Is there a way to do it in Exchange instead without the AD issues?


Steven Comeau

Manager, Corporate IT Systems

Main Tape

1 Capital Drive, Suite 101

Cranbury, NJ  08512

800-718-8273  x332


From: Bahta, Nathaniel V Contractor NASIC/SCNA [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD


Are there any Best Practices whitepapers out there on the recommended default property sets for a secure AD?  It sounds like this ability could seriously hinder some infrastructures running AD.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Oteece
Sent: Wednesday, March 01, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Photos in AD

Storage of photos in AD using jpegPhoto or thumbnailPhoto - yay or nay?


I checked the archives on this and didn't see too much there beyond Guido saying "don't do it". To quote:


[Grillenmeier, Guido
Tue, 14 Dec 2004 12:35:42 -0800


that's likely the photo or the thumbnailPhoto attribute (both octet strings) - best way to kill your AD.  There are a couple of tools out there that allow uploading a user's photo to this attribute... The downside: every user has the right to do so on his own account (via the SELF security principal and the permissions granted to it with the PersonalInformation property set).  I can only recommend to take these permissions away (possible in 2k3 to remove unwanted attributes from the default property sets).

a link would certainly be better - I don't think there's a default attribute for this - you might want to introduce a new attribute to your schema.

/Guido]

I actually didn't see the jpegPhoto attribute in the Personal-Information attribute set (http://msdn.microsoft.com/library/default.asp?url="" ). Regardless, our users do not have the ability to update any of the photo attributes. So beyond DoS issues with users being able to upload large files into AD, what are the potential issues with having these out there? I certainly don't want to be flinging these bits to all corners of the world, and I would much rather use a link attribute. Coming up against management here though.


So, any real-world experience on populating photos in AD? Any more cons beyond DIT bloat and DoS?


Consider it a rather large AD implementation, with multiple child domains, >100K users, and a need to have the photo information in the global catalog.
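The two concrete questions in the thread (Guido's point that SELF gets WriteProperty on the Personal-Information property set, and Nathaniel's question of how to check which default property set an attribute falls into) can be answered from the directory itself rather than from a whitepaper. The script below is an added example and is not code from any poster on the list. It reads the attributeSchema objects for jpegPhoto and thumbnailPhoto to see which property set each belongs to (attributeSecurityGUID), whether it replicates to the global catalog (isMemberOfPartialAttributeSet) and what size cap applies (rangeUpper), then inspects the DACL of one user in a given OU for Allow ACEs granted to NT AUTHORITY\SELF that cover those attributes. With -Apply it adds an explicit per-object Deny ACE for SELF on each photo attribute. The OU distinguished name is a placeholder, and it assumes only System.DirectoryServices (no AD module) and an account that can read the schema and configuration partitions, plus WRITE_DAC on the user objects if -Apply is used.

```powershell
# Added example, not code from the thread. Audits whether NT AUTHORITY\SELF can write
# jpegPhoto / thumbnailPhoto on user objects and, with -Apply, adds an explicit Deny ACE.
# Assumptions: System.DirectoryServices only; read access to schema/config partitions;
# WRITE_DAC on the user objects for -Apply. The default OU is a placeholder.
param(
    [string]$TargetOU = "OU=Users,DC=example,DC=com",   # placeholder, adjust to your forest
    [switch]$Apply                                      # without -Apply this is read-only
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Properties['schemanamingcontext'][0]
$configNc = $rootDse.Properties['configurationnamingcontext'][0]
$selfSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')   # NT AUTHORITY\SELF

function Find-One([string]$baseDn, [string]$filter, [string[]]$props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$baseDn", $filter, $props)
    $s.FindOne()
}
function Get-Prop($result, [string]$name) {
    # ResultPropertyValueCollection throws on [0] when empty, so guard it
    if ($result.Properties[$name].Count -gt 0) { $result.Properties[$name][0] } else { $null }
}
function Get-PropertySetName($guid) {
    # controlAccessRight objects under Extended-Rights carry the rightsGuid of each property set
    if (-not $guid) { return '(none)' }
    $r = Find-One "CN=Extended-Rights,$configNc" "(&(objectClass=controlAccessRight)(rightsGuid=$guid))" @('displayName')
    if ($r) { Get-Prop $r 'displayname' } else { "$guid" }
}

# 1. Schema facts for each photo attribute: property set, GC replication, size cap.
$attrs = foreach ($n in 'jpegPhoto', 'thumbnailPhoto') {
    $r = Find-One $schemaNc "(&(objectClass=attributeSchema)(lDAPDisplayName=$n))" `
         @('schemaIDGUID', 'attributeSecurityGUID', 'isMemberOfPartialAttributeSet', 'rangeUpper')
    if (-not $r) { Write-Warning "$n is not defined in this schema"; continue }
    $setBytes = Get-Prop $r 'attributesecurityguid'
    [pscustomobject]@{
        Name        = $n
        SchemaGuid  = New-Object Guid (, (Get-Prop $r 'schemaidguid'))
        PropertySet = if ($setBytes) { New-Object Guid (, $setBytes) } else { $null }
        InGC        = [bool](Get-Prop $r 'ismemberofpartialattributeset')
        MaxBytes    = Get-Prop $r 'rangeupper'          # $null means no size cap in the schema
    }
}

# 2. Who can write them? Look at one real user object: the SELF ACEs come from the user
#    class defaultSecurityDescriptor and sit explicitly on the object, not on the OU.
$sample = Find-One $TargetOU "(&(objectCategory=person)(objectClass=user))" @('distinguishedName')
if (-not $sample) { throw "No user objects found under $TargetOU" }
$rules = $sample.GetDirectoryEntry().ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$writeBits = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll'

foreach ($a in $attrs) {
    $selfAllows = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-10' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeBits) -ne 0 -and
        ($_.ObjectType -eq [guid]::Empty -or            # all properties
         $_.ObjectType -eq $a.SchemaGuid -or            # this attribute directly
         ($a.PropertySet -and $_.ObjectType -eq $a.PropertySet))   # via its property set
    })
    [pscustomobject]@{
        Attribute       = $a.Name
        PropertySet     = Get-PropertySetName $a.PropertySet
        ReplicatedToGC  = $a.InGC
        MaxBytes        = $a.MaxBytes
        SelfCanWrite    = ($selfAllows.Count -gt 0)
        SampleUser      = Get-Prop $sample 'distinguishedname'
    }
}

# 3. Optional hardening: explicit Deny for SELF on each photo attribute, per user object.
#    Explicit ACEs are evaluated before inherited ones, so an inheritable Deny on the OU
#    would NOT beat the explicit Allow already on the object; the Deny has to be explicit too.
if ($Apply) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$TargetOU", "(&(objectCategory=person)(objectClass=user))")
    $searcher.PageSize = 500
    foreach ($u in $searcher.FindAll()) {
        $entry = $u.GetDirectoryEntry()
        foreach ($a in $attrs) {
            $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $selfSid,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Deny,
                $a.SchemaGuid)                       # object-specific ACE on this one attribute
            $entry.ObjectSecurity.AddAccessRule($deny)
        }
        $entry.CommitChanges()
        Write-Verbose "Denied SELF WriteProperty on photo attributes for $($entry.distinguishedName)"
    }
}
```

Run it first without -Apply and read the SelfCanWrite column: if thumbnailPhoto reports a property set of "Personal Information" and SelfCanWrite is true, that is exactly the condition Guido describes, while an attribute with "(none)" and no direct SELF ACE is not user-writable regardless of what the property-set documentation says. The per-object Deny is reversible and needs no schema change, but it only covers users that exist when it runs; new accounts get the default Allow again. The durable fixes are the ones Guido alludes to: clearing attributeSecurityGUID on the attribute's schema object so it leaves the property set (a schema change, Schema Admins only), or editing the user class defaultSecurityDescriptor so new objects are created without that grant.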
