Storage of photos in AD using jpegPhoto or thumbnailPhoto - yay or nay?
I checked the archives on this and didn't see too much there beyond Guido saying "don't do it". To quote:
[Grillenmeier, Guido
Tue, 14 Dec 2004 12:35:42 -0800
that's likely the photo or the thumbnailPhoto attribute (both octet strings) - best way to kill your AD. There are a couple of tools out there that allow uploading a user's photo to this attribute... The downside: every user has the right to do so on his own account (via the SELF security principal and the permissions granted to it with the PersonalInformation property set). I can only recommend to take these permissions away (possible in 2k3 to remove unwanted attributes from the default property sets).
a link would certainly be better - I don't think there's a default attribute for this - you might want to introduce a new attribute to your schema.
/Guido]
I actually didn't see the jpegPhoto attribute in the Personal-Information attribute set (http://msdn.microsoft.com/library/default.asp?url=""). Regardless, our users do not have the ability to update any of the photo attributes. So beyond DoS issues with users being able to upload large files into AD, what are the potential issues with having these out there? I certainly don't want to be flinging these bits to all corners of the world, and I would much rather use a link attribute. Coming up against management here though.
So, any real-world experience on populating photos in AD? Any more cons beyond DIT bloat and DoS?
Consider it a rather large AD implementation, with multiple child domains, >100K users, and a need to have the photo information in the global catalog.
