Exporting profile pictures from SharePoint 2010 to Active Directory

Profile pictures can either be stored in Active Directory or in SharePoint. The main reason for placing the profile pictures in SharePoint is for easier management, self-service and maintaining high quality images. Storing the pictures directory in Active Directory gives some restrictions on both physical file size and pixels.

Set up delegation in Active Directory

Select “Delegate Control” on the top level in Active Directory. Locate the system account performing the synchronization.

Choose “Create a custom task to delegate”.

Choose “Only the following objects in the folder” and “User objects”.

Choose “Property specific” and “Read thumbnailPhoto” and “Write thumbnailPhoto”.

Finish the wizard and the delegation should be fine.

Set up export in SharePoint User Profile Service

Locate the user profile property named “Picture” in the user profile service application in Central Administration.

Edit the property and set up an export to the Active Directory field “thumbnailPhoto”.

This should appear like this after choosing “Add”.

Run a full synchronization of the user profiles.

To verifiy the result we have updated the profile picture of one user, and browsing the status in the MIIS Client show that the picture was successfully exported for the user.

Known issues

This can give an error message “permission issue” when checking the status in the MIIS client (C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe).

This error can appear when the system user running the synchronization haven’t been delegated the necessary permissions in Active Directory as described in the beginning of this post.

Summary

After successfully setting up a synchronization of profile pictures from SharePoint to Active Directory the images can be used throughout the company in other applications like Lync and Outlook.

10 thoughts on “Exporting profile pictures from SharePoint 2010 to Active Directory”

  1. Thanks for posting this solution . I find many post but most of them are just steps on how to do this. no one mentioned this known issue.SO even if your profile service is importing user data fine it will still not work unless permissions mentioned in your article are set before start exporting. thanks

  2. Thanks dude!
    Ive done it but just made an error, while i was doing Incremental sync nothing happened, but it worked with full sysn

  3. Not working, in FIM I have an Error like “PicturURL” (String) is not compatible with type of “SPS_MV_OctetString_PictureURL” (Binary). and result of all DELTASYNC and FULLSYNC are in “stopped-extension-dll-exception”. All of item and Metaverse PictureURL / SPS_MV_OctetString_PictureURL.. are create in FIM by SharePoint 2010

    1. I have never experienced this error, so I’m not sure what causes it to stop. Wrong configuration of the user profile mapping or delegation in AD should only result in a error, not a full stop. From a general point I would have checked the values of the “Picture” user profile property. I have seen other blogs suggest that if this field contains any invalid urls or values a similar error can occur. To check the content of the field, I believe this can be best accomplished by looping through the user profiles using PowerShell.

  4. Hi,
    Thanks for the post: it saved our life 😉
    We had set up sync between AD and SharePoint user profiles, and it worked fine, except for the photos of some profiles. So the majority of photos was synced, but not all of them.
    By following your post we solved our problems, and all photos were synced.
    It’s incredible all this stuff is not documented by Microsoft.

  5. Hi,
    If the field is set up as Export, does that mean Picture field is bi-directional. if the picture is updated in active directory does it update SharePoint.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s