  • Mayur Khatale

PowerShell to import Profile Photos when using Active Directory Import and SharePoint Server 2019/16

Updated: Jun 28, 2021

One of the most common tasks is using PowerShell to get user photos from Active Directory (or any other location, really) into the SharePoint User Profile Store. With the removal of User Profile Synchronization (UPS) in SharePoint 2016 & 2019, this need has increased significantly. For most mid-market customers this is a key requirement, and implementing Microsoft Identity Manager (MIM) for this purpose is not practical.

At any rate, if the business requirements can be met by ADI, with the exception of User Photos, then MIM is absolutely NOT the right solution.


Now in essence such a script is simple. We iterate Active Directory, get the photos from thumbnailPhoto, and then put them in the Profile Pictures folder within the My Site host. Depending upon operational requirements we can enhance this basic capability with logging and caching of the images on the file system and so forth.


We also still need to run Update-SPProfilePhotoStore once the import is complete, to create the three thumbnails that SharePoint uses. We also need to ensure that both the import script and Update-SPProfilePhotoStore are run on a machine hosting the User Profile Service service instance. The latter will not raise any exception if it is run elsewhere; it merely does nothing and quits!


Main implementation:


SharePoint 2013 introduced Active Directory Import, which is built on a technology called DirSync. There are many advantages to using Active Directory Import: we do not need to start the User Profile Synchronization service, and the syncs are many times faster than FIM. SharePoint 2016 & 2019 have only two options: External Identity Provider (MIM) or Active Directory Import.


This script imports profile pictures from Active Directory to SharePoint using DirSync, so you can have your pictures imported while still using Active Directory Import. It assumes your user profiles are already being imported and populated. Your account must have Replicate Directory Changes for your domain, as it would for SharePoint. I would suggest using the same account that you are using to sync users in SharePoint. Scroll to the bottom for the entire script.

Logs and the pictures will be written to $location.


Here are the variables that will need to be changed to your environment:

$Location = "C:\Dirsync\" 
 #First time running, just run "DirSync" then "UploadPicture $adusers" 
 #Update RootDSE to match your domain 
 $RootDSE = [ADSI]"LDAP://dc=amtest,dc=local" 
 $site = Get-SpSite https://mysite-dev.amtest.local 
 $domain = "amtest\" 
 #This will write the pictures to the folder specified in $location 
 $write2disk = $true 
 #LDAP filter that is currently set to pull in users with thumbnailphoto and not disabled users. 
 $LDAPFilter = "(&(objectCategory=person)(objectclass=user)(thumbnailphoto=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" 
 #Set $UseDifferentSvcAccount to true to be prompted for a different service account. False will use the user that is running the script to connect to AD. 
 $UseDifferentSvcAccount = $true 
 

New logic in the script will create the DNLookup if it is not present. There was another issue where existing users in AD would fail because the sAMAccountName property is not included with incremental syncs. This is resolved by doing a lookup by the DN and adding them to DNLookup.xml. Download the new version here (https://github.com/SPAdamsor/SharePointProfilePictureImport)


The first time you run this script it will run a full sync, and cookie.bin will be populated. Your account must have Replicate Directory Changes for your domain, the same requirement as for SharePoint. I would suggest using the same account that you are using to sync users in SharePoint.
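Since the sync account needs Replicate Directory Changes on the domain, it is worth confirming that it holds that right and nothing broader, such as Replicating Directory Changes All, which also replicates secret attributes and is not what this import requires. The following is an added example, not part of the original script: `Test-SyncAccountRights` and the `svc-*` accounts are hypothetical, the sample ACEs are constructed, and only Allow ACEs granted directly to the account are evaluated (group membership is not resolved).

```powershell
# Added example: audit which replication rights an account holds on the domain root.
# Keys are the standard AD control-access-right GUIDs; the all-zero GUID means "every extended right".
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Test-SyncAccountRights {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Rules,   # ActiveDirectoryAccessRule-shaped objects
        [Parameter(Mandatory)] [string]   $Account  # DOMAIN\name as it appears in the ACL
    )
    # Keep Allow ACEs for this account that carry extended rights, then map GUID -> name.
    $granted = @($Rules | Where-Object {
            "$($_.IdentityReference)" -eq $Account -and
            "$($_.AccessControlType)" -eq 'Allow' -and
            "$($_.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll'
        } | ForEach-Object { $ReplRights["$($_.ObjectType)".ToLower()] } |
        Where-Object { $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        Account    = $Account
        Granted    = $granted
        CanDirSync = ($granted -contains 'Replicating Directory Changes') -or
                     ($granted -contains 'All extended rights')
        # Anything beyond the single right the import needs is flagged for review.
        Excessive  = @($granted | Where-Object { $_ -ne 'Replicating Directory Changes' })
    }
}

# Constructed sample ACEs. Against a live domain, replace $sample with:
#   ([ADSI]"LDAP://dc=amtest,dc=local").psbase.ObjectSecurity.GetAccessRules(
#       $true, $true, [System.Security.Principal.NTAccount])
$sample = @(
    [pscustomobject]@{ IdentityReference = 'AMTEST\svc-spsync'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'AMTEST\svc-legacy'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'AMTEST\svc-legacy'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
)

'AMTEST\svc-spsync', 'AMTEST\svc-legacy' | ForEach-Object {
    Test-SyncAccountRights -Rules $sample -Account $_
}
```

An account with a non-empty `Excessive` list can still run the import, but it holds more replication rights than the import needs and should be reviewed before its credentials are entered at the `$UseDifferentSvcAccount` prompt.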

Steps:


1. Open PowerShell ISE with the SharePoint admin account.

2. Create a directory folder on the drive (all logs will be generated here).

3. Change the script parameters below to match your SharePoint farm environment.

Please note that in the section below we set this line to true because our admin and sync accounts are different, and our sync account has the Replicate Directory Changes permission on AD.


 #Set $UseDifferentSvcAccount to true to be prompted for a different service account. False will use the user that is running the script to connect to AD. 
 $UseDifferentSvcAccount = $true 
 


4. After the script completes, we will get the output below.

5. Now we still need to run Update-SPProfilePhotoStore to create the thumbnails.

Full Command: Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true -MySiteHostLocation https://mysite-dev.amtest.local

Now you can see the profile pictures of users in their My Site:


