Photos in AD?
Posted by BPuhl on January 24, 2008
I love the fact that there is a lot of mythology floating around about AD. Much of it is completely bogus, but hey, at least people are thinking about a problem or scenario, and if they are thinking, then that’s much easier to correct than someone who isn’t thinking at all.
One of the more entertaining things I’ve heard is that you should never (ever) allow users to store photos in AD. Aww heck, there’s even an attribute in AD called thumbnailPhoto, so what are you talking about? Sure, it’s going to be a “large” attribute, meaning you need to make sure that you have enough disk space for your database, but then again, so are certificates and nobody hops up on their soapbox when someone wants to deploy PKI!
Many months ago at Microsoft, we finished an internal project which published everyone’s photo into AD, and an add-on for Microsoft Outlook which allows users to “show pictures” of each person who is on the To line. This has turned out to be incredibly helpful when you are going to walk into a meeting and don’t recognize anybody else that’s on the invite.
So what’s all the FUD about putting pictures in AD? Well…like anything else with AD, it’s not something which you should just go about willy-nilly. How about we stop and put some thought into it? For example, whatever process you use shouldn’t allow users to add arbitrarily large images into the directory. We use a SharePoint application to scale down the images to an appropriate size. You should have some form of life cycle management for the pictures, so that you can make sure that they are updated/maintained with all of the other aspects of the user account.
You know, in short – You should manage this bit of data in the directory just like every other bit of data in the directory which you manage. Wrap appropriate controls around it, ensure its validity/integrity as necessary, etc…
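One way to put such a control in front of thumbnailPhoto, as an added example (not code from this post, and not the SharePoint application mentioned above): a gate that rejects a user-supplied image unless it is a JPEG within a byte cap and a pixel cap, reading the dimensions from the JPEG start-of-frame header. The limits `MAX_BYTES` and `MAX_SIDE`, the function names and the sample images are assumptions constructed for illustration.

```python
import struct

MAX_BYTES = 10 * 1024  # assumed policy cap on stored bytes (not from the post)
MAX_SIDE = 96          # assumed policy cap on width and height, in pixels
# Start-of-frame markers carry the dimensions (C4, C8 and CC are not SOF).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def jpeg_dimensions(data):
    """Return (width, height) from the first SOF segment or raise ValueError."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            if seg_len < 8 or pos + 9 > len(data):
                raise ValueError("truncated SOF segment")
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        if marker == 0xDA or seg_len < 2:  # scan data reached, or bad length
            break
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")

def check_thumbnail(data):
    """Return a list of policy violations; an empty list means OK to store."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"too large: {len(data)} bytes > {MAX_BYTES}")
    try:
        width, height = jpeg_dimensions(data)
    except ValueError as exc:
        return problems + [f"rejected: {exc}"]
    if width > MAX_SIDE or height > MAX_SIDE:
        problems.append(f"dimensions {width}x{height} exceed {MAX_SIDE}x{MAX_SIDE}")
    return problems

def sample_jpeg(width, height, padding=0):
    """Constructed sample: JPEG headers only, with optional comment padding."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    com = b"\xff\xfe" + struct.pack(">H", padding + 2) + bytes(padding)
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + bytes(3)
    return b"\xff\xd8" + app0 + (com if padding else b"") + sof0 + b"\xff\xd9"
```

Run the check on the bytes that will actually be written to the attribute, after any scaling step, so that an oversized or non-image value never reaches the directory.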
Actually, the biggest problems with putting images into the directory are not around the technology of doing so. There were many (many, many) discussions around whether you wanted to allow people to explicitly “opt-in” to publishing their picture, “opt-out” of publishing it, or “require” them to do so. After many discussions with our internal legal department, we found that for users in North America, we could publish their pictures without their consent; however, the complex privacy laws in other parts of the world led us to provide an opt-in model for those users. Yeah, this actually did upset some of the North America users, but not too many and not that vocally.
Interesting bit of trivia though – one of the things we decided to do with our deployment was to allow users to maintain their own pictures, via the SharePoint application I talked about. This immediately led to a few different ideas about compromising the quality of this service. One team considered having everybody on the team change their images to that of a single person. Others decided to change their images to something that was more representative of their personalities, such as them snowboarding or their family.
Personally, my “corporate avatar” is:
Yes, that’s right – it’s a giant half-chicken half-squirrel. And if you have absolutely no idea what I’m talking about, then you don’t watch enough South Park (which is probably much healthier for you anyway).
random note: Picture cache, for those of you who have played with this, is located at: C:\Users\<user>\AppData\Local\Microsoft\Outlook\PictureCache
(BTW – For all the techy people out here who are looking for some useful nugget of information in all of this blathering – With the deployment of credential roaming in Windows Server 2008, which stores many more certificates, plus these pictures for all of our users, our typical database size has gone from about 13GB to about 22GB. We still build our typical server with 16GB of RAM though…)