Storing Photos in Active Directory - jpegPhoto attribute - User class

Has anyone tried this in VB .NET or via VBScript? Can it be done? How
do we handle retrieving a binary data format (the photo) using ADSI or
VB .NET? All my searching on the net yielded no useful results except
for a half completed Perl script which claimed to be able to upload and
download photos stored in AD as part of the User account.

Joe
Wed Jul 21 13:53:05 CDT 2004

It is pretty easy to do in .NET. Not as easy in VBScript.

Essentially, you just read the data you want into a byte array (from a
filestream or something). Then, bind to the object with the DirectoryEntry
class and call the Add method on the PropertyValueCollection for that
attribute with the byte array. Then call CommitChanges. Download would be
basically just the opposite.

I believe Matjaz Ladava posted a sample showing how to do this in .NET in
one of the MS newsgroups that you could find with a Google search pretty
easily.

Joe K.


"netcoder77" <netcoder77-msnews@yahoo.com> wrote in message
news:OquBii0bEHA.2972@TK2MSFTNGP12.phx.gbl...
> Has anyone tried this in VB .NET or via VBScript? Can it be done? How
> do we handle retrieving a binary data format (the photo) using ADSI or
> VB .NET? All my searching on the net yielded no useful results except
> for a half completed Perl script which claimed to be able to upload and
> download photos stored in AD as part of the User account.

Net
Thu Jul 22 06:02:13 CDT 2004

Joe Kaplan (MVP - ADSI) wrote:
> It is pretty easy to do in .NET. Not as easy in VBScript.
>
> Essentially, you just read the data you want into a byte array (from a
> filestream or something). Then, bind to the object with the DirectoryEntry
> class and call the Add method on the PropertyValueCollection for that
> attribute with the byte array. Then call CommitChanges. Download would be
> basically just the opposite.
Sounds straightforwards enough, don't know why I thought it was more
complicated than it sounds. I'll have to try it out.

> I believe Matjaz Ladava posted a sample showing how to do this in .NET in
> one of the MS newsgroups that you could find with a Google search pretty
> easily.
Thanks for that information. I'll now search for the author's name.
Thanks for your suggestions.

On a different note, does anyone know if there would be any problems
with storing large number of jpeg images in the user object as part of
AD? How is replication affected? And caveats?

>
> Joe K.
>
>
> "netcoder77" <netcoder77-msnews@yahoo.com> wrote in message
> news:OquBii0bEHA.2972@TK2MSFTNGP12.phx.gbl...
>
>>Has anyone tried this in VB .NET or via VBScript? Can it be done? How
>>do we handle retrieving a binary data format (the photo) using ADSI or
>>VB .NET? All my searching on the net yielded no useful results except
>>for a half completed Perl script which claimed to be able to upload and
>>download photos stored in AD as part of the User account.
>
>
>

Joe
Thu Jul 22 09:21:50 CDT 2004

On the activedir.org mailing list, there was a discussion about this a few
months ago. Depending on the size of the objects, this may or may not be a
problem with replication. That tends to be very sensitive to your actual
deployment and how often they change (probably not very often I assume).
You might want to add them to the directory slowly if you are worried and
try to keep the sizes down.

However, one thing to consider is that by default, users have rights to
modify this property directly with their own account AND the attribute has
no max size. As such, it could be used maliciously by some users as a DoS
attack on your DC if they decided to upload their swap file or something
similarly large. You might want to think carefully about allowing users
rights to modify this attribute directly.

Joe K.

"Net Coder" <netcoder77-msnews@yahoo.com> wrote in message
news:%23mTgiv9bEHA.1764@TK2MSFTNGP10.phx.gbl...
> Joe Kaplan (MVP - ADSI) wrote:
> > It is pretty easy to do in .NET. Not as easy in VBScript.
> >
> > Essentially, you just read the data you want into a byte array (from a
> > filestream or something). Then, bind to the object with the
DirectoryEntry
> > class and call the Add method on the PropertyValueCollection for that
> > attribute with the byte array. Then call CommitChanges. Download would
be
> > basically just the opposite.
> Sounds straightforwards enough, don't know why I thought it was more
> complicated than it sounds. I'll have to try it out.
>
> > I believe Matjaz Ladava posted a sample showing how to do this in .NET
in
> > one of the MS newsgroups that you could find with a Google search pretty
> > easily.
> Thanks for that information. I'll now search for the author's name.
> Thanks for your suggestions.
>
> On a different note, does anyone know if there would be any problems
> with storing large number of jpeg images in the user object as part of
> AD? How is replication affected? And caveats?
>
> >
> > Joe K.
> >
> >
> > "netcoder77" <netcoder77-msnews@yahoo.com> wrote in message
> > news:OquBii0bEHA.2972@TK2MSFTNGP12.phx.gbl...
> >
> >>Has anyone tried this in VB .NET or via VBScript? Can it be done? How
> >>do we handle retrieving a binary data format (the photo) using ADSI or
> >>VB .NET? All my searching on the net yielded no useful results except
> >>for a half completed Perl script which claimed to be able to upload and
> >>download photos stored in AD as part of the User account.
> >
> >
> >

Net
Sat Jul 24 13:24:50 CDT 2004

Joe Kaplan (MVP - ADSI) wrote:
> On the activedir.org mailing list, there was a discussion about this a few
> months ago. Depending on the size of the objects, this may or may not be a
> problem with replication. That tends to be very sensitive to your actual
> deployment and how often they change (probably not very often I assume).
> You might want to add them to the directory slowly if you are worried and
> try to keep the sizes down.
> However, one thing to consider is that by default, users have rights to
> modify this property directly with their own account AND the attribute has
> no max size. As such, it could be used maliciously by some users as a DoS
> attack on your DC if they decided to upload their swap file or something
> similarly large. You might want to think carefully about allowing users
> rights to modify this attribute directly.

Hmm. The object does not have maximum or minimum size set but the ACL
on a W2K3 AD server in native mode doesn't seem to allow SELF write to
the jpegPhoto attribute/property, or am I missing something?

Joe
Sat Jul 24 17:59:44 CDT 2004

Sorry, I misled you a little bit. The attribute I was thinking of is the
thumbnailPhoto attribute which is a Win2K attribute with the same syntax and
size limitations. It is in the Personal-Information control access right,
so users do generally have rights to write to it. jpegPhoto is new for 2K3
and is not in the Personal-Information CAR. I'm still not that used to 2K3
schema.

So, the warning still applies to thumbnailPhoto in terms of security/DoS,
but not to jpegPhoto.

Joe K.

"Net Coder" <netcoder77-msnews@yahoo.com> wrote in message
news:OxlSNwacEHA.2352@TK2MSFTNGP09.phx.gbl...
> Joe Kaplan (MVP - ADSI) wrote:
> > On the activedir.org mailing list, there was a discussion about this a
few
> > months ago. Depending on the size of the objects, this may or may not
be a
> > problem with replication. That tends to be very sensitive to your
actual
> > deployment and how often they change (probably not very often I assume).
> > You might want to add them to the directory slowly if you are worried
and
> > try to keep the sizes down.
> > However, one thing to consider is that by default, users have rights to
> > modify this property directly with their own account AND the attribute
has
> > no max size. As such, it could be used maliciously by some users as a
DoS
> > attack on your DC if they decided to upload their swap file or something
> > similarly large. You might want to think carefully about allowing users
> > rights to modify this attribute directly.
>
> Hmm. The object does not have maximum or minimum size set but the ACL
> on a W2K3 AD server in native mode doesn't seem to allow SELF write to
> the jpegPhoto attribute/property, or am I missing something?