Rand Morimoto has more than 30 years of experience in the computer industry and has authored or contributed to dozens of books on Microsoft and tech-related topics.
Getting Pictures and other Contact Info Into Outlook, AD, SharePoint, Exchange, OC 2010
Adding and Synchronizing Contact Info Manually and Automatically through Active Directory
One of the new features in Outlook 2010 is the ability to add a picture of your contacts into their contact record. You can also add a picture to your SharePoint MySite profile and see pictures of others. And with Communications Server 2010 coming out, it too has the ability to show pictures of the individuals you are communicating with.
You can manually add a photo into Outlook, SharePoint, Active Directory, and others, or you can add just ONE photo and have it synchronized across all of the various applications (which I’m sure you’ll find to be the easier and smarter approach: do something once and have it updated in all of the places that use the pictures).
In this article, I’m going to show you the steps to add a photo manually in Outlook 2010 (I know many readers will want the quick and simple way of just adding a picture to a contact in Outlook), and for you IT Pros working in the datacenter, I’ll give a much more extensive step-by-step guide on how to configure photo replication for all of your apps.
Adding a Picture and other Contact Info Just to Outlook 2010 Contacts
This is the simple method for those of you who have Outlook 2010 and want to add a photo to one of your contacts. When you receive an email from an individual, right-click on the email name of the incoming message recipient and choose “Add to Outlook Contacts”:
With the new contact open, click on “Picture” on the top ribbon bar and choose “Add Picture”:
Browse your system for a saved picture of the person and click “Open” to select the picture:
You can fill in other fields like Company name, address, phone#, mobile#, etc. of the individual. Choose “Save and Close” when you are done.
Now you’ll find when you open an email or create an email with this individual, their picture will appear in the email, bottom of the email, etc:
Adding Pictures and other Contact Info to Active Directory to Synchronize Across all Microsoft 2010 Apps
This is the more complicated / IT Pro / server backend method of getting pictures into Active Directory so that the same picture (as well as other information like address, phone#, title, manager’s name, etc.) is populated and replicated throughout Active Directory. This will ensure that a phone# that shows up on a person’s MySite in SharePoint is the same phone# that is in Outlook contacts. So this goes beyond just having a picture show up: actual company / business information is synchronized and made consistent across all of the Microsoft 2010 applications (i.e., Exchange 2010, SharePoint 2010, Outlook 2010, Communication Server 2010, etc.).
Assumptions I’m making as part of this step by step guide:
• You have Microsoft Active Directory 2003 Native Mode (or higher) in your environment
• Your email is Exchange 2010 (standard or enterprise doesn’t matter)
• You are running SharePoint 2010 (standard or enterprise, doesn’t matter)
• You are running Outlook 2010 as your client (professional, enterprise, doesn’t matter)
• Optionally you are running Communication Server 2010 (aka OCS 14) with the Communicator 14 client
You “can” still put photos into Active Directory and view them with Outlook 2010 even if you have Exchange 2003 or Exchange 2007, and you can import photos right into Active Directory and not even have SharePoint in your environment. You can even have Novell eDirectory or SunOne instead of Active Directory to get photos working, but for this doc, I’m focusing on a Microsoft-centric environment with the latest “stuff” where the configuration and synchronization is pretty straightforward and the tools are all “in the box”. I have links to other articles that can provide you steps for getting photos and synchronization of other information for other platforms at the end of this article for those interested in other articles, links, or background info.
Note: When building my SharePoint 2010 environment for User Profile Synchronization, I built the server using Windows Server 2008 SP2 (not Windows 2008 R2) as I had a lot of problems getting all of the security tokens and configurations working properly in R2 (LOTS of known bug fixes to get Windows 2008 R2 working for SharePoint 2010), so I simplified my process and used Windows 2008 SP2 as my base operating system. With Windows 2008 SP2 under SharePoint 2010 for this User Profile Sync server, all of the steps worked as expected.
Contact Attribute Synchronization Background
The premise of this “synchronization” of phone#, address, titles, pictures and the like starts with a synchronization of content between SharePoint 2010 MySites and Active Directory. You would think that Active Directory is all authoritative and everything grabs stuff out of AD; however, there’s no field in AD Sites and Services for you to upload a picture, so that’s where SharePoint 2010 comes in. For attributes like pictures that need a method to import the info into AD, you can add the information to your MySite in SharePoint, and the information goes from SharePoint into AD. Once in Active Directory, the information can then be accessed from Exchange, Outlook, Communication Server, and the like.
However, for attributes that may have already been added to Active Directory, like phone#, titles, or the like, you’d want them to replicate FROM Active Directory TO SharePoint so that the user does not have to populate their “MySite” with that information; it’ll already be added.
This “synchronization” between AD and SharePoint MySites is how information gets back and forth between those two applications and is driven by a feature in SharePoint called the “User Profile Synchronization Application”. Because users can now “change” their own information in their MySite, rather than having someone with Active Directory rights change mobile# and other user-centric contact information in Active Directory, users can change their own information in MySites and have that populated to Active Directory. For some items, like title or management hierarchy, the organization may still want to control the information from the AD side and push it down to SharePoint as read-only to users. In any case, you now have options and can pick/choose the fields you want to be authoritative.
Once information is in Active Directory, Exchange 2010 and Communication Server 2010 have server components that grab the information and bring it into those applications. (YES, the information is “replicated” down to Exchange and Communication Server, so there would be 4 separate copies of a picture thumbnail, phone#s, address info, etc. on the various apps: AD, Exchange, SharePoint, and OC.) It’s just a picture thumbnail and all of the information is compressed, so even for really large enterprises, the information is only a couple megabytes TOTAL for the entire organization, and attributes are synchronized individually starting with AD/2003 R2, so incremental syncs are small.
Outlook 2010 and Communicator 2010 users see the various picture / address / contact info as an “address book” query. So effectively, info in AD goes to Exchange in the Offline Address Book (OAB), and the Outlook client downloads / accesses the Offline Address Book that retains the pictures, contact info, etc.
Step 1: Determining Which Attributes Synchronize from Where to Where
The first step is to determine what information (address, mobile#, phone#, title, picture, etc.) you want to synchronize from Active Directory to SharePoint MySites, and from SharePoint MySites to Active Directory. For a list of attributes, do the following:
1. Go to SharePoint 2010’s “Central Administration” (Start | All Programs | Microsoft SharePoint 2010 Products | SharePoint 2010 Central Administration)
2. Select “Manage Service Applications” (which is under the Application Management section)
3. Highlight “User Profile Service Application” (usually click to the “side” of the words because if you click on the words, you’ll follow the link. All you want to do is highlight the User Profile Service Application line). When highlighted, click “Manage” in the Ribbon toolbar
4. Click on “Manage User Properties”. You will see a list of attributes and their mappings. Most (like title, work#, manager) have already been defined, so when the sync service is kicked off, that information will automatically come down from AD to SharePoint. Some attributes have not been defined yet, like the Picture attribute. That needs to be configured and will be configured in Step 4 of this guide. To view the sync attributes, to the right of the attribute, a “down arrow” appears and you can choose “edit” to edit the attribute configuration. Again, this will be done in Step 4, but for now, just view the configurations
This is just a planning step to determine which attributes you want to use and which direction you want to replicate the information
Step 2: Populate “Some” Information
Now that you’ve had a look at the various attributes, populate some information in Active Directory (like Manager’s name, title, office phone#, mobile#, etc.) and go into SharePoint and add in pictures. Just do this for a “couple” users for a test (and can I suggest you create 2 dummy AD accounts and populate the information so that if something gets screwed up, you’re not corrupting your AD or SharePoint MySite; you’ll be fiddling with accounts you can easily delete and recreate!)
The process for adding stuff in AD:
1. On an Active Directory domain controller, go into Active Directory Users and Computers (Start | All Programs | Administrative Tools | Active Directory Users and Computers)
2. Double click on a user to pull up the user “properties” where you can enter in attribute information like Office location, telephone#, address, organization information, and the like (note: typically you do NOT want to change the First Name, Last Name, Display Name, Email Address, or User Logon Name information unless you know what you are doing and know that changing those attributes won’t impact other applications or user functions)
3. Click OK to save any changes for the user
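The AD half of this step can also be scripted, which makes the two dummy accounts easy to delete and recreate. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available and that the test OU already exists, and the OU, UPN suffix, account names and attribute values are all hypothetical.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical lab values: change the OU (which must already exist) and UPN suffix.
$TestOU    = 'OU=ProfileSyncTest,DC=example,DC=com'
$UpnSuffix = 'example.com'
$Password  = Read-Host -AsSecureString 'Password for the two test accounts'

# Constructed sample data for the two throwaway accounts.
$accounts = @(
    @{ Sam = 'synctest1'; Given = 'Sync'; Sur = 'TestOne'; Title = 'Test Manager'
       Office = 'Lab 1'; Phone = '555-0100'; Mobile = '555-0101' },
    @{ Sam = 'synctest2'; Given = 'Sync'; Sur = 'TestTwo'; Title = 'Test Analyst'
       Office = 'Lab 2'; Phone = '555-0102'; Mobile = '555-0103' }
)

foreach ($a in $accounts) {
    # Create the account only if it is not there yet, so the script can be re-run.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'")) {
        New-ADUser -Name "$($a.Given) $($a.Sur)" -SamAccountName $a.Sam `
            -UserPrincipalName "$($a.Sam)@$UpnSuffix" `
            -GivenName $a.Given -Surname $a.Sur `
            -Path $TestOU -AccountPassword $Password -Enabled $true
    }
    # The same fields you would fill in on the user's property pages.
    Set-ADUser -Identity $a.Sam -Title $a.Title -Office $a.Office `
        -OfficePhone $a.Phone -MobilePhone $a.Mobile
}

# Make the first test user the manager of the second so the hierarchy has data too.
Set-ADUser -Identity 'synctest2' -Manager 'synctest1'

# Read back what is now stored in AD, to compare with SharePoint after a sync.
Get-ADUser -Filter "SamAccountName -like 'synctest*'" `
    -Properties Title, Office, OfficePhone, MobilePhone, Manager |
    Select-Object SamAccountName, Title, Office, OfficePhone, MobilePhone, Manager
```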
To add a picture to SharePoint that’ll replicate back to Active Directory, do the following:
1. Log on to SharePoint 2010 with the account you want to add a picture to
2. Click on the upper right user information and choose “My Profile”
3. Click on “Edit my Profile”
4. Click on “Choose Picture” and upload a picture
5. Make any other changes to your SharePoint MySites page, then scroll all the way to the bottom and click on “Save and Close”
Step 3: Configure the Profile Synchronization Service in SharePoint
The Profile Synchronization Service is tied to the User Profile Service in SharePoint. This is a very complicated series of services that you can read up on a whole lot more someday when you have nothing better to do; a good article is up on http://www.harbar.net/articles/sp2010ups.aspx. All of this profile sync stuff was slapped together from a variety of bits and pieces Microsoft had to make this all work. The key steps needed here are as follows:
1. Go to SharePoint 2010’s “Central Administration” (Start | All Programs | Microsoft SharePoint 2010 Products | SharePoint 2010 Central Administration)
2. Select “Configure Managed Accounts” (which is under the Security section)
3. Click on “Register Managed Account” and add in an account that has the following properties:
- will ultimately be the Farm Administrator for all of SharePoint
- has schema access to Active Directory (i.e., is a member of the Enterprise Admins group in AD)
- is a local administrator to the local server (the account is in the server’s “Administrators” group)
For many orgs, this is the main domain administrator account; however, if you tighten down your security, you might want to create a separate account whose access you can control. For now, this Profile Synchronization Service requires ALL of these security roles, and there is talk that Microsoft will provide a better separation of security in SharePoint 2010 SP1. Because this role has so many security hooks, at a minimum you’d want to put this Profile Synchronization Service on a server that is NOT Web facing so that you minimize the potential attack surface of this system from the outside. If security is something you can manage, then frequently the “domain\administrator” account is the one people select for this.
Enter in the full domain\username of the account and the password, then click OK
4. Now go back to Central Administration \ Security and choose “Configure Service Accounts”
5. Select “Farm Account”, and for “Account for this Component” choose the service account you just created/selected in step 3 (the master administrator account), then click OK
6. Go back to the Central Administration and select “Manage Services on server” (which is under the System Settings section)
7. Scroll down to the “User Profile Synchronization Service” and click on START
8. The “User Profile Service Application” should be the default, and you should see the master domain / farm service account listed as the default service account (greyed out, you can’t change it here). Enter in the password for the account and click OK. This will start the User Profile Synchronization Service
(NOTE: This can take 10-20 minutes to start, so be patient. It’s starting the Forefront Identity Manager Synchronization service as well as a Forefront Identity Manager Service among other things, so this can take a while)
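Since the managed account from step 3 ends up holding Enterprise Admins, local administrator and farm rights all at once, it is worth recording exactly what it has and watching for drift. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later with the ActiveDirectory module, run on the server hosting the User Profile Synchronization Service, and the account name svc-spsync is hypothetical.

```powershell
# Added example, not from the original article. Assumes PowerShell 3.0+ and the
# ActiveDirectory module; run it on the User Profile Synchronization server.
Import-Module ActiveDirectory

$SyncAccount = 'svc-spsync'   # hypothetical name of the managed account from step 3

$user = Get-ADUser -Identity $SyncAccount `
    -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires

# Every group the account is in, directly or through nesting
# (LDAP_MATCHING_RULE_IN_CHAIN; the primary group is not listed).
# Assumes the DN holds no LDAP filter metacharacters such as ( ) * \
$filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$groups = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)

# Groups worth tracking. The guide requires Enterprise Admins, which nests into
# the domain's built-in Administrators group; anything else is beyond that.
$watch    = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
            'Account Operators', 'Backup Operators', 'Server Operators'
$required = 'Enterprise Admins', 'Administrators'
$privileged = @($groups | Where-Object { $watch -contains $_ })

# Members of this server's local Administrators group, via the WinNT provider.
$localGroup  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($localGroup.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$viaGroups = @($groups | Where-Object { $localAdmins -contains $_ })

$pwdAgeDays = if ($user.PasswordLastSet) { ((Get-Date) - $user.PasswordLastSet).Days }

[pscustomobject]@{
    Account                = $user.SamAccountName
    # The built-in domain Administrator always has a SID ending in -500.
    IsBuiltinAdministrator = $user.SID.Value -match '-500$'
    PrivilegedGroups       = $privileged -join ', '
    BeyondGuideRequirement = @($privileged | Where-Object { $required -notcontains $_ }) -join ', '
    LocalAdminDirect       = $localAdmins -contains $user.SamAccountName
    LocalAdminViaGroups    = $viaGroups -join ', '
    PasswordAgeDays        = $pwdAgeDays
    PasswordNeverExpires   = $user.PasswordNeverExpires
    LastLogonDate          = $user.LastLogonDate
}
```

Saving the output and comparing it after each change to the farm shows when the account has picked up rights the sync service does not need, or when the built-in Administrator has been reused for it.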