thumbnailPhoto is too big

  • Question

  • Hello,

    I'm using Azure AD Sync to keep my on-premises AD in sync with Azure. I keep getting the following error:

    Unable to update this object in Azure Active Directory, because the attribute
    [extension_ebad079fee3145b286669fc781788c1b_thumbnailPhoto], in the local Directory
    exceeds the maximum allowed length. If you want to update, reduce the length in the
    local directory services, and then try again

    I tried to clear the attribute locally via ADSI (I assume it is the thumbnailPhoto attribute in the user's AD profile), and also to replace it with another image, but I keep getting the same error. Do you have any idea, please?

    Thanks,
    Luca

    Wednesday, August 31, 2016 1:40 PM

Answers

  • I'd like to share with you the only solution I found to this problem, after discussing it with Microsoft Tech Support: deleting and re-creating the user.
    Please remember that you need to take care of his mailbox and, after you change the UPN of the newly-created user to the same he used to have, you need to update the UPN in Azure Online too (https://support.microsoft.com/en-us/kb/2669550).
    Last thing, consider that the user will lose his desktop on his PC because, even if the UPN is the same, the SSID is different, so Windows considers them two different users.
    • Marked as answer by autopole Monday, September 26, 2016 2:01 PM
    Monday, September 26, 2016 2:01 PM
  • Open Synchronization Service manager tool as an administrator:
    Click on Connectors Tab
    Right click on the "Active Directory Domain Services" connector type and click Delete.
    In the 'Delete Connector' box, check 'Delete connector space Only' and click Ok > Yes > OK
    Right click on 'Windows Azure Active Directory' connector and click Delete.
    In the 'Delete Connector' box, check 'Delete connector space Only' and click Ok > Yes > OK
    On the open PowerShell window, run the below commands:
     
    Start-AdSyncSyncCycle -PolicyType Initial
    Tuesday, September 17, 2019 5:33 AM

All replies

  • Hi,

    You could try ConsoleApp-GraphAPI-DotNet, this console app demonstrates common Read and Write calls to the Graph API, and shows how to execute user license assignment and update a user's thumbnail photo and links.
    You could refer to the following link for details:

    https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet

    You can use the AD module for PowerShell for getting / setting the AAD user. Ref: Add or Update a User Profile Picture (Thumbnail) in Active Directory using PowerShell with One Line of Code

    Regards,
    Neelesh

    Wednesday, August 31, 2016 3:56 PM
    Moderator
  • Hi Neelesh,

    Thanks for the reply. I tried what is written in the article you mention, but it's still not working - I tried that before, but I tried again now.

    Thanks,
    Luca

    Thursday, September 1, 2016 3:13 PM
  • Hello.

    I come back to this topic since I'm receiving a lot of notifications each day. Let's say it's not a thumbnailPhoto, but rather a general attribute: how can I clear it, please? I tried via ADSI and PowerShell, both on a DC and on an Exchange server, but I cannot find any attribute called extension_ebad079fee3145b286669fc781788c1b_thumbnailPhoto.
    Any idea where I can find and edit that mysterious attribute, please? If I check the Azure AD Connect sync console, I see that this attribute has an "add" change from null to another value. I can also say that the user does indeed have a ghost thumbnail, which resides behind the one stored in the thumbnailPhoto AD attribute.

    Thank you,
    Luca

    Thursday, September 15, 2016 3:41 PM
  • No *$*#&# way I am deleting any users.

    I opened a support ticket with MSFT and they better fix this. :)

    Wednesday, May 17, 2017 11:55 AM
  • Was MSFT able to help you with this? I'm in the same boat.

    Greg

    Wednesday, September 19, 2018 1:48 PM
  • If you use the synchronization service manager on your AD Connect server you can see all the records being processed by AD Sync.

    Double click on the completed with errors operations and you can drill in to see what the issue was. For me it was the size of the Photo in AD, so I simply removed the Photo then uploaded a Photo of a smaller size, re-ran AD sync and the error disappeared.

    Deleting and re-creating the user is OK in a test environment or if it is a new user. If the user has been around for a while this will end up causing you more issues in the long run.

    Friday, March 1, 2019 4:20 PM
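
    Added example (not part of any post in this thread): a PowerShell check for the case described in the reply above, where the on-premises thumbnailPhoto itself is too large. The function name, the 100 KB default for $MaxBytes and the sample accounts are assumptions made for illustration; the function only reads the attribute and reports its size.

```powershell
# Added example: report accounts whose thumbnailPhoto is larger than a chosen limit.
# $MaxBytes is an assumption (100 KB); set it to the limit that applies to your sync target.
function Find-OversizedThumbnailPhoto {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,

        [int]$MaxBytes = 100KB
    )
    process {
        $photo = $User.thumbnailPhoto
        # Accounts without a photo are skipped.
        if ($null -eq $photo) { return }

        $size = ([byte[]]$photo).Length
        if ($size -gt $MaxBytes) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                PhotoBytes     = $size
                OverBy         = $size - $MaxBytes
            }
        }
    }
}

# Constructed sample input so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; thumbnailPhoto = [byte[]]::new(20KB) }
    [pscustomobject]@{ SamAccountName = 'bob';   thumbnailPhoto = [byte[]]::new(150KB) }
    [pscustomobject]@{ SamAccountName = 'carol'; thumbnailPhoto = $null }
)
$sample | Find-OversizedThumbnailPhoto | Format-Table -AutoSize

# Against a real directory (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(thumbnailPhoto=*)' -Properties thumbnailPhoto |
#     Find-OversizedThumbnailPhoto
```

    With the constructed sample only 'bob' is reported. The check covers the on-premises thumbnailPhoto attribute, not the extension_..._thumbnailPhoto attribute named in the original error.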
  • Oldie but I finally got a resolution for this.

    Open Synchronization Service manager tool as an administrator:
    Click on Connectors Tab
    Right click on the "Active Directory Domain Services" connector type and click Delete.
    In the 'Delete Connector' box, check 'Delete connector space Only' and click Ok > Yes > OK
    Right click on 'Windows Azure Active Directory' connector and click Delete.
    In the 'Delete Connector' box, check 'Delete connector space Only' and click Ok > Yes > OK
    On the open PowerShell window, run the below commands:
     
    Start-AdSyncSyncCycle -PolicyType Initial

    Tuesday, September 17, 2019 5:32 AM
  • Thanks Darren! I'm mainly online now, so I don't have this issue anymore, but thanks for updating the case with the solution.

    Bye,

    Luca

    Tuesday, September 17, 2019 2:25 PM