Re: Storing Photos in Active Directory - jpegPhoto attribute - User class


From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/24/04


Date: Sat, 24 Jul 2004 17:59:44 -0500

Sorry, I misled you a little bit. The attribute I was thinking of is the
thumbnailPhoto attribute which is a Win2K attribute with the same syntax and
size limitations. It is in the Personal-Information control access right,
so users do generally have rights to write to it. jpegPhoto is new for 2K3
and is not in the Personal-Information CAR. I'm still not that used to 2K3
schema.

So, the warning still applies to thumbnailPhoto in terms of security/DoS,
but not to jpegPhoto.

Joe K.

"Net Coder" <netcoder77-msnews@yahoo.com> wrote in message
news:OxlSNwacEHA.2352@TK2MSFTNGP09.phx.gbl...
> Joe Kaplan (MVP - ADSI) wrote:
> > On the activedir.org mailing list, there was a discussion about this a few
> > months ago. Depending on the size of the objects, this may or may not be a
> > problem with replication. That tends to be very sensitive to your actual
> > deployment and how often they change (probably not very often I assume).
> > You might want to add them to the directory slowly if you are worried and
> > try to keep the sizes down.
> > However, one thing to consider is that by default, users have rights to
> > modify this property directly with their own account AND the attribute has
> > no max size. As such, it could be used maliciously by some users as a DoS
> > attack on your DC if they decided to upload their swap file or something
> > similarly large. You might want to think carefully about allowing users
> > rights to modify this attribute directly.
>
> Hmm. The object does not have maximum or minimum size set but the ACL
> on a W2K3 AD server in native mode doesn't seem to allow SELF write to
> the jpegPhoto attribute/property, or am I missing something?
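
An added example, not part of the original thread: a read-only PowerShell audit of the two points discussed above, namely whether each photo attribute has a maximum size and sits in the Personal-Information property set, and which accounts already hold large thumbnailPhoto values. It assumes the ActiveDirectory module is installed; the 100KB threshold and variable names are illustrative choices.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT)
# and read access to the schema partition and to user objects.
Import-Module ActiveDirectory

# rightsGuid of the Personal-Information property set
$personalInfo = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$maxBytes     = 100KB   # assumed review threshold; set to local policy

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Schema view: size limit and property-set membership of each attribute
foreach ($name in 'thumbnailPhoto', 'jpegPhoto') {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$name)" `
        -Properties rangeUpper, attributeSecurityGUID
    if (-not $attr) { Write-Warning "$name is not in this schema"; continue }

    # attributeSecurityGUID is stored as 16 raw bytes; absent means no property set
    $setGuid = $null
    if ($attr.attributeSecurityGUID) {
        $setGuid = [guid]$attr.attributeSecurityGUID
    }
    [pscustomobject]@{
        Attribute             = $name
        RangeUpper            = $attr.rangeUpper      # empty = no maximum size
        InPersonalInformation = ($setGuid -eq $personalInfo)
    }
}

# 2. Data view: accounts whose thumbnailPhoto exceeds the threshold
Get-ADUser -LDAPFilter '(thumbnailPhoto=*)' -Properties thumbnailPhoto |
    Where-Object { $_.thumbnailPhoto.Length -gt $maxBytes } |
    Select-Object SamAccountName,
        @{ Name = 'ThumbnailBytes'; Expression = { $_.thumbnailPhoto.Length } } |
    Sort-Object ThumbnailBytes -Descending
```

An attribute that reports an empty RangeUpper together with InPersonalInformation = True matches the combination the thread warns about: user-writable by default and unbounded in size.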


