Are there any Best Practices whitepapers out there on
the recommended default property sets for a secure AD? It sounds like this
ability could seriously hinder some infrastructures running
AD.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Wednesday, March 01, 2006 8:56 PM
To: [email protected]
Subject: [ActiveDir] Photos in AD
Storage of photos in AD using jpegPhoto or thumbnailPhoto - yay or
nay?
I checked the archives on this and didn't see too much there beyond
Guido saying "don't do it". To quote:
[Grillenmeier, Guido
Tue, 14 Dec 2004 12:35:42 -0800
that's likely the photo or the thumbnailPhoto attribute (both octet
strings) - best way to kill your AD. There are a couple of tools out there
that allow uploading a user's photo to this attribute... The downside: every
user has the right to do so on his own account (via the SELF security principal
and the permissions granted to it with the PersonalInformation property
set). I can only recommend to take these permissions away (possible in 2k3
to remove unwanted attributes from the default property sets).
a link would certainly be better - I don't think there's a default attribute for this - you might want to introduce a new attribute to your schema.
/Guido]
I actually didn't see the jpegPhoto attribute in the Personal-Information
attribute set (http://msdn.microsoft.com/library/default.asp?url=""
). Regardless, our users do not have the ability to update any of the photo
attributes. So beyond DoS issues with users being able to upload large files
into AD, what are the potential issues with having these out there? I certainly
don't want to be flinging these bits to all corners of the world, and I would
much rather use a link attribute. Coming up against management here though.
So, any real-world experience on populating photos in AD? Any more cons
beyond DIT bloat and DoS?
Consider it a rather large AD implementation, with multiple child domains,
>100K users, and a need to have the photo information in the global
catalog
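The checks the poster describes can be done from PowerShell rather than by reading the MSDN property-set table. The script below is an added example, not code from the thread or from any of its participants. It assumes the RSAT ActiveDirectory module on a domain-joined machine; `$SampleUser` is a hypothetical account name. It (1) enumerates the attributes that are currently members of the Personal-Information property set by matching each attributeSchema object's attributeSecurityGUID against the set's rightsGuid, so you see what your own schema says rather than what a document says; (2) checks whether SELF actually gets WriteProperty on jpegPhoto, thumbnailPhoto and photo on a real user object, through a property-set ACE, a per-attribute ACE, or an all-properties ACE; (3) measures how much photo data is already in the DIT; and (4) shows, under -WhatIf, the schema change Guido refers to, which is clearing attributeSecurityGUID on the attribute so it drops out of the set.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module; $SampleUser is a hypothetical account used only to read an ACL.
Import-Module ActiveDirectory

$SampleUser = 'jdoe'                                  # hypothetical account
$PhotoAttrs = 'jpegPhoto', 'thumbnailPhoto', 'photo'  # the attributes under discussion

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# 1. Membership of the Personal-Information property set. The set is a
#    controlAccessRight object under CN=Extended-Rights; an attribute is a member
#    when its attributeSecurityGUID equals the set's rightsGuid.
$set = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
       -LDAPFilter '(&(objectClass=controlAccessRight)(cn=Personal-Information))' `
       -Properties rightsGuid
$setGuid = [guid]$set.rightsGuid

$schemaAttrs = Get-ADObject -SearchBase $schemaNC `
       -LDAPFilter '(objectClass=attributeSchema)' `
       -Properties lDAPDisplayName, attributeSecurityGUID, schemaIDGUID

$members = $schemaAttrs |
    Where-Object { $_.attributeSecurityGUID -and
                   ([guid][byte[]]$_.attributeSecurityGUID) -eq $setGuid } |
    Select-Object -ExpandProperty lDAPDisplayName

foreach ($a in $PhotoAttrs) {
    '{0,-15} in Personal-Information: {1}' -f $a, ($members -contains $a)
}

# 2. Does SELF get WriteProperty on those attributes on a real user? An ACE grants
#    it if ObjectType is the all-zero GUID (all properties), the attribute's own
#    schemaIDGUID, or the GUID of a property set the attribute belongs to.
$user     = Get-ADUser $SampleUser
$acl      = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$selfAces = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll'
}
foreach ($a in $PhotoAttrs) {
    $attr = $schemaAttrs | Where-Object lDAPDisplayName -eq $a
    if (-not $attr) { continue }
    $attrGuid = [guid][byte[]]$attr.schemaIDGUID
    $grant = $selfAces | Where-Object {
        $_.ObjectType -eq [guid]::Empty -or
        $_.ObjectType -eq $attrGuid -or
        ($_.ObjectType -eq $setGuid -and $members -contains $a)
    }
    '{0,-15} SELF can write on {1}: {2}' -f $a, $SampleUser, [bool]$grant
}

# 3. How much photo data is already in the DIT (and, if the attributes are in the
#    partial attribute set, replicated to every global catalog). Largest ten shown.
Get-ADUser -Filter * -Properties $PhotoAttrs |
    ForEach-Object {
        foreach ($a in $PhotoAttrs) {
            $v = $_.$a
            if (-not $v) { continue }
            # single-valued octet strings come back as byte[]; multi-valued ones
            # (jpegPhoto) as a collection of byte[]
            $bytes = if ($v -is [byte[]]) { $v.Length }
                     else { ($v | ForEach-Object { $_.Length } | Measure-Object -Sum).Sum }
            [pscustomobject]@{ User = $_.SamAccountName; Attr = $a; Bytes = $bytes }
        }
    } | Sort-Object Bytes -Descending | Select-Object -First 10

# 4. The mitigation Guido describes: take the attribute out of the property set by
#    clearing attributeSecurityGUID on its attributeSchema object. This is a schema
#    change (Schema Admins, run against the schema master); shown with -WhatIf.
$thumb = $schemaAttrs | Where-Object lDAPDisplayName -eq 'thumbnailPhoto'
Set-ADObject -Identity $thumb.DistinguishedName -Clear attributeSecurityGUID -WhatIf
```

Step 3 walks every user with three binary attributes; on the >100K-user forest described here, run it off-hours or scope it with -SearchBase per OU. Step 2 only reports an Allow ACE for SELF; an explicit Deny elsewhere in the ACL would still win, so treat a True result as "worth checking with effective-permissions", not as proof of write access.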
