Monday, October 22, 2012

Limit access to thumbnailPhoto AD attribute

I was searching the web for how to limit access to the thumbnailPhoto AD attribute, but I could only find how to grant access or how to enable the attribute, so I had to dig in a bit myself.

Why to limit access?

First, you have no control over what users upload as their photo. It can be someone else's photo (a model, an actor, a colleague from the same company), an animal, or an object such as a car. It can also be something against your company's policy or even against the law, such as racist imagery or child pornography. You don't want that stored in your directory.

Second, your AD database grows with every picture, and since AD is there for identity and access management you want to keep it as lean as possible. Gigabytes of pictures replicating between domain controllers do not help with that, and you will end up sizing the disks of your servers for them as well.

What options are there?

There are basically two ways: you can deny write access to the attribute and, if necessary, grant it to a chosen group of people, or you can lower the maximum size of a picture that AD accepts for the attribute. The two are independent and can be combined.

How to do it?

To limit access you need the right to modify permissions on the container you apply the change to: Domain Admins membership if you do it at the domain root, or a lower level of delegation (the right to modify permissions on that OU) if you only touch a particular OU.

In ADUC, right-click the domain root (or any OU), choose Properties, then the Security tab, then Advanced. In the Advanced window click Add, type Everyone as the object name and click OK. In the next window go to the Properties tab and, from the "Apply to" drop-down list, choose User objects or Descendant User objects, depending on the container you are editing. Scroll almost to the bottom to find Write thumbnailPhoto, tick the Deny box and click OK. Now nobody can add a photo to AD. Keep in mind that a Deny for Everyone also covers administrators and any group you allow at the same level, because Deny entries are evaluated before Allow entries. If some group (HR or whoever) should still be able to set photos for others, deny the write to SELF instead of Everyone: users then cannot upload a picture for themselves, while the delegated group can do it for everyone.

To change the maximum allowed picture size (by default rangeUpper is 102400 bytes, i.e. 100 KB) you must be a member of Schema Admins, because it is a schema change and therefore applies to the whole forest.

Go to the server that holds the Schema Master role, open ADSI Edit, connect to the Schema naming context, scroll down to CN=Picture (the schema object behind the thumbnailPhoto attribute), right-click it and choose Properties. In the Attribute Editor tab find rangeUpper and change it to the desired value in bytes; the domain controller rejects any write of a value longer than that. As an alternative to the permission-based method above you can set this value to 1 byte, which in practice blocks every upload, including those by HR, and does so for the whole forest.
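Both controls above can be scripted instead of clicked through ADUC and ADSI Edit. The PowerShell below is an added example, not code from the original post; it uses the ActiveDirectory module (the AD: drive it provides and Get-ADObject, Set-ADObject, Get-ADForest, Get-ADRootDSE) and assumes the RSAT module is installed and that you run it with the rights described above. The container DN and the sizes in the usage lines are placeholders. It looks the attribute and class GUIDs up in the schema instead of hard-coding them, denies the write to SELF by default (pass Everyone to block all writers, with the caveat that this also blocks the delegated group), and reads each change back so you can verify it.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# module is available and the caller has the rights described in the post.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve a schema GUID by lDAPDisplayName rather than hard-coding it.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object Guid (,$obj.schemaIDGUID)
}

# Option 1: Deny "Write thumbnailPhoto" on descendant user objects of a container.
# $Principal defaults to SELF (S-1-5-10): users cannot change their own photo,
# but a delegated group (HR) still can. Passing Everyone denies everybody,
# including that group, because Deny entries are evaluated before Allow entries.
function Deny-ThumbnailPhotoWrite {
    param(
        [Parameter(Mandatory)][string]$ContainerDN,
        [System.Security.Principal.IdentityReference]$Principal =
            (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10')
    )
    $attrGuid = Get-SchemaGuid 'thumbnailPhoto'   # object type: this attribute only
    $userGuid = Get-SchemaGuid 'user'             # inherited object type: user objects

    # Deny WriteProperty for the attribute, inherited by descendant user objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Principal,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid
    )

    $path = "AD:\$ContainerDN"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back: the Deny ACE for the attribute should now be present.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $attrGuid -and $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

# Option 2: change rangeUpper on the schema attribute. CN=Picture is the schema
# object whose lDAPDisplayName is thumbnailPhoto. Requires Schema Admins and is
# forest-wide, so the write goes to the schema master and is read back from it.
function Set-ThumbnailPhotoMaxSize {
    param([Parameter(Mandatory)][int]$Bytes)
    $schemaMaster = (Get-ADForest).SchemaMaster
    $attr = "CN=Picture,$schemaNC"
    $before = (Get-ADObject -Identity $attr -Properties rangeUpper -Server $schemaMaster).rangeUpper
    Set-ADObject -Identity $attr -Replace @{ rangeUpper = $Bytes } -Server $schemaMaster
    $after  = (Get-ADObject -Identity $attr -Properties rangeUpper -Server $schemaMaster).rangeUpper
    "rangeUpper on $attr : $before -> $after"
}

# Usage (placeholder DNs; replace with your own container):
# Deny-ThumbnailPhotoWrite -ContainerDN 'OU=Staff,DC=example,DC=com'
# Deny-ThumbnailPhotoWrite -ContainerDN 'DC=example,DC=com' `
#     -Principal (New-Object System.Security.Principal.NTAccount 'Everyone')
# Set-ThumbnailPhotoMaxSize -Bytes 51200   # 50 KB; the post's workaround is -Bytes 1
```

Run the first function against the domain root to mirror the ADUC steps above, or against a single OU to scope it. Because the Deny ACE is inherited, an explicit Allow placed directly on a user object would still win over it, so check the effective permissions on a sample user after applying it. The rangeUpper change is also easy to revert with the same function by passing 102400, the default.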

