I’ve been working on implementing Windows 10 at a company.
They wanted to import photos of all users into Active Directory and have all the other systems pull the pictures from it. I primarily focused on Windows clients, Lync and SharePoint.


Our goal is to have Windows 8 and 10 clients pull the pictures from Active Directory into the users' local profiles.

1. Importing the pictures to Active Directory

There are several approaches for this. For getting the pictures into AD, I prefer using PowerShell.
If you're more into GUI tools, I can recommend AD Photo Edit.
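One way to do the PowerShell import described in this step, as an added example (not the author's script). It assumes portraits are named after each user's sAMAccountName and are written to the standard thumbnailPhoto attribute; the function names Test-PortraitFile and Import-AdPortrait and the folder path are placeholders chosen for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions: portraits are named <sAMAccountName>.jpg in
# $PhotoDir, and the target is the standard thumbnailPhoto attribute.

function Test-PortraitFile {
    param([Parameter(Mandatory)][string]$Path, [int]$MaxBytes = 100KB)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    # A JPEG starts with the marker bytes FF D8 FF; refuse anything else.
    $isJpeg = $bytes.Length -ge 3 -and $bytes[0] -eq 0xFF -and
              $bytes[1] -eq 0xD8 -and $bytes[2] -eq 0xFF
    $reason = if (-not $isJpeg) { 'not a JPEG' }
              elseif ($bytes.Length -gt $MaxBytes) { 'larger than limit' }
              else { 'ok' }
    [pscustomobject]@{ Bytes = $bytes; Valid = ($reason -eq 'ok'); Reason = $reason }
}

function Import-AdPortrait {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PhotoDir)

    foreach ($file in Get-ChildItem -Path $PhotoDir -Filter *.jpg -File) {
        $check = Test-PortraitFile -Path $file.FullName
        if (-not $check.Valid) {
            Write-Warning "$($file.Name): skipped, $($check.Reason)"
            continue
        }
        try {
            # -Identity takes the account name literally, so there is no
            # filter string for an odd file name to break out of.
            $user = Get-ADUser -Identity $file.BaseName -ErrorAction Stop
        } catch {
            Write-Warning "$($file.Name): lookup failed: $($_.Exception.Message)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set thumbnailPhoto')) {
            Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = [byte[]]$check.Bytes }
        }
    }
}

# Dry run first; remove -WhatIf to write. The path is a placeholder.
Import-AdPortrait -PhotoDir 'C:\Photos' -WhatIf
```

The size and header check runs before anything is written to the directory, so a mislabeled or oversized file is reported and skipped instead of being replicated to every domain controller.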

2. Create the required scripts

You need a (startup) script that downloads the picture data from Active Directory and converts it to JPEG files.
The script then sets these images as the local user's profile picture/tile.

The PowerShell script I'm using was originally written by Jordan. I modified it for better functionality and to make it work better with Windows 10.

To make this script run hidden, I resorted to creating a VBScript wrapper that silently executes the script.

Now put both of these scripts in your NETLOGON folder (i.e. \\domain.local\NETLOGON).

3. Setting up the GPO

Open the Group Policy Management Console and create a new GPO. Let's call it “Pictures”.

Edit it and go to

Computer Configuration > Policies > Windows Settings > Security Settings > Registry

Right-click Registry and select Add Key. Then add the key:


Give Full Control permission on this key (and subkeys) to <Domain>\Users.
Also make sure you have selected Replace existing permissions on all subkeys with inheritable permissions. Otherwise the script will not be able to update the necessary registry values.

4. Setting up the Task schedule

To run the function there are a couple of different approaches. You could execute it either from the “Logon Scripts” function in a Group Policy or via Task Scheduler, for example. Since you probably know how to set up a logon script, I'll demo how to set up a scheduled job…

In the same Group Policy object as above, go to:

User Configuration > Preferences > Control Panel Settings > Scheduled Tasks

Right-click and select the New Scheduled Task (At least Windows 7) option.

Under the General tab, set name to: Set-ADPicture

Under the Triggers tab, create a new trigger and select Begin the task: At Login, Any User

Under the Actions tab:
Create a new action and select the action “Start a program”.
In the Program/script option, select the VBScript wrapper from NETLOGON.

Under the Conditions tab:
I prefer to enable Start only if the following network connection is available, to make sure it does not waste resources if disconnected from the network.

5. Target the GPO

All the settings are now set. Go back to the Group Policy console and create your target links to the proper OUs.

Please let me know if I've missed something or if it's not working for you.