All,

Thanks for the feedback.  There's some good information here that will help us 
determine the best way to do this.  We're going to have an AMER and EMEA domain with 
an empty root but want to quickly and easily obtain the photo of any individual for 
security purposes.  Over 60,000 users.

I agree that it's not necessarily something that we want replicated on all domain 
controllers.  But the nature of our WAN dictates that we need to have all photos 
fairly local -- pulling from across the Atlantic is too tedious even for small files.  
We have decent connectivity within those domains.

I originally was leaning toward SQL with a web front-end and deal with the latency (or 
replicate/cluster).  However, AD/AM is an interesting idea as well as we can then have 
separate front-ends and pull from the replicated (only where necessary) database.  
We're going to have additional issues like "how do we get digital photos of everyone 
and who's going to crop or compress all of the photos, etc., etc., etc."  Sounds like 
fun...


Thanks,
Mike

> Guido's response is the first thing I thought of as well. 
> 
> I don't think AD is a proper place for that info for a couple of reasons
> 
> 1. Do you really need this replicated to every DC?
> 2. If someone dumps your AD, they get all of the photos too, how many people
> would like to have their entire company including photos of everyone
> distributed around. I personally don't like having my photo floating around
> and don't have it in our corporate photo system (which is a web site, not in
> AD).
> 3. You are growing your DIT for no real NOS benefit.
> 4. You could really live to regret this when people decide to get creative.
> 
> Also, how do you intend to display this info? Obviously having it out there
> is for the single purpose of displaying it later. If you have people put it
> in and no way to display, someone will call you out on that.
> 
> I would stick this info in an AD/AM or SQL Server or something along those
> lines. Also put up some strict standards on what images get added. I know of
> a case where some monkey where I work had a picture of himself with a "cat
> in the hat" hat on. I recall seeing that photo one day, hearing he
> complained up to the IT Director under the CIO for something or another and
> then hearing from some friends that his cat in the hat photo was suddenly
> gone from the directory. So I figure the Director wanted to look this gomer
> up in the Org list and up popped that photo much to the director's distaste.
> I have also seen some other more "frightful" images for a corporate directory
> that could spawn lawsuits. 
> 
>   joe
>  
> 
> -------------
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
>  
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Friday, April 09, 2004 1:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Photos in Active Directory
> 
> WARNING: let's look at the security aspects of photos in AD from another
> side. You need to be aware that the photo attribute is editable by default
> by every user himself (just like all the other attributes which are part of
> the personal information property set).
> 
> But the photo-attribute is somewhat special: it's a binary blob which
> basically has no size limit... (depends on LDAP policy max msg size).
> This means that if you don't lock down this attribute, every user could
> potentially upload really large images (think of a 1 GB image) to this
> attribute and kill all your DCs anytime he'd like either through
> replication or simply growing the DIT-file over the limits of your disks.
> 
> So even if you're not going to use this attribute to store photos, you
> should also ensure that nobody else does it for you.
> 
> /Guido
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
> Sent: Tuesday, 6 April 2004 17:55
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Photos in Active Directory
> 
> I think the benefit is obvious - security.
> 
> You may want to consider using Active Directory Application Mode or setting
> up an Application Partition in AD (assuming you are using W2K3).
> Either would enable you to isolate the data & replication.
> 
> Photos shouldn't change much so once you have done your initial replication
> there shouldn't really be any additional traffic to bear.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
> Sent: Tuesday, April 06, 2004 12:51 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Photos in Active Directory
> 
> It all depends on how large your organisation is I guess, how many sites,
> WAN links, etc. I wouldn't really recommend it as you really want to keep
> your AD as small as possible for replication and performance reasons.
> 
> What benefit will you get out of having users' photos in the user object? 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 05 April 2004 22:40
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Photos in Active Directory
> 
> 
> Hi all,
> 
> We're in the middle of designing our Active Directory (Server 2003) and
> our security group just came up with the idea that it would be great to
> include a photo of the user in each user object.  I know this CAN be
> done but I'm looking for information that would tell me whether it
> SHOULD or SHOULD NOT be done.  Any references anyone can think of or,
> better yet, personal experience with this?
> 
> 
> Thanks,
> Mike
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

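Guido's point above (the photo attribute is self-writable by default and has no meaningful size limit, so a user can bloat the DIT and replication traffic) suggests a periodic audit of what is actually stored. The following is an added example, not code from anyone in this thread: it reads an LDIF export of user objects (a constructed sample is embedded inline), and flags photo values that exceed a size cap or are not JPEG data. The attribute names `thumbnailPhoto` and `jpegPhoto` and the 100 KB cap are assumptions for the example.

```python
import base64

# Policy values assumed for this example; tune them to your own environment.
MAX_PHOTO_BYTES = 100 * 1024                 # assumed cap per stored photo
PHOTO_ATTRS = ("thumbnailPhoto", "jpegPhoto")  # assumed AD photo attributes
JPEG_MAGIC = b"\xff\xd8\xff"                 # SOI marker every JPEG starts with


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr: [bytes, ...]}}.
    Handles 'attr:: <base64>' values and leading-space line continuations."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        else:
            lines.append(raw)
    entries, cur = {}, None
    for line in lines:
        if not line.strip():                  # blank line ends an entry
            cur = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # '::' means base64-encoded value
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        if attr == "dn":
            cur = data.decode()
            entries[cur] = {}
        elif cur is not None:
            entries[cur].setdefault(attr, []).append(data)
    return entries


def audit_photos(ldif_text, max_bytes=MAX_PHOTO_BYTES):
    """Return (dn, attr, size, reason) for every photo value violating policy."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text).items():
        for attr in PHOTO_ATTRS:
            for blob in attrs.get(attr, []):
                if len(blob) > max_bytes:
                    findings.append((dn, attr, len(blob), "oversized"))
                elif not blob.startswith(JPEG_MAGIC):
                    findings.append((dn, attr, len(blob), "not a JPEG"))
    return findings


def _b64(b):
    return base64.b64encode(b).decode()

# Constructed sample export: one sane photo, one 200 KB blob, one non-image.
SAMPLE_LDIF = (
    "dn: CN=Alice,OU=Users,DC=example,DC=com\n"
    "thumbnailPhoto:: " + _b64(JPEG_MAGIC + b"\x00" * 100) + "\n\n"
    "dn: CN=Bob,OU=Users,DC=example,DC=com\n"
    "thumbnailPhoto:: " + _b64(JPEG_MAGIC + b"\x00" * (200 * 1024)) + "\n\n"
    "dn: CN=Carol,OU=Users,DC=example,DC=com\n"
    "jpegPhoto:: " + _b64(b"MZ\x90\x00 not an image") + "\n"
)
```

Run `audit_photos(SAMPLE_LDIF)` to see the two offending entries; in practice feed it the output of an `ldifde` export of your user OU.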