Require AD photos in Outlook

We have uploaded authorized company photos to Active Directory (thumbnailPhoto attribute). However, some of our users have uploaded their own photos in Outlook 2013. While I still believe that the AD photos are the authorized ones that we have uploaded (they have not been overwritten by the users' unauthorized photos), when emailing these users, their unauthorized photo is displayed. This is causing consternation in our HR department.

Is there any way to force Outlook to use the AD photos instead of the users' unauthorized ones? Internet searches have turned up information on forcing this in Lync, but I can't find any information on how to do it in Exchange 2013.

July 30th, 2015 6:58pm

Hi PDX,

Thank you for your question.

We should disable it in ECP and OWA.

Within ECP, when we change the picture in Outlook, we must log in to ECP, so we should disable it in ECP with the following steps:

  1. Log in to the EAC using https://<server>/ecp as a user that has rights to modify user roles.
  2. Navigate to the Permissions section, then to user roles. You will find the Default Role Assignment Policy. Once the policy is highlighted, click the pencil to edit this policy.
  3. Under Contact Information, uncheck the box in front of MyContactInformation and then check the boxes for MyAddressInformation and MyMobileInformation. Then click Save.

Within OWA, we disable the change by running the following command on the Exchange 2013 CAS server:

Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -SetPhotoEnabled $False

Then, we should run the following command to restart IIS to make it work:

IISReset /NoForce

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

July 31st, 2015 1:09am

Jim,

I'm sorry it has taken a few days to get back to you. Your answer looks very promising, so I performed the tasks you outlined. When it didn't work right away, I decided to wait for a maintenance window so that I could reboot (not just perform an iisreset) on the Client Access Server. I tested it this morning after the reboot, and am discouraged to find that I can still upload photos as a non-privileged user using OWA that supersede the thumbnailPhoto attribute in AD.

The only difference between your instructions and the tasks I performed is that I had to prepend the Identity parameter on the Exchange console command with the name of the Client Access server--otherwise the command gave an error. Here's what I used:

Set-OwaVirtualDirectory -Identity "<client_access_server>\owa (Default Web Site)" -SetPhotoEnabled $False

I have also verified that the Default Role Assignment Policy (which is the only user role policy in our environment) in EAC has MyContactInformation unchecked, MyAddressInformation checked, MyMobileInformation checked and MyPersonalInformation unchecked.

Can you think of anything I may have missed?

Thanks,

PDX_BenS

August 6th, 2015 11:58am
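
An added example, not part of the thread and not posted by either participant: a read-only audit, run from the Exchange Management Shell, that reports the settings discussed above across all servers and policies. It assumes an account with rights to view role assignments and OWA configuration; the OWA mailbox policy check in step 2 goes beyond what the thread covers.

```powershell
# Added example: read-only audit, run from the Exchange Management Shell.
# It changes nothing; it only reports the current state.

# 1. Photo upload flag on each OWA virtual directory (one per CAS server).
Get-OwaVirtualDirectory |
    Select-Object Server, Name, SetPhotoEnabled |
    Format-Table -AutoSize

# 2. OWA mailbox policies expose a SetPhotoEnabled property of their own.
#    (Not mentioned in the thread; listed so both scopes are visible.)
Get-OwaMailboxPolicy |
    Select-Object Name, SetPhotoEnabled |
    Format-Table -AutoSize

# 3. Every place the built-in MyContactInformation role is still assigned.
#    No rows means it is not assigned to any policy, group or user
#    (custom roles derived from it are not covered by this query).
Get-ManagementRoleAssignment -Role 'MyContactInformation' |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, Enabled |
    Format-Table -AutoSize

# 4. Which role assignment policy each mailbox actually uses, to confirm
#    that the edited policy is the one in effect for the affected users.
Get-Mailbox -ResultSize Unlimited |
    Group-Object -Property RoleAssignmentPolicy |
    Select-Object Count, Name |
    Format-Table -AutoSize
```
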

This topic is archived. No further replies will be accepted.
