Bulk AD Users – Update Photos


You should consider the pros and cons of storing photos in Active Directory as well as the implications of bulk loading photos into Active Directory.

Let's say that you have 20,000 user accounts in your Active Directory and you are planning to load a 100Kb (on average) photo of each user into Active Directory.  You would expect to need an additional 1953Mb of storage ([20000*100]/1024) on each of your domain controllers.  You also need to consider the effect on replication – especially if you have some sites with slow or saturated links.

You also need to consider the effect of applications downloading photos from Active Directory – these might add some additional load on your domain controllers, so you will need to size them accordingly.

The impact of storing photos in Active Directory is likely to be quite minimal for an organisation with a few hundred user accounts, small image sizes and a handful of domain controllers in a single site.  The impact on a larger organisation with thousands of user accounts across multiple sites with slow links and larger image sizes could be quite severe.

You will need to decide which attribute to use to store your photos or you might be planning to extend the schema with your own attributes.  A number of attributes exist that are designed to allow you to store user photos in Active Directory.  Assuming you are using “Windows 2003 Server” you can use any of the following attributes:

| Attribute Name | Multi-Valued? | Max File Size | Description |
|---|---|---|---|
| photo | Yes | | An object encoded in G3 fax as explained in recommendation T.4, with an ASN.1 wrapper to make it compatible with an X.400 BodyPart as defined in X.420. |
| jpegphoto | Yes | | Used to store one or more images of a person using the JPEG File Interchange Format [JFIF]. |


  • Plan carefully – make sure you understand the impact of storing photos in Active Directory.
  • Keep file sizes as small as possible.
  • Run bulk updates at “quiet” times.
  • You might want to run tests in a QA environment before making changes to your live system.  Also ensure that you have recent backups of your Active Directory.


You can use Bulk Modify to bulk load user photos into Active Directory.  Click the “Other” tab and select the attribute you want to use to store your employee photos.  Select the “Replace” option if appropriate.

Bulk AD Users - Modify Photos

The Octet string editor should be displayed.  You will need to change the “Edit value as” option to “Path to file”.  This will allow you to load a different photo for each user. 

If you click the “Sample user photo path” link, the following filename format will be used “\\server1\photoshare\username.jpg”.  You can edit the path as required using either a UNC or a local path.  The XML PlaceHolder “sAMAccountName” is replaced with the username (Pre Windows 2000 Logon name).
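Because "Path to file" loads whatever bytes each file contains, it is worth checking the photo folder before the bulk update runs. The following PowerShell is an added example, not part of Bulk AD Users: the function name `Test-PhotoFolder`, the 100 KB size cap and the demo folder are assumptions made for illustration, and it assumes files are named after the username with a `.jpg` extension as in the sample path above.

```powershell
# Pre-flight check of a photo folder before a bulk load (added example).
# Assumption: the 100 KB cap is a hypothetical local policy, not a tool or AD limit.
function Test-PhotoFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxBytes = 100KB
    )
    $results = foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        # Read only the first three bytes: every JPEG stream starts with FF D8 FF.
        $head = New-Object byte[] 3
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try { $read = $stream.Read($head, 0, 3) } finally { $stream.Dispose() }
        $isJpeg = ($read -eq 3 -and $head[0] -eq 0xFF -and
                   $head[1] -eq 0xD8 -and $head[2] -eq 0xFF)

        $problem = $null
        if ($file.Extension -ne '.jpg')         { $problem = 'unexpected extension' }
        elseif (-not $isJpeg)                   { $problem = 'not a JPEG (bad magic bytes)' }
        elseif ($file.Length -gt $MaxBytes)     { $problem = 'over size cap' }

        [pscustomobject]@{ User = $file.BaseName; Bytes = $file.Length; Problem = $problem }
    }
    $ok = @($results | Where-Object { -not $_.Problem })
    [pscustomobject]@{
        Accepted = $ok.Count
        Rejected = @($results | Where-Object { $_.Problem })
        # Same arithmetic as the sizing estimate: expected growth per domain controller.
        TotalMB  = [math]::Round((($ok | Measure-Object -Property Bytes -Sum).Sum) / 1MB, 1)
    }
}

# Constructed sample data: one file with a JPEG header, one text file renamed to .jpg.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'photo-preflight-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'jsmith.jpg'),
    [byte[]](0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'adoe.jpg'),
    [System.Text.Encoding]::ASCII.GetBytes('not an image'))

$report = Test-PhotoFolder -Path $demo
$report.Rejected | Format-Table User, Bytes, Problem
"Accepted: $($report.Accepted)  Estimated growth per DC: $($report.TotalMB) MB"
```

The magic-byte test only confirms that a file starts like a JPEG; it does not validate the rest of the image.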

XML Log File

Photos are handled slightly differently in the XML log file.  If old and new files were encoded inside the XML log file, the size of the log file would grow quite large.  Any file over 1Kb is stored in an external file and a pointer is inserted into the XML log file. 

The photos will be stored in a file called “_data”.  The file does not have a file extension but it is possible to open the file by using a zip application.