another interesting thing to note is that the picture attribute (otherwise known as thumbnailphoto) is a part of the personal information property set. this matters because, by default, the self security principal is granted rights to modify attributes in the personal information property set. oh no!
at this point, paths diverge based on what matters to you:
- users can manage their own photos
- users adding photos will bloat the AD database
if your concern is users being able to manage their own photos, you can modify the permissions associated with the self security principal. if all that matters to you is limiting the file size of the image, you can modify the max size limit.
warning: i haven't tried either of these so proceed at your own peril.
STEPS TO MODIFY PERMISSIONS
appropriate permissions are required to make this modification (generally domain admins or a privileged assignment that can change object acls).
- open active directory users and computers (dsa.msc)
- navigate to the base container to which you wish to apply the changes
- open the properties, switch to the security tab and click advanced
- under the permissions tab, click add and find the self object
- on the permission entry dialog box, switch to properties
- switch the focus to user objects on the apply onto section
- scroll down to find write thumbnailphoto and click deny
STEPS TO MODIFY MAX SIZE LIMIT
to make this modification, you need permission to modify the schema.
- open adsiedit.msc and connect to the schema naming context
- open the schema tree (ex: cn=schema,cn=configuration,dc=mydomain,dc=com)
- locate the cn=picture node and open the properties
- modify the rangeupper value to the new value (stored as bytes)
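
a scripted version of both procedures above, as an added example that is not part of the original post. it assumes the ActiveDirectory powershell module (RSAT) is installed; `$TargetOU`, `$NewMaxBytes` and the two function names are placeholders made up for illustration.

```powershell
# added example, not from the original post. placeholders: $TargetOU, $NewMaxBytes
Import-Module ActiveDirectory

$TargetOU    = 'OU=Staff,DC=mydomain,DC=com'  # hypothetical base container
$NewMaxBytes = 10240                          # hypothetical new limit, in bytes

# resolve the GUIDs from the schema instead of hard-coding them
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$photoAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
                 -Properties schemaIDGUID, rangeUpper
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                 -Properties schemaIDGUID
$photoGuid = [guid]$photoAttr.schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

function Deny-SelfThumbnailWrite {
    param([Parameter(Mandatory)][string]$ContainerDN)
    # SELF is the well-known SID S-1-5-10
    $self = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')
    # deny "write thumbnailPhoto", inherited by descendant user objects only
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $photoGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

function Set-ThumbnailMaxSize {
    param([Parameter(Mandatory)][int]$Bytes)
    # schema writes go to the schema master and need schema modification rights
    Set-ADObject -Identity $photoAttr.DistinguishedName -Replace @{ rangeUpper = $Bytes } `
        -Server (Get-ADForest).SchemaMaster
}

# report current state, then apply only the path you chose
"current rangeUpper: $($photoAttr.rangeUpper) bytes"
# Deny-SelfThumbnailWrite -ContainerDN $TargetOU
# Set-ThumbnailMaxSize -Bytes $NewMaxBytes

# verify: list deny ACEs on the container that target thumbnailPhoto
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $photoGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

both calls are left commented out, so running the script as-is only reports the current limit and any existing deny entries; uncomment the one that matches your concern.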