ds: modifying security and the default max size limit for pictures in active directory
i started investigating storing pictures in active directory and came to the understanding that while the default size is 100kb, exchange limited uploads to 10kb. i did a little testing with my own pretty face and realized that a 96x96 image that is less than 10kb is sufficient. anyway, here's a couple of things i dug up. props to wrj for the schema location info.
DEFAULT PERMISSIONS
another interesting thing to note is that the picture attribute (otherwise known as thumbnailphoto) is a part of the personal information property set. this matters because, by default, the self security principal is granted rights to modify attributes in the personal information property set. oh no!
SOLUTIONS
at this point, paths diverge based on what matters to you:
warning: i haven't tried either of these so proceed at your own peril.
STEPS TO MODIFY PERMISSIONS
appropriate permissions are required to make this modification (generally domain admins or a privileged assignment that can change object acls).
STEPS TO MODIFY MAX SIZE LIMIT
to make this modification, you need permission to modify the schema.
DEFAULT PERMISSIONS
another interesting thing to note is that the picture attribute (otherwise known as thumbnailphoto) is a part of the personal information property set. this matters because, by default, the self security principal is granted rights to modify attributes in the personal information property set. oh no!
SOLUTIONS
at this point, paths diverge based on what matters to you:
- users can manage their own photos
- users adding photos will bloat the AD database
if your concern is the capability of users managing their own photos, you can modify the permissions associated with the self security principal. if all that matters to you is blocking the file size of the image, you can modify the max size limit.
warning: i haven't tried either of these so proceed at your own peril.
STEPS TO MODIFY PERMISSIONS
appropriate permissions are required to make this modification (generally domain admins or a privileged assignment that can change object acls).
- open active directory users and computers (dsa.msc)
- navigate to the base container you wish to apply the changes
- open the properties, switch to the security tab and click advanced
- under the permissions tab, click add and find the self oject
- on the permission entry dialog box, switch to properties
- switch the focus to user objects on the apply onto section
- scroll down to find write thumbnailphoto and click deny
STEPS TO MODIFY MAX SIZE LIMIT
to make this modification, you need permission to modify the schema.
- open adsiedit.msc and connect to the schema naming context
- open the schema tree (ex: cn=schema,cn=configuration,dc=mydomain,dc=com)
- locate the cn=picture node and open the properties
- modify the rangeupper value to the new value (stored as bytes)
This comment has been removed by a blog administrator.
ReplyDelete