RE: [ActiveDir] Photos in Active Directory
All,

Thanks for the feedback. There's some good information here that will help us determine the best way to do this. We're going to have an AMER and EMEA domain with an empty root but want to quickly and easily obtain the photo of any individual for security purposes. Over 60,000 users.

I agree that it's not necessarily something that we want replicated on all domain controllers. But the nature of our WAN dictates that we need to have all photos fairly local -- pulling from across the Atlantic is too tedious even for small files. We have decent connectivity within those domains. I originally was leaning toward SQL with a web front-end and dealing with the latency (or replicate/cluster). However, AD/AM is an interesting idea as well, as we can then have separate front-ends and pull from the replicated (only where necessary) database.

We're going to have additional issues like how do we get digital photos of everyone and who's going to crop or compress all of the photos, etc, etc, etc. Sounds like fun...

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

WARNING: let's look at the security aspects of photos in AD from another side. You need to be aware that the photo attribute is editable by default by every user himself (just like all the other attributes which are part of the Personal Information property set). But the photo attribute is somewhat special: it's a binary blob which basically has no size limit... (depends on LDAP policy max msg size). This means that if you don't lock down this attribute, every user could potentially upload really large images (think of a 1 GB image) to this attribute and kill all your DCs any time he'd like, either through replication or simply by growing the DIT file over the limits of your disks. So even if you're not going to use this attribute to store photos, you should also ensure that nobody else does it for you.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, 6 April 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL
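Guido's warning is about the default DACL on user objects, and the lockdown he asks for is a DACL change. The PowerShell below is an added example, not code from the thread or from any of the posters: it resolves the photo attribute in the schema, reports whether it is in the global catalog partial attribute set (the "GC PAS" point Guido makes later in the thread), lists every ACE on each user under an OU that can write the attribute (directly, through its property set such as Personal Information, or through an all-properties grant), and with -Fix adds an explicit Deny WriteProperty for SELF on just that attribute to each user. The attribute name, the OU and the account running it are assumptions; the thread never says whether thumbnailPhoto, jpegPhoto or photo was meant. It needs the RSAT ActiveDirectory module.

```powershell
<#
  Added example, not from the thread. Audits who can write a photo attribute on
  user objects and, with -Fix, adds an explicit Deny for SELF on each user so
  users can no longer write it themselves. Assumes the ActiveDirectory module,
  a Windows Server 2003-or-later schema and an account allowed to change the
  DACL of the target users. $Attribute and $SearchBase are placeholders.
#>
param(
    [string]$Attribute  = 'thumbnailPhoto',              # or 'jpegPhoto' / 'photo'
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com', # placeholder OU
    [switch]$Fix                                          # default: report only
)
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# 1. Resolve the attribute in the schema. isMemberOfPartialAttributeSet says
#    whether it replicates to every global catalog.
$attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
        -Properties schemaIDGUID, attributeSecurityGUID, isMemberOfPartialAttributeSet
if (-not $attr) { throw "Attribute '$Attribute' is not in the schema" }
$attrGuid = [guid]$attr.schemaIDGUID
Write-Host ("{0}: schemaIDGUID={1} inGlobalCatalogPAS={2}" -f $Attribute, $attrGuid,
            [bool]$attr.isMemberOfPartialAttributeSet)

# 2. Which property set covers it? attributeSecurityGUID on the attributeSchema
#    object equals the rightsGuid of a controlAccessRight object (e.g. "Personal
#    Information"); write on the set is write on this attribute.
$setGuid = $null
if ($attr.attributeSecurityGUID) {
    $setGuid = [guid]$attr.attributeSecurityGUID
    $set = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
           -LDAPFilter "(rightsGuid=$setGuid)" -Properties displayName
    Write-Host ("Covered by property set: {0} ({1})" -f $set.displayName, $setGuid)
}

$self      = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # 3. Every ACE that can write this attribute: on the attribute itself, on its
    #    property set, or on all properties (empty ObjectType).
    $writers = $acl.Access | Where-Object {
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty -or
         ($setGuid -and $_.ObjectType -eq $setGuid))
    }
    foreach ($ace in $writers) {
        $via = if ($ace.ObjectType -eq $attrGuid) { 'attribute' }
               elseif ($ace.ObjectType -eq [guid]::Empty) { 'all properties' }
               else { 'property set' }
        Write-Host ("  {0,-24} {1,-5} {2,-35} via {3}" -f $user.SamAccountName,
                    $ace.AccessControlType, $ace.IdentityReference, $via)
    }

    # 4. Fix: explicit Deny for SELF on this one attribute, placed on the user
    #    object itself (see the note below on why it cannot be inherited).
    $alreadyDenied = $writers | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $attrGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $self
    }
    if ($Fix -and -not $alreadyDenied) {
        $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $self, $writeProp, [System.Security.AccessControl.AccessControlType]::Deny,
            $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($deny)
        Set-Acl -Path $path -AclObject $acl
        Write-Host ("  {0}: added Deny WriteProperty({1}) for SELF" -f $user.SamAccountName, $Attribute)
    }
}
```

Run it once without -Fix and read the report before changing anything. The Deny has to sit on each user object rather than be inherited from the OU: the SELF allow on Personal Information comes from the user object's own DACL (stamped from the class defaultSecurityDescriptor), and an explicit allow takes precedence over an inherited deny. Users created after the run therefore need the same ACE added by whatever provisions them, or the defaultSecurityDescriptor of the user class changed. On the size point, a single LDAP request is bounded by the directory's MaxReceiveBuffer query-policy value (10 MB by default), so the outcome Guido describes comes from many users, or repeated writes, rather than one 1 GB request.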
RE: [ActiveDir] Photos in Active Directory
If you're using this for security reasons, then the main challenge will not only be how to get a digital photo of everyone, but also to prove that the jpeg file you're receiving to upload into AD really is the person it's supposed to represent... - I'm sure that's the most fun part. And obviously you must limit the permissions on the appropriate attribute in AD as previously mentioned.

The quality of the photos will really dictate what you can do with it and what the impact on AD would be - do you only need it for a rough visual comparison on a monitor (a 5-6 KB thumbnail JPEG of a face will do), or do you need a picture to view on a monitor at a distance (i.e. full page) which is also good enough to print as a small picture (25-35 KB JPEG file), e.g. to create badges? I won't even consider mentioning high-res pictures. But the two examples above, calculated for 60,000 users, will roughly grow your AD dit file as follows:

Thumbnail (5-6 KB) = 300-360 MB
Full page (25-35 KB) = 1,500-2,100 MB

As I expect your dit to be roughly 2-3 GB right now without the photos, you'd be talking about an increase of approx. 10% vs. 50% of data in AD. I was just interested myself in the impact on AD in a scenario such as yours, which is why I did this rough estimate. As such the thumbnail option isn't really that much of an impact on AD after all... But don't forget that you'll have to add the photo attribute to the GC PAS (currently not the case) if you truly want to access the data no matter which DC you connect to. However, if you accept the size increase, it shouldn't add too much to your daily replication volume (once all the photos are in AD), as this data should be pretty static (unless you plan to update it every day with the most current picture of the user ;-)).

But no matter what, you'll definitely have more flexibility using a separate store for the photo data and just linking the right picture to the right AD account. You'll even be able to delegate the task of updating the pictures much more easily without having to trust your NOS directory admins not to fool around with this security data.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 13 April 2004 22:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory
RE: [ActiveDir] Photos in Active Directory
Guido's response is the first thing I thought of as well. I don't think AD is a proper place for that info for a couple of reasons:

1. Do you really need this replicated to every DC?
2. If someone dumps your AD, they get all of the photos too. How many people would like to have their entire company, including photos of everyone, distributed around? I personally don't like having my photo floating around and don't have it in our corporate photo system (which is a web site, not in AD).
3. You are growing your DIT for no real NOS benefit.
4. You could really live to regret this when people decide to get creative.

Also, how do you intend to display this info? Obviously having it out there is for the single purpose of displaying it later. If you have people put it in and no way to display it, someone will call you out on that.

I would stick this info in an AD/AM or SQL Server or something along those lines. Also put up some strict standards on what images get added. I know of a case where some monkey where I work had a picture of himself with a Cat in the Hat hat on. I recall seeing that photo one day, hearing he complained up to the IT Director under the CIO for something or another, and then hearing from some friends that his Cat in the Hat photo was suddenly gone from the directory. So I figure the Director wanted to look this gomer up in the Org list and up popped that photo, much to the director's distaste. I have also seen some other more frightful images for a corporate directory that could spawn lawsuits.

joe
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, 6 April 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Photos in Active Directory
That's a good point and one I had not thought of (killing the DCs with large photos). Another suggestion, if you do want to keep a photo stored in AD: I would do like Guido suggested and restrict the attribute to the appropriate groups or whatever, and use some program to limit the size of the photo. I haven't really looked into this much. There is a program called ImageMagick (www.imagemagick.org) that will do some cool stuff (resizing, etc).

- Robbie

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Grillenmeier, Guido wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, 6 April 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any use (including retransmission or copying) of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient of this transmission, please contact the sender and delete the material from any computer. The sender is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Any replies to this email may be monitored by the MCPS-PRS Alliance for quality control and other purposes.
RE: [ActiveDir] Photos in Active Directory
It all depends on how large your organisation is, I guess: how many sites, WAN links, etc. I wouldn't really recommend it, as you really want to keep your AD as small as possible for replication and performance reasons. What benefit will you get out of having users' photos in the user object?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory
RE: [ActiveDir] Photos in Active Directory
I think the benefit is obvious - security. You may want to consider using Active Directory Application Mode or setting up an Application Partition in AD (assuming you are using W2K3). Either would enable you to isolate the data replication. Photos shouldn't change much, so once you have done your initial replication there shouldn't really be any additional traffic to bear.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory
RE: [ActiveDir] Photos in Active Directory
To keep your replication traffic down, why don't you just add a link in the user properties that takes you to a web page with their picture? That way you have a server with the pictures stored on it and you are only keeping links in the AD directory.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, April 06, 2004 10:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory
[ActiveDir] Photos in Active Directory
Hi all,

We're in the middle of designing our Active Directory (Server 2003) and our security group just came up with the idea that it would be great to include a photo of the user in each user object. I know this CAN be done but I'm looking for information that would tell me whether it SHOULD or SHOULD NOT be done. Any references anyone can think of or, better yet, personal experience with this?

Thanks,
Mike