Active Directory User Photos on Linux

---

I’ve written a neat little script for synchronizing the local user profile picture (also known as “face”) on domain joined Linux workstations from Active Directory (thumbnailPhoto user attribute).

It should work on all GNOME based systems and probably on other desktop environments aswell which utilize the AccountsService.

The update_face_from_ad script is available on the GitHub Gist and on my website.

It can be combined with Systemd to make the picture update on user logon and/or periodically with a Systemd timer (while the user session is running).

Usage manually

The script requires the ldapsearch and file commands to be available and it can be executed manually with user privileges.

NOTE: You’ll need to adjust the LDAP variables from the script or provide them as environment variables like shown.

$ export LDAP_URI='ldaps://dc01.contoso.com:636'
$ export LDAP_BASE='DC=contoso,DC=com'

$ ./update_face_from_ad.sh
Successfully updated local profile picture for user "santeri"!

$ ./update_face_from_ad.sh
Local profile picture for user "santeri" is already up-to-date!

Usage with Systemd

You can also create a Systemd user service and timer to automatically synchronize the user profile picture.

Save the script to /usr/local/bin/update_face_from_ad and make it executable (sudo chmod +x /usr/local/bin/update_face_from_ad).

Example user service - /etc/systemd/user/update-face-from-ad.service:

[Unit]
Description=Update user profile picture from Active Directory

[Service]
Type=simple
# Environment variables for ldapsearch
Environment="LDAP_URI=ldaps://dc01.contoso.com:636"
Environment="LDAP_BASE=DC=contoso,DC=com"
# Wait 15 minutes to allow time for the user to connect to the company network.
ExecStartPre=/bin/sleep 900
ExecStart=/usr/local/bin/update_face_from_ad

[Install]
WantedBy=default.target

Example user timer - /etc/systemd/user/update-face-from-ad.timer:

[Unit]
Description=Update user profile picture from Active Directory at 12:00 PM

[Timer]
OnCalendar=*-*-* 12:00:00
Persistent=false

[Install]
WantedBy=timers.target

Reload the Systemd daemon after creating the unit files.

$ sudo systemctl daemon-reload
$ systemctl --user daemon-reload

Enable the service to make the profile picture automatically update 15 minutes after login.

$ systemctl --user enable update-face-from-ad.service
Created symlink ...

Enable & start the timer to additionally update the profile picture daily at 12:00 PM.

$ systemctl --user enable --now update-face-from-ad.timer
Created symlink ...

More information

• https://learn.microsoft.com/en-us/windows/win32/adschema/a-thumbnailphoto
• https://learn.microsoft.com/en-us/answers/questions/353218/how-to-use-active-directory-user-photos-as-account