirements? Do I need Windows 2008 R2?
A. Windows 2008 R2 is not required. In fact, the thumbnailPhoto attribute has been around since Windows 2000.
- However, the mAPIID attribute should have the value 35998. This happens when domain controllers are running Windows 2008 or later, or if your Active Directory schema has been updated to Windows 2008. If not, you can run adprep /forestprep from Windows 2008 to update the schema. For details, check out Running ADPrep and Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Window.... In an environment with mutliple forests, you must update each forest that has users or Exchange servers.
- You must set the thumbnailPhoto attribute to replicate to the Global Catalog, as shown in the original post, although it'll work without this modification in single domain environments.

Note: Exchange 2010 SP1 setup / SchemaPrep modifies the thumbnailPhoto attribute so it's replicated to the Global Catalog.

Q. What are the Exchange permissions required to run the Import-RecipientDataProperty cmdlet to import photos into Active Directory?
A. Exchange 2010 uses the new Role-Based Access Control (RBAC) permissions model. There are two ways to discover permissions: 1) Go directly to topics under Feature Permissions in Exchange 2010 documentation and look for the task you want to accomplish. 2) A simpler way is to refer to the cmdlet help, which has the link to the exact feature permissions page and entry (in the Detailed Description section of each cmdlet help doc). For the Import-RecipientDataProperty cmdlet, refer to the Recipient data properties entry on the Mailbox Permissions page. This reveals that a user must be member of either the Organization Management or Recipient Management role groups to be able to run this cmdlet. 3) If you want to get more granular and find out specifically which management role can run the Import-RecipientDataProperty cmdlet, use the following command:

Get-ManagementRole -cmdlet Import-RecipientDataProperty

This reveals that you need the Migration management role to be able to run this cmdlet.

Q. What's the size limit for the thumbnail photo?
A. The thumbnailPhoto attribute itself supports photos of up to 100K, but the Import-RecipientDataProperty cmdlet in Exchange 2010 allows you to import only 10K or smaller files.

Q. Is the thumbnail saved in my OAB?
A. No, by default it isn't. As noted in the original post, the Exchange 2010 OAB simply includes a pointer that the data exists in AD. You can modify it to include the photo blob in the OAB. We recommend testing it in a non-production environment to determine, depending on the number of users in your organization, whether you can support the resulting OAB size.

Q. How can I add the thumbnail to my OAB?
A. Remove the thumbnailPhoto attribute as an Indicator attribute from the OAB using the following code (also provided in the original post):

$attributes = (Get-OfflineAddressBook "Default Offline Address Book").ConfiguredAttributes
Set-OfflineAddressBook "Default Offline Address Book" -ConfiguredAttributes $attributes

Add the attribute as a Value attribute:

Set-OfflineAddressBook "Default Offline Address Book" -ConfiguredAttributes $attributes

Remember to update the OAB once you're done uploading photos. This command updates the default OAB:

Update-OfflineAddressBook "Default Offline Address Book"

Q. Does Outlook 2010 cache the photos?
A. Outlook 2010 caches the photos for the session so it doesn't pull the data from Active Directory again during that session. If Outlook 2010 doesn't have Active Directory connectivity, and the thumbnailPhoto attribute isn't included as a Value attribute in the Offline Address Book, it won't display the thumbnail.

Q. Can Outlook 2007 display GAL photos?
A. No, Outlook 2007 displays photos for Contacts if the user has saved them. This is a client-side feature and no data is uploaded to Active Directory. For details, see Add, change, or remove a photo for a contact.

Q. When users send an email to external recipients, are photos sent outside my organization?
A. No, the thumbnail photos are not sent with email. As indicated above, Outlook 2010 clients in your organization fetch the data from Active Directory (or the Offline Address Book, if you've modified the ConfiguredAttributes parameter for the OAB to include it as a value attribute). If your Active Directory is accessible to anonymous users from outside the organization, meet me at camera 2! :)

Q. How can I disable GAL Photos in Outlook?
A. If you don't upload photos to the thumbnailPhoto attribute in Active Directory, they will not be displayed. If you have applications that must use the thumbnailPhoto attribute, but don't want to have the photos displayed in Outlook 2010, you can disable them for Outlook by using the DoNotDisplayPhotograph registry value or the Do not display contact photo group policy setting. The setting is available via the OutlookSocialConnector.adm administrative template. For details and a download link, see How to manage the Outlook Social Connector by using Group Policy.

Q. Are any GUI tools available to upload thumbnail photos to Active Directory?
A. There are no GUI tools within Exchange 2010. However, there are a few third-party GUI utilities that allow you to upload photos easily. I think the Import-RecipientDataProperty cmdlet is quite easy and great for automation if you need to import more than a handful photos!

