Prevent Users from changing Pictures in Exchange 2013

Yes, in Exchange 2013, users were given the ability to edit their user pictures that is stored in the LDAP for display on their profile across Microsoft’s suite of products.

Seems like a harmless function right? Microsoft is so desperate to be viewed as a ‘cool social media like product’ that users will take advantage of the customizable settings. Well, if left unchecked, the user photos quickly become a mixture of Kittens, logos, TV characters, and borderline raunchy images. No good, especially since users have NO IDEA that these images might be viewed by outside entities. Highly unprofessional!!!

So the Goal here is to allow the use of Photos that the Admin or a security person can upload into LDAP, let users view the photos, but keep users from changing the photo.

The only way I’ve found to do this is by using a mailbox policy.

Open up a powershell session on exhcange 2013 and run the following.
1st we set list the mailbox policies and set the option to enable photos to False.
2nd we apply the policy to all mailboxes.

Get-OWAMailboxPolicy | set-owamailboxpolicy -setphotoenabled:$false
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

To test, sign into OWA as a user and check the 2 spots where users can change photos and ensure the options to edit photos are gone.
1) Under the Photo in the main display.
2) User User’s profile options in the ‘My account’ page.

NOTE: Be aware, that the last time I updated a Cumulative Upgrade, these settings reverted back to the default behavior and I had to re-apply the mailbox policy.

Tagged , . Bookmark the permalink.

4 Responses to Prevent Users from changing Pictures in Exchange 2013

  1. rino says:

    hi, problem is, for each new user you need to apply this script:

    Set-CASMailbox user -OWAMailboxPolicy Default

    • Adam says:

      I know I’m late to the party but…

      Set-Owamailboxpolicy Default -IsDefault

      Will set it to be the default policy so it will apply to new accounts automatically.

  2. Philippe Dufour says:

    Set-OwaVirtualDirectory -id “owa (Default Web Site)” -SetPhotoEnabled $False

    • mike says:

      This option will remove the photo completely. Good option, but one of the goals of the article was to allow the ldap image to be set by an admin and have it displayed. This option removes it outright.

Leave a Reply

Your email address will not be published. Required fields are marked *

No bots allowed * Time limit is exhausted. Please reload the CAPTCHA.