Associate user picture to domain account

group-policywindows-server-2012-r2

I want to assign users a picture (o let them assign their own picture) to their user domain account and wherever they log in, that picture should appear as well.

How can I do this using group policy?

All my clients are at least Windows 7 and the server is a Windows Server 2012 R2 with the forest level set to Windows Server 2012 R2.

Best Answer

You could theoretically do this easily with the Files section of Group Policy Preferences. In Windows 7, information about user account pictures is stored in %ProgramData%\Microsoft\User Account Pictures. Each user has a .DAT binary file that contains the path and information about a picture that has been set.

You could set a user's picture, making sure to store it on a network location so it would be accessible from any system. Then, simply make a copy of the .DAT file, throw it on a network share, and make a GPP Files entry to push it to every computer.

Users wouldn't be able to set their own picture without assistance, but after they did it the first time, it would follow them around.

Related Solutions

windows – Granting Service Permissions to Users on Non-Domain Servers

There doesn't appear to be a GUI-based way of doing this unless you're joined to a domain - at least not one I could find anywhere - so I did a bit more digging and I've found an answer that works for our situation.

I didn't understand what the string representation meant in the knowledge base article, but doing a bit of digging led me to discover that it's SDDL syntax. Further digging led me to this article by Alun Jones which explains how to get the security descriptor for a service and what each bit means. MS KB914392 has more details.

To append to the service's existing security descriptor, use sc sdshow "Service Name" to get the existing descriptor. If this is a plain old .NET Windows Service - as is the case with ours - the security descriptor should look something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA
;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

We needed to grant permissions RP (to start the service), WP (to stop the service), DT (to pause/continue the service) and LO (to query the service's current status). This could be done by adding our service account to the Power Users group, but I only want to grant individual access to the account under which the maintenance service runs.

Using runas to open a command prompt under the service account, I ran whoami /all which gave me the SID of the service account, and then constructed the additional SDDL below:

(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)

This then gets added to the D: section of the SDDL string above:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP
DTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;WD)

This is then applied to the service using the sc sdset command (before the S: text):

sc sdset "Service Name" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU
)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;WD)

If all goes according to plan, the service can then be started, stopped, paused and have it's status queried by the user defined by the SID above.

How to apply proxy settings per computer instead of per user

I think what that means is the Internet Explorer zones, and how the proxy bypass settings apply to the local intranet zone. This article explains it in more detail than should be gone into here, but essentially every website is classified into a zone so that the various security settings can be adjusted. By default the proxy bypass list is automatically included in the Local Intranet zone.

EDIT: To answer your question directly - Drawing from the information above, you cannot and do not need to configure proxy settings per-zone. However, your users might choose to exclude a URI from being proxyed, hence adding it to the Local Intranet zone.

For the proxy configuration, I seem to remember having quite a bit of success with the IE Maintenance feature in Group Policy, which incidentally has now been superseded in 2012 by GPP. Unfortunately because of that I can't share my own how-to because I haven't got the relevant server edition in my test environment. Below are a couple of solutions (of which you may already be aware), it's up to you to decide which is most suitable to your organisation:

The Internet Explorer Maintenance Extension: Microsoft advise against using this if you want to enforce the proxy settings, but I'm sure I've had trouble using the alternative. Also this is only applied on a user level.
Internet Explorer Administration Kit 8/9: Maybe a bit overkill just for configuring a proxy, but worth knowing about.

Unfortunately, I don't think there is a way to set proxy on a computer level using Group Policy. However, as you say in your own answer restricting changes to that section of the control panel is the usual practise to stop changed to proxy. Perhaps, better still, you could use an auto-configuration script.

Best Answer

Related Solutions

windows – Granting Service Permissions to Users on Non-Domain Servers

How to apply proxy settings per computer instead of per user

Related Topic