Q. How can I remove a user's photo from Active Directory?
A. The Import-RecipientDataProperty and Export-RecipientDataProperty cmdlets allow you to import and export the photo blob to and from thumbnailPhoto attribute, but there's no Remove-RecipientDataProperty cmdlet to remove it. You can use the RemovePicture switch of Set-Mailbox cmdlet to remove a user's photo. For example:

Set-Mailbox "Bharat Suneja" -RemovePicture

You can also use Active Directory tools such as ADSIEdit to null the thumbnailPhoto attribute.

If you want to disable GAL Photos in Outlook 2010 but want to retain the thumbnail for other applications, you can do so using a client-side registry value or group policy setting, as answered above.

Bharat Suneja

To visit this post again, use the short URL aka.ms/galphotosfaq. To go to the 'GAL Photos in Exchange 2010 and Outlook 2010' post, use aka.ms/galphotos.

Not applicable
I have this all working, except I don't think I have the photos in my GAL despite having done what's in the instructions. I have not upgraded my schema to 2008 yet, however. Everything else is working (photos in the contact card, etc). Is not having the schema updated the cause of not having the photos actually be present in the GAL?
Not applicable
Nice article.  Any support for OWA 2010 in sp1?
Not applicable
When a user has a local photo and AD has a photo for the same person, how is this handled?

If the GAL has a conflicting phone number for a user this only matters when the record is pulled up, but pictures are shown when messages arrive.
Not applicable
Constantino, as you'll see above you do need to update the schema to adjust the mAPIID attribute.  You can do this without actually upgrading your domain controllers.
Not applicable
@Constantino Tobio: You must update the schema to populate the MapiID for Outlook 2010 to show these.
Not applicable
@MikeC The locally saved photo is used.

We have had photos in AD for years! Nice to see MS using AD finally using this in a product. We use rDirectory from www.Namescape.com to empower our end users to take control of their data and upload their own photos.  
Not applicable
Can we add photos to distribution groups?
Not applicable
@Ozgur: If you look at the Identity parameter in Import-RecipientDataProperty cmdlet, the parameter type is Microsoft.Exchange.Configuration.Tasks.MailboxUserContactIdParameter. This means it'll only accept a mailbox user or Contact, and you can't specify a distribution group.
Not applicable
I've ran 2008 R2 adprep32 (forestprep & domainprep) but the value of mAPIID is still 32974. Is there anything else that needs to be done to get the value to 35998?
Not applicable
Nevermind. I was looking at the actual mAPPID attribute & not the mAPPID attribute of the picture attribute. It's correct.
Not applicable
Environment: DC 2003 & Ex2003  & Outlook 2010.

How to set the mAPIID attribute to value 35998 without ForestPrep ?
it is possible to set it manually ?
Not applicable
Great article.  I can populate this attribute for users (found a PS1 script that will do it w/o E14, btw), but we are also wanting it for our Distribution Groups.  When I use OL 2010 I see the thumbnails (& the placeholder icons) for the users.  These placeholders exist for Distribution Groups, too.  Why no picture capability?  I checked ADSIEdit and found that the 'thumbnailPhoto' is not, by default, an attribute of the 'group' AD class.  If I want to enable this for groups, couldn't I just manually extend the Schema by adding the 'thumbnailPhoto' as an attribute of the AD 'Group' Class?  I checked and it seems like it would work.  I  know I'm not the only one that will be wanting this.
Not applicable
I have small problem
I setup  thumbnailphoto as value but I see picture only when J'm useing online mode not in Cached Mode.

Not applicable
@Tomas: Was the OAB updated after changing value types? Did the client download the new OAB?

@El Kabong: Thanks for the feedback. As with all schema changes, make sure you test it thoroughly in a lab environment.

@Uwe: Is there an issue with updating schema using Forestprep?
Not applicable
OAB is downloaded but I overlook schema update. ( ithink this is problem)
But I see picture when I compose a message and choose the recipient nad I hover over the recipient's name
Not applicable
How large an image can be uploaded and does it mean that the size of ad will expand to equal the amount of image sizes uploaded ?
Not applicable
I have been through the steps and I see the photos in various spots within Outlook 2010, but not in the top, right corner of a message from another internal sender. If the people pane is on, the photo appears at the bottom, but rarely is this used. Anything more need to be done in order to get the photos to display within a message?
Not applicable
Who can I remove a picture (one user is not happy with his face ...) I'm sure it is an AD atribute but I can't find it.
Not applicable
We are using the thumbnailPhoto attribute. Works fine. Does Outlook 2010 /Exchange 2010 use the jpegPhoto attribute for anything?
Not applicable
sure hope inplace will be possible. lots of customers want that.