Category Archives: Active Directory

Get/Set Active Directory Photos by using PowerShell

Hello everyone. Today a colleague asked me if I know of a simple way to get user pictures from Active Directory. Of course I do and I will show you how you can get and set pictures in Active Directory by using PowerShell.

Important: The following scripts require Remote Server Administration Tools to be installed on your computer if you do not run them on a Domain Controller.

To export a user's picture from Active Directory, run the script below and provide a UserName and a PicturePath (for example C:\example.jpg) where the picture should be stored:

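# Export a user's thumbnailPhoto attribute to a file (Windows PowerShell 5.1).
Param([parameter(Mandatory=$true)][alias("User")]$UserName, [parameter(Mandatory=$true)][alias("Picture")]$PicturePath)

Import-Module ActiveDirectory

# thumbnailPhoto is not returned by default, so request it explicitly.
$user = Get-ADUser $UserName -Properties thumbnailPhoto
# Stop instead of writing an empty file when the user has no photo.
if ($null -eq $user.thumbnailPhoto) { throw "User '$UserName' has no thumbnailPhoto set." }
# -Encoding byte writes the raw bytes; PowerShell 6 and later use -AsByteStream instead.
$user.thumbnailPhoto | Set-Content $PicturePath -Encoding byte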

To update a user's photo, run the script below and provide a UserName and the PicturePath of the new picture:

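# Write a picture file into a user's thumbnailPhoto attribute (Windows PowerShell 5.1).
Param([parameter(Mandatory=$true)][alias("User")]$UserName, [parameter(Mandatory=$true)][alias("Picture")]$PicturePath)

Import-Module ActiveDirectory

# Read the file as raw bytes; PowerShell 6 and later use -AsByteStream instead of -Encoding byte.
$photo = [byte[]](Get-Content $PicturePath -Encoding byte)
# -Replace overwrites any existing thumbnailPhoto value.
Set-ADUser $UserName -Replace @{thumbnailPhoto=$photo}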

That's it. Getting and setting pictures in Active Directory is as simple as this.

As always you can download my scripts from here.
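
A stricter variant of the update script, as an added example that is not part of the original post or the author's scripts: it checks the file before writing and reads the attribute back afterwards. The function name Set-ADUserPhotoChecked and the JPEG-only check are assumptions; the 100 KB default is the schema's upper limit for thumbnailPhoto.

```powershell
# Added example, not the author's script. Function and parameter names are hypothetical.
Import-Module ActiveDirectory

function Set-ADUserPhotoChecked {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$PicturePath,
        [int]$MaxBytes = 100KB   # thumbnailPhoto schema limit (rangeUpper 102400)
    )

    # Resolve to a full path so the .NET call does not depend on the process working directory.
    $fullPath = (Resolve-Path -LiteralPath $PicturePath -ErrorAction Stop).ProviderPath
    $photo    = [System.IO.File]::ReadAllBytes($fullPath)

    # Reject empty files and files the directory would refuse or that bloat replication.
    if ($photo.Length -eq 0 -or $photo.Length -gt $MaxBytes) {
        throw "Refusing to write $($photo.Length) bytes; expected 1..$MaxBytes."
    }

    # Assumption: photos are JPEG. JPEG files start with the bytes FF D8 FF.
    if ($photo.Length -lt 3 -or $photo[0] -ne 0xFF -or $photo[1] -ne 0xD8 -or $photo[2] -ne 0xFF) {
        throw "$fullPath does not look like a JPEG file."
    }

    Set-ADUser -Identity $UserName -Replace @{ thumbnailPhoto = $photo } -ErrorAction Stop

    # Read the attribute back and compare lengths so a failed write is noticed.
    $stored = (Get-ADUser -Identity $UserName -Properties thumbnailPhoto).thumbnailPhoto
    if ($null -eq $stored -or $stored.Length -ne $photo.Length) {
        throw "thumbnailPhoto for $UserName was not stored as expected."
    }
    "Stored {0} bytes in thumbnailPhoto for {1}" -f $stored.Length, $UserName
}
```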




Group Policy – Use Regional Settings to change Date Format

Hello everyone. Today I want to share some knowledge with you which might be useful if you need to change the regional settings of your customers. Today I had the requirement to change the American Date format (MM/dd/yyyy) to the ISO8601 format (yyyy-MM-dd).

Configure Group Policy

First open Group Policy Management and go to User Configuration -> Preferences -> Control Panel Settings -> Regional Options.


Next right click on the area and choose New -> Regional Options.

Now go to Date and set the following values:

  • Short date format: yyyy-MM-dd
  • Date separator:


Now the important part: Go through all tabs and press F5. You will notice that all red lines will change into green lines.


Now go to the Common tab and click on OK.

It is important to go through all tabs and to press F5 otherwise the settings will not apply. I do not know why but I found this solution here.

Apply the settings to your Clients

To apply the settings simply do the following things:

  • Restart your Client machine


Run cmd as Administrator and run the following command:

gpupdate /force

After the command has executed successfully, you need to log off and log on again on your client machine to apply the settings.

The result will look like this:


That's it. You have successfully changed the date format.

I wanted to share this information since I wasted quite some time searching for a solution why my settings would not apply. I hope this post is useful for you. See you next time.



Restrict old Internet Explorer Versions

Hello everyone. Today I'm going to show you how to use AppLocker to block old versions of Internet Explorer from execution. The requirement I had to fulfill was to make sure that Internet Explorer versions below 9 will not be able to run. Here is how you can do this:

Open up your Group Policy Management Editor.


Now go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services and look for the service Application Identity. This service is needed to identify your application. When this service is not running your Allow and Deny rules will not apply.


Select Automatic to start this service automatically when the system is started.


Next go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules.


Now click on Create New Rule…


This will open a wizard. First choose Deny and leave Everyone in the text box (because we want to deny everyone the right to start old Internet Explorer versions).


Next choose Publisher.


Now click on Browse… and go to C:\Program Files\Internet Explorer and choose iexplore.exe. (By the way: you can also go to C:\Program Files (x86)\Internet Explorer and choose iexplore.exe. It does not matter, because a Publisher rule matches the file's signature details (publisher, product name, file name and version) rather than its path. The rule we are defining will block the 32-bit version as well as the 64-bit version from execution.)

Next check Use custom values and go to File version: enter into the text box and choose And below.


On the next page you have the choice to add Exceptions if you want to add some. But we will simply add none and click on Next.


Now you can enter a Name and a Description for your Rule.


Now your Rule is finished. If you are asked if you want to create the Default rules click on Yes.
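
To confirm on a client that the rule built above is actually in effect, the following added example (not part of the original post) checks the Application Identity service, lists the Deny publisher rules for iexplore.exe in the effective policy, asks AppLocker for its decision on both IE binaries, and reads recent block events. It assumes an elevated Windows PowerShell session on a client that has already received the GPO; the version range it prints is whatever was entered in the wizard.

```powershell
# Added example: verify the AppLocker deny rule on a client after the GPO has applied.
Import-Module AppLocker

# 1. Rules are only evaluated while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: {0}" -f $svc.Status

# 2. Load the effective (local and GPO merged) policy as XML.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
"Exe rule collection enforcement mode: {0}" -f $exe.EnforcementMode

# 3. List Deny publisher rules that name iexplore.exe, with their version range.
$exe.FilePublisherRule |
    Where-Object { $_.Action -eq 'Deny' -and
                   $_.Conditions.FilePublisherCondition.BinaryName -ieq 'IEXPLORE.EXE' } |
    ForEach-Object {
        $c = $_.Conditions.FilePublisherCondition
        [pscustomobject]@{
            Rule    = $_.Name
            Product = $c.ProductName
            Low     = $c.BinaryVersionRange.LowSection
            High    = $c.BinaryVersionRange.HighSection
        }
    }

# 4. Ask AppLocker what it would decide for the IE binaries present on this machine.
$paths = "$env:ProgramFiles\Internet Explorer\iexplore.exe",
         "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe" |
         Where-Object { Test-Path -LiteralPath $_ }
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $paths -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Blocked launches are logged as event ID 8004 in the AppLocker EXE and DLL log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A PolicyDecision of Denied with the new rule as MatchingRule means the rule applies to that binary; an enforcement mode of AuditOnly means the rule only logs and does not block.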


If a user with an Internet Explorer version below 9 tries to start it, he/she will receive the following error message:


A user with a higher Internet Explorer version will see no difference at all as you can see:



Well, that's it. Pretty simple, right? This way you can prevent security issues caused by old Internet Explorer versions. I hope my post was useful for you. See you next time.



Active Directory Search for Clients

Hello everyone. Today I discovered that there is a way to give non-admin users the possibility to search the Active Directory for information. It is pretty simple. All you need to do is to create this shortcut on your users' desktops:

%SystemRoot%\System32\rundll32.exe dsquery,OpenQueryWindow

That's it. That is all you need to do to make it work.

If you want to publish this Shortcut to a larger group of people you might consider using Group Policies.

The first step is to create a new Shortcut item. I called mine “Active Directory Search”.


Then I applied the following settings:

  • Target path: %SystemRoot%\System32\rundll32.exe
  • Arguments: dsquery,OpenQueryWindow
  • Location: Desktop


I would also recommend applying the setting “Remove this item when it is no longer applied” to make sure the shortcut will be removed when you want to retract this solution.


If you configured everything correctly, your shortcut will appear on your users' desktops.


Now every time your users use this shortcut, this window will open, allowing them to search your Active Directory.


Here is a screenshot of an example search:


Info: Don't worry about users editing your Active Directory through this window. The search runs with the user's own credentials, so it grants no additional rights: users who do not have the appropriate permissions to change things will only be able to read information.

That's it for today. I hope my post was useful for you.