Removing permission for users to upload their image to AD
I recently had the pleasure to help one of our Premier customers with a query they have regarding saving images in Active Directory.

Default Permission in AD

By default, users have permission to save a JPEG or BMP file to their own AD user account. This file can be up to 100KB in size. In a large AD with hundreds of thousands of users, this could quickly increase the size of the AD database. The increase in size can lengthen backup times, increase the backup size and slow down restores.

This permission is granted via the constructed security principal, “SELF”.

“SELF” is given permission to a set of attributes, not to the individual attributes themselves. By combining attributes into groups of common attributes, you reduce the size of the ACL entry. These groups are called Property Sets. The attributes which relate to images are:

  • Picture (aka thumbnailPhoto)
  • jpegPhoto

The attribute Picture is in a Property Set called Personal-Information. You can see the permission is applied to all users like this:


Control the Permission

They wanted to take away the permission for SELF to be able to write to the Picture attribute, but this shouldn’t be a high-level deny for Everyone to write to this attribute. It could be that some users somewhere at sometime need to write to this attribute.

What I suggested they do was de-couple the Picture attribute from the Property Set called Personal-Information, and then apply an explicit permission at the root of the domain for a group which should have write access to this attribute instead.

But how do you link (and therefore unlink) an attribute to a Property Set?

The property sets are not found in the schema, but instead are found in the Configuration partition, under Extended-Rights.

Each of the Property Sets has an attribute identifying it, called rightsGuid. An attribute is pulled into the property set by placing that same GUID in the attributeSecurityGUID attribute of the attribute's own schema object. If these two GUIDs are the same, then the attribute is a member of the Property Set. By removing the attributeSecurityGUID value on the Picture attribute, it is no longer a member of the Personal-Information Property Set, and SELF loses permission to write to this attribute.

While this sounds very complicated, here’s a simple picture to explain it all:


The object on the left, “CN=Personal-Information”, is the property set. The object on the right, “CN=Picture”, is the attribute in the schema. Its lDAPDisplayName is thumbnailPhoto. The attributes of these objects, rightsGuid and attributeSecurityGUID, have the same value: a matching GUID.

Remove the GUID

To remove the attributeSecurityGUID, open the attribute in the attribute editor and click the button on the bottom left called “Clear”, as shown below:


Notice also that the text in the attribute editor isn't the same as the text you see in the window behind. rightsGuid is stored as a string, whereas attributeSecurityGUID is stored as a 16-byte octet string, so the editor shows the value as hex byte pairs, and within the first three blocks of the GUID the byte order is reversed compared with the string form.
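The following PowerShell is an added example, not code from the original post: it finds the Personal-Information property set under Extended-Rights, reads its rightsGuid, converts that GUID to the octet form the attribute editor displays, and then lists every schema attribute whose attributeSecurityGUID carries the same bytes. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; no names beyond those on the page are assumed.

```powershell
# Added example (not from the original post): show which attributes belong to the
# Personal-Information property set by matching rightsGuid to attributeSecurityGUID.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined machine.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Property sets are controlAccessRight objects under Extended-Rights in the
# Configuration partition, not objects in the schema.
$propSet = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(cn=Personal-Information))" `
    -Properties rightsGuid

# rightsGuid is a string attribute, so it reads back in the familiar dashed form.
$guid = [guid]$propSet.rightsGuid
Write-Host "rightsGuid (string form):            $guid"

# attributeSecurityGUID is an octet string. In the byte form the first three
# groups of the GUID are little-endian, which is why the attribute editor shows
# the pairs "switched around" relative to the string in the window behind it.
$bytes = $guid.ToByteArray()
$hex   = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
Write-Host "attributeSecurityGUID (octet form): $hex"

# An LDAP filter on a binary attribute needs each byte escaped as \xx.
$escaped = ($bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
$members = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" `
    -Properties lDAPDisplayName |
    Sort-Object lDAPDisplayName

# Picture (thumbnailPhoto) appears in this list until its attributeSecurityGUID
# is cleared; run the same query afterwards to confirm it has dropped out.
$members | Select-Object Name, lDAPDisplayName | Format-Table -AutoSize
```

Running this before and after clearing the GUID gives a simple check that the change did what was intended, and the list also shows every other attribute that the Personal-Information permission on SELF (or on any delegated group) covers.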

Undoing the Change

In order to restore the GUID if you change your mind, you need to copy the same form of the GUID from another attribute. I chose Post-Code as this is also in the Personal Information Property Set.
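As an added example (not the post's own procedure), the script below carries out the change described above and keeps the undo data: it saves the current attributeSecurityGUID of the Picture attribute to a file, clears it on the schema master, grants an explicit Write Property permission on thumbnailPhoto for user objects to a delegated group at the domain root, and provides a function that writes the saved GUID back in its binary form. The group name "PhotoEditors" and the save-file path are placeholders; the script assumes Schema Admins rights for the schema write and rights to modify the domain root ACL.

```powershell
# Added example (not from the original post). Placeholders: group "PhotoEditors",
# save file under $env:TEMP. Requires Schema Admins for the schema change and
# permission to edit the domain root ACL. Schema writes must go to the schema master.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext
$domainDN     = $rootDse.defaultNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster
$saveFile     = Join-Path $env:TEMP 'Picture-attributeSecurityGUID.txt'   # placeholder path

$picture = Get-ADObject -Identity "CN=Picture,$schemaNC" -Server $schemaMaster `
    -Properties attributeSecurityGUID, schemaIDGUID

# 1. Save the current value first; this is the same GUID as rightsGuid on
#    CN=Personal-Information, just in octet form.
$savedGuid = [guid]([byte[]]$picture.attributeSecurityGUID)
$savedGuid.ToString() | Out-File -FilePath $saveFile
Write-Host "Saved attributeSecurityGUID: $savedGuid"

# 2. Detach Picture from the property set. SELF keeps "Write Personal Information",
#    but thumbnailPhoto is no longer part of that set. This is a forest-wide
#    schema change and affects every ACE that uses the property set.
Set-ADObject -Identity $picture.DistinguishedName -Server $schemaMaster `
    -Clear attributeSecurityGUID

# 3. Grant the delegated group explicit WriteProperty on thumbnailPhoto, applied to
#    user objects below the domain root (object-type ACE on the attribute's
#    schemaIDGUID, inherited-object-type of the user class).
$group     = Get-ADGroup 'PhotoEditors'                      # placeholder group
$attrGuid  = [guid]([byte[]]$picture.schemaIDGUID)
$userClass = Get-ADObject -Identity "CN=User,$schemaNC" -Properties schemaIDGUID
$userGuid  = [guid]([byte[]]$userClass.schemaIDGUID)

$acl = Get-Acl -Path "AD:\$domainDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 4. Undo: write the saved GUID back as a byte array, which is the octet form the
#    attribute editor shows. Equivalent to copying the value from another member
#    of the property set, as the post describes.
function Restore-PictureSecurityGuid {
    $guid = [guid](Get-Content -Path $saveFile -Raw).Trim()
    Set-ADObject -Identity "CN=Picture,$schemaNC" -Server $schemaMaster `
        -Replace @{ attributeSecurityGUID = $guid.ToByteArray() }
}
```

Two points worth checking before running this in production: the schema change is forest-wide and removes thumbnailPhoto from the Personal-Information set for every principal that has been delegated it, not just SELF, so any helpdesk delegation that relied on it needs the same explicit ACE; and the ACE added in step 3 is scoped to the thumbnailPhoto attribute on user objects only, which is the least privilege the requirement on this page calls for.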


I hope this helps someone else to delegate their Active Directory if needed.