Some user photos are not syncing with AD

We have recently set up Lync integration with SharePoint 2010 and are having the issue that user pictures are only exporting to AD for new users that joined since the config change in SharePoint and AD. Is there any way to get existing users' photos exported to AD along with those of new members of staff? Thanks in advance!

Rob

September 19th, 2012 11:01am

Hi,

You need to run the update command in PowerShell to get all updates from AD:

Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos 1 -MySiteHostLocation http://<YourServerName>/my

Check this blog for more info: http://sharepointadam.com/2010/11/18/import-user-profile-photos-from-active-directory-into-sharepoint-2010/

Hope it could help

September 19th, 2012 11:19am

Thanks for that! We are actually looking to export the photo from SharePoint's value though by marking the picture user profile attribute to export to the AD Attribute thumbnailPhoto rather than importing it from an AD original. This is because users can change their corporate photos and need to be able to do this through their MySites.  I think what you suggested only works if the thumbnail photo attribute already is populated in AD?
September 19th, 2012 11:24am

Incremental Sync will only export the changes from the day the setup was done. However, you can force FIM to export all photos by doing an update on User Profile picture url property by setting it to blank and reverting to the original value. This action gets recorded as a change and the PictureUrl gets exported to AD by the DS Export FIM Management Agent. I did this using PowerShell and the next day all photos were exported to AD, thereby avoiding a Full Sync.


  • Edited by Guru Karnik Wednesday, September 19, 2012 2:25 PM
September 19th, 2012 2:23pm

When you say "setting it to blank and reverting to the original value", can you explain what you mean? Do you mean without leaving the property update page? Alternatively, can you mention what Powershell command you used?
  • Edited by robin thakur Wednesday, September 19, 2012 3:33 PM
September 19th, 2012 3:33pm

First, you can export all the users with my site pictures by using the below query against the user profile database and save it to a CSV file. This will be the backup and will also be used to iterate through user profiles with profile pictures.

SELECT NTName,PreferredName,PictureUrl
FROM UserProfile_Full WITH (NOLOCK)
WHERE bDeleted=0
AND LEN(PictureUrl)>0

Next, you can run the below PowerShell to reset the PictureUrl value of the User Profile by fetching user profiles as listed in the csv file. This would be way faster than enumerating each user profile and checking if PictureUrl value exists.

Try updating for one user profile and then go ahead with mass update.

# Load the User Profile assemblies
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server");
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles");

# Load the SharePoint snap-in if it is not already loaded
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

$svcContext = Get-SPServiceContext "<MySiteHostUrl>";
$profileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($svcContext);
# CSV saved from the SQL query above (columns NTName, PreferredName, PictureUrl)
$UsersWithSPPictures = (Import-Csv "C:\UserProfilesWithPictures.csv");

foreach ($user in $UsersWithSPPictures) {
    try {
        # Get the user profile and remember the current picture URL
        $userprofile = $profileManager.GetUserProfile($user.NTName);
        $PicUrl = $userprofile["PictureUrl"].Value;
        Write-Host $PicUrl;

        # Reset PictureUrl ($null is the built-in null value) so a change is recorded
        $userprofile["PictureUrl"].Value = $null;
        $userprofile.Commit();

        Write-Host "Picture Url deleted for: " $user.NTName "Picture Url: " $userprofile["PictureUrl"].Value;

        # Restore the original picture URL
        Write-Host "Updating: " $PicUrl;
        $userprofile["PictureUrl"].Value = $PicUrl;
        $userprofile.Commit();

        Write-Host "User Picture Url updated: " $userprofile["PictureUrl"].Value;
    }
    catch [System.Exception] {
        # Report the account that failed and continue with the next one
        Write-Host "$($user.NTName): $($_.Exception.Message)";
    }
}



September 19th, 2012 7:51pm

Thanks for this code Guru Karnik.  However, I ran it successfully using the farm account on one user record and it didn't work.  I tried it again and it successfully removed and added the PictureUrl back but, the photo still will not sync back to AD.  Every other user in the system has no issues with the photo sync to AD.  It's just this one user record which is making it a mystery as to why this is happening.   I have it set to sync at midnight so I have to wait a day to see if this works which makes it more frustrating.  Any ideas? 

To give a little more background on our set up, we have users upload their photo to their SP MySite.  These are then sent over to AD via the sync.  Thanks for any help!

April 11th, 2013 2:04pm

Can you open Forefront Identity Manager client and see if there are any errors in the DS_Export agent?
April 11th, 2013 11:24pm

You can run a full sync anytime you want -> Central Admin -> Manage service applications -> UPSA -> Start Profile Synchronization

As Guru stated, check the FIM client for any errors during the export.  C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe

If you're seeing any sort of dll-exceptions, the first place I would look is the format of the photo and its size.

April 12th, 2013 1:11am

Thanks for pointing that out!  After looking for errors in the DS_Export, I found that there was a permissions issue with the account and that led me to the solution at this blog linked below.  It is related to an account that has been given elevated permissions at some point.  This disconnects the inherit permissions from parent in AD.

Insufficient access rights to perform the operation
http://velavans.blogspot.com/2011/10/insufficient-access-rights-to-perform.html

Just in case that blog ever goes down, here is the copy:

In SharePoint 2010 I have profile export configured to export certain data from SharePoint to AD. Everything was working fine, except that for certain users the export failed with the error "Insufficient access rights to perform the operation". Upon further investigation, I found that these users were given elevated privileges at some point in time. Doing so removed the inherited permissions from the parent object. Fixing this resolved the issue. To give this permission:
  1. Double click on the user with the issue and select the "Security" tab (if this tab is not visible, right click on the users folder on the left pane and select "View" and select the "Advanced Features" option).
  2. On the "Security" tab click on the "Advanced" button
  3. Check the "Include Inheritable permission from this object's parent" check box
  4. Close all the dialogs by clicking "Ok" button twice
  5. Repeat steps 1 through 4 for all users with this issue
Next time the user profile is synchronized the data will be updated to AD.

  • Edited by zmagicx Tuesday, April 16, 2013 12:13 PM
  • Proposed as answer by kevdines Thursday, May 08, 2014 12:54 PM
April 16th, 2013 12:10pm

Unsupported
August 21st, 2013 2:15pm

I have a similar problem.

zmagicx's solution worked for one of my users, but others still didn't sync.

I then followed Guru's solution for another user but nothing updated.  I can see the photo in the user profile as well as with the first SQL script of Guru. 

I went into ADSI Edit to view the properties for this user and the thumbnailPhoto property was empty.  I decided to enter a value and save.  I ran a full sync again and the property was empty again.  I then checked for errors in DS_Export in Forefront Identity Manager client and found that there was one update.  It updated this user with an empty value. 

Why would this be?

November 18th, 2014 10:16am

Have you had an answer to this specific question?

I have the same issue. The picture from SharePoint will be added in AD the first time, but then, if AD has a picture and the picture is changed in SharePoint, then the change is not synced into AD. It is like FIM has some cache and does not see the change.

Any help would be great.

Thanks,

Happouh

June 5th, 2015 10:03am

This topic is archived. No further replies will be accepted.
