Some tips for me and other

User photo from Active Directory and corporate lockscreen

1. Grant the user write permission on the file

2. Allow signed scripts to run

3. Sign the script

To sign our script we need a Code-Signing certificate. I issued it from my own certification authority, after first adding the Code-Signing template and granting Enroll permission to domain users on the certification authority itself.

I requested it, as usual, through the certmgr.msc console.

After that you can start PowerShell and sign the script:

            Store the certificate in a variable:
                        $cert = @(dir cert:\CurrentUser\My -codesigning)[0]
            Check that it is there:


Set-AuthenticodeSignature photo.ps1 $cert

4. Add the signing certificate to Trusted Publishers
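
A check for steps 2-4, as an added example that is not the author's code: run on a client, it reports the effective execution policy, whether the script's Authenticode signature still validates, and whether the signer is in Trusted Publishers. The function name and the sample path are assumptions.

```powershell
# Added example. Function name and sample path are hypothetical.
function Test-SignedScriptDeployment {
    param(
        [Parameter(Mandatory)] [string] $Path   # e.g. UNC path of photo.ps1 on the share
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'       # Code Signing enhanced key usage
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    # Step 2: the execution policy actually in effect for this session
    $policy = Get-ExecutionPolicy

    # Step 3: the signature must validate. HashMismatch means the file was
    # changed after signing, NotSigned means it was never signed.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    $hasEku  = $false
    $trusted = $false
    if ($signer) {
        $eku    = $signer.Extensions | Where-Object { $_ -is $ekuType }
        $hasEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })

        # Step 4: the signer must be in Trusted Publishers, otherwise AllSigned
        # prompts the user instead of running the script silently.
        $stores  = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'
        $trusted = @(Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
                     Where-Object { $_.Thumbprint -eq $signer.Thumbprint }).Count -gt 0
    }

    [pscustomobject]@{
        Path               = $Path
        ExecutionPolicy    = $policy
        SignatureStatus    = $sig.Status
        SignerSubject      = if ($signer) { $signer.Subject } else { $null }
        SignerExpires      = if ($signer) { $signer.NotAfter } else { $null }
        # Without a timestamp the signature stops validating when the certificate expires
        Timestamped        = [bool]$sig.TimeStamperCertificate
        HasCodeSigningEku  = $hasEku
        InTrustedPublisher = $trusted
        ReadyToRun         = ($sig.Status -eq 'Valid') -and $hasEku -and $trusted
    }
}

# Sample call (placeholder path):
# Test-SignedScriptDeployment -Path '\\server\share\photo.ps1'
```

Because the script is read from a share, SignatureStatus is the field to watch: any edit to the file after signing shows up as HashMismatch and the script has to be signed again.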

5. Put the script on a share. The script code itself:








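# Assumption: the lines that defined $username, $file and $file2 are missing from the page; the three values below are placeholders.
Add-Type -AssemblyName System.Drawing
$username = $env:USERNAME
$file  = $env:TEMP + "\user.jpg"
$file2 = $env:TEMP + "\user.bmp"
$file3 = $env:ProgramData + "\Microsoft\User Account Pictures\user.bmp"
# Read the user's thumbnailPhoto attribute from Active Directory
$photo = ([ADSISEARCHER]"samaccountname=$($username)").FindOne().Properties.thumbnailphoto
if ($photo -eq $null) {
    # No photo in AD; the body of this branch is missing from the page
} else {
    # Write the JPEG bytes to disk, convert to BMP, then copy to the account picture path
    $photo | Set-Content $file -Encoding Byte
    $image = [System.Drawing.Image]::FromFile($file)
    $image.Save($file.ToString().Replace("jpg","bmp"), [System.Drawing.Imaging.ImageFormat]::Bmp)
    $image.Dispose()
    Copy-Item -Path $file2 -Destination $file3
}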


6. In Group Policy, set the default picture to be used (so that users cannot change it).

7. As for the wallpaper for the logon screen, here is an excerpt from another blog:

The background images

Windows 7 supports multiple files, a default file called backgroundDefault.jpg and 12 other files with the resolutions appended to the default name (ie. background1920x1200.jpg). The system will determine which file to use (if the file with your screen resolution exists) in %windir%\system32\oobe\info\backgrounds (can be created if it doesn’t exist). If you omit an explicitly sized file for a screen resolution, the default file will be stretched to fit your resolution. One final note, images must be less than 256kb in size. The list of supported resolutions is below:


Once I had the background images for the resolutions that we have in the office, I saved those files to a subfolder in the network location I created previously and launched the Group Policy Management console.

Group Policies

Now that we have our resource files on the network we just need to tell Group Policy what to do.

Create a new Group Policy Object in an OU that contains the computers you want to customize and make the following changes to the policy.

From the Computer Configuration –> Policies –> Administrative Templates: enable Apply the default user logon picture to all users (from Control Panel/User Accounts) and enable Always use custom logon background (from System/Logon).

From Computer Configuration –> Preferences –> Windows Settings –> Files: add a new File item with a target path of %programdata%\Microsoft\User Account Pictures\user.bmp, from General make the source the 128×128 user picture we saved on the network (use its UNC path), you can leave everything else with its default setting but make its Action Replace.

From Computer Configuration –> Preferences –> Windows Settings –> Files: add a new File item with a target path of %systemroot%\System32\oobe\info\backgrounds\ (make note of the trailing \, it is required to indicate the target is a directory, not a file), from General set the source file(s) to be the directory we saved (use its UNC path) but append \* to the filepath, to indicate that you want to copy all the files from this subdirectory to the target. As with the previous item, you can leave everything else with its default values but make its Action Replace.
