Configure SharePoint 2010 to Export Profile Pictures to AD

Summary

Prerequisites
  • Permissions in AD
    • The connection account requires the following permissions in AD DS.
    • The connection account must have Replicate Directory Changes permissions on the domain. For more information, see the Grant Replicate Directory Changes permission on a domain section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.
    • When exporting property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects on this object and all descendants and Write All Properties on this object and all descendants permission on the organizational unit (OU) that is being synchronized with SharePoint 2010.For more information, see the Grant Create Child Objects and Write permission section of the "Grant Active Directory Domain Services permissions for profile synchronization" procedural reference article.
  • Permissions in SharePoint 2010
    • The account for the User Profile Synchronization Service (not the connection account) requires local administrator rights on the SharePoint server running the synchronization service.

User Profile Application Configuration

The information in the article is written with the presumption that the following configuration is true



User Profile Service Application has been provisioned. 

User Profile Service Application has been started. 

User Profile Synchronization Service has been started.

  • In Central Administration go to Application Management | Manage Service Applications | User Profile Application
  • Select Manage User Properties

Manage User Properties

  • Select the 'Picture' property and choose edit in the drop down menu. 


Picture Property





  •  Add a new mapping for the picture property with the following information 
    • Source Data Connection: <AD DS Connection>
    • Attribute: thumbnailPhoto
    • Direction: Export


    Data Connections Settings


  • Click Add.

Export Picture Property



More Information


Troubleshooting Information


The most common issue with profile picture export is the SharePoint Server running profile synchronization is not able to request the profile picture from the my site web application.


IIS logs Entry for a successful request to get the picture. Notice that the large thumbnail is retrieved.

2012-11-15 19:02:28 10.10.227.24 GET /User+Photos/Profile+Pictures/CONTOSO_danj_LThumb.jpg - 80 - 10.10.227.24 - 401 0 0 5

2012-11-15 19:02:28 10.10.227.24 GET /User+Photos/Profile+Pictures/CONTOSO_danj_LThumb.jpg - 80 - 10.10.227.24 - 401 1 2148074254 2

2012-11-15 19:02:28 10.10.227.24 GET /User+Photos/Profile+Pictures/CONTOSO_danj_LThumb.jpg - 80 0#.w|contoso\spsvc 10.10.227.24 - 200 0 0 20


Permissions on the AD object is another common scenario that will cause the picture not to be exported to AD.

In the MIIS Client on the Operations tab review the run history. The profile picture is exported to AD in the DS_EXPORT step. If the DS_EXPORT steps has a status of completed-export-errors, review the export errors. The most common scenario is that the connection account for the AD connection doesn't have the correct permissions to the object in AD. Follow the prerequisite steps to give the appropriate permissions on the object in AD.

Propiedades

Id. de artículo: 2784927 - Última revisión: 3 dic. 2012 - Revisión: 1

Comentarios