Guido's response is the first thing I thought of as well. I don't think AD is a proper place for that info for a couple of reasons:

1. Do you really need this replicated to every DC?
2. If someone dumps your AD, they get all of the photos too. How many people would like to have their entire company including photos of everyone distributed around? I personally don't like having my photo floating around and don't have it in our corporate photo system (which is a web site, not in AD).
3. You are growing your DIT for no real NOS benefit.
4. You could really live to regret this when people decide to get creative.

Also, how do you intend to display this info? Obviously having it out there is for the single purpose of displaying it later. If you have people put it in and no way to display it, someone will call you out on that.

I would stick this info in an AD/AM or SQL Server or something along those lines. Also put up some strict standards on what images get added. I know of a case where some monkey where I work had a picture of himself with a "cat in the hat" hat on. I recall seeing that photo one day, hearing he complained up to the IT Director under the CIO for something or another, and then hearing from some friends that his cat in the hat photo was suddenly gone from the directory. So I figure the Director wanted to look this gomer up in the Org list and up popped that photo, much to the director's distaste. I have also seen some other more "frightful" images for a corporate directory that could spawn lawsuits.

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

WARNING: let's look at the security aspects of photos in AD from another side. You need to be aware that the photo attribute is editable by default by every user himself (just like all the other attributes which are part of the personal information property set).

But the photo attribute is somewhat special: it's a binary blob which basically has no size limit... (depends on LDAP policy max msg size). This means that if you don't lock down this attribute, every user could potentially upload really large images (think of a 1 GB image) to this attribute and kill all your DCs anytime he'd like, either through replication or simply by growing the DIT file over the limits of your disks. So even if you're not going to use this attribute to store photos, you should also ensure that nobody else does it for you.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, 6 April 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

I think the benefit is obvious - security. You may want to consider using Active Directory Application Mode or setting up an Application Partition in AD (assuming you are using W2K3). Either would enable you to isolate the data & replication. Photos shouldn't change much, so once you have done your initial replication there shouldn't really be any additional traffic to bear.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

It all depends on how large your organisation is I guess, how many sites, WAN links, etc. I wouldn't really recommend it, as you really want to keep your AD as small as possible for replication and performance reasons. What benefit will you get out of having users' photos in the user object?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory

Hi all,

We're in the middle of designing our Active Directory (Server 2003) and our security group just came up with the idea that it would be great to include a photo of the user in each user object. I know this CAN be done but I'm looking for information that would tell me whether it SHOULD or SHOULD NOT be done. Any references anyone can think of or, better yet, personal experience with this?

Thanks,
Mike

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any use (including retransmission or copying) of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient of this transmission, please contact the sender and delete the material from any computer. The sender is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Any replies to this email may be monitored by the MCPS-PRS Alliance for quality control and other purposes.
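An added PowerShell audit for the two risks Guido and joe raise above (not code from the thread or from any of its posters): it lists user objects that already carry oversized pictures and the domain-root ACEs that let SELF write those attributes. The attribute names thumbnailPhoto and jpegPhoto, the 100 KB threshold and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module, a reachable DC,
# and read access to the domain ACL. thumbnailPhoto/jpegPhoto are the schema attributes usually
# used for pictures; the threshold is a constructed value to tune for your directory.
Import-Module ActiveDirectory

$photoAttrs = 'thumbnailPhoto', 'jpegPhoto'
$threshold  = 100KB

# Byte size of a single-valued (byte[]) or multi-valued (collection of byte[]) binary attribute.
function Get-BlobSize($value) {
    if ($null -eq $value)    { return 0 }
    if ($value -is [byte[]]) { return $value.Length }
    $total = 0
    foreach ($v in $value) { $total += $v.Length }
    return $total
}

# 1. Users already carrying oversized pictures: the DIT-growth and replication risk.
function Find-OversizedPhotos {
    Get-ADUser -Filter * -Properties $photoAttrs | ForEach-Object {
        foreach ($attr in $photoAttrs) {
            $bytes = Get-BlobSize $_.$attr
            if ($bytes -gt $threshold) {
                [pscustomobject]@{ User = $_.SamAccountName; Attribute = $attr; Bytes = $bytes }
            }
        }
    }
}

# 2. Domain-root ACEs granting SELF WriteProperty on the photo attributes, either directly
#    or via the "Personal Information" property set that contains them (GUIDs resolved from AD).
function Find-SelfWriteOnPhotos {
    $rootDse = Get-ADRootDSE
    $piGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                   -LDAPFilter '(displayName=Personal Information)' -Properties rightsGuid).rightsGuid
    $attrGuids = foreach ($attr in $photoAttrs) {
        [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                  -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID).schemaIDGUID
    }
    $watch = @($piGuid) + $attrGuids
    (Get-Acl -Path "AD:\$($rootDse.defaultNamingContext)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $watch -contains $_.ObjectType
    }
}

Find-OversizedPhotos   | Format-Table -AutoSize
Find-SelfWriteOnPhotos | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

An ACE whose ObjectType is the Personal Information set is the default self-write Guido describes; removing or overriding it with a Deny on the photo attributes is the lockdown he recommends.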
