You have SharePoint 2016 set up to import user profiles from Microsoft Identity Manager (MIM) 2016.
You have configured User Profile Pictures (PictureURL property) to import from Active Directory Attribute Thumbnailphoto.
You run the Sync and everything is successful including the MOSS_Export sync step.However, after running the Update-SPProfilePhotoStore command, you notice that only some of the users get a profile picture.Full Command:
Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true -MySiteHostLocation http://mysiteHost
Go to Central Administration | Manage Service Applications, and select the row for your User Profile service app.
Choose Permissions in the Ribbon. Add the Farm Service Account there with Full Control.
Go to Central Admin | Manage Web Applications, choose the Mysite Web App.
Choose User Policy in the Ribbon. Add the Farm Service Account there with Full Control.
In the MIM client, go to Management Agents, and go to the properties of the SharePoint MA.
On the Connectivity page, change the SharePoint User Credential to the SharePoint Farm Service Account, set the password, and choose OK to save.
In the MIM client, delete the SharePoint connector space.
Go to Management Agents, right-click on the SharePoint MA and choose Delete.
Select “Delete connector space only”, and click ok.
Run an end-to-end Full Sync by running the following PowerShell on the MIM server:
-- This is necessary to trigger all the pictures for export to SharePoint again. If you don’t do this, the pictures will not be exported, even if you do a Full Sync because they have not been changed in Active Directory.
-- There may some errors on MOSS_Export due to deleting the connector space. Those can typically be ignored.
5. Process all GUID_RecordID.jpg pictures into their respective thumbnails by running this PowerShell on a SharePoint server:
Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true -MySiteHostLocation http://<yourMySiteHost>
6. Verify we have all the pictures now.
We can compare the number of users in the Metaverse that have values for “photo” with the number of profiles in the Profile DB where “PictureURL” is populated.
If you do a Metaverse Search in the MIM client (miisclient.exe) for Object Type: “person” where the “photo” attribute “Is present”, that should give you a number. Note: you may have to add the “photo” column to the results pane.
Then run this query against the SharePoint Profile database for comparison: select * from upa.userprofile_Full where pictureurl like 'http%'
Note: These two numbers will not necessarily be exactly the same for several reasons, but they should be relatively close.
1. The Export step for the SharePoint MA creates a single picture within the “User Photos” library at the root of the Mysite host site collection. The pictures are created in the format of GUID_RecordID.jpg, where GUID is the partitionID, and RecordID is the value of the users recordID in the upa.userprofile_Full table in the Profile database.
Note: At this point, your users will not show any pictures and the pictureURL column in the UserProfile_Full table in the Profile database will still be blank.
Note: Now the user should show a picture in their profile and the PictureURL column will be populated.In the scenario described above, the failure occurs at step 1. I figured that out by getting verbose ULS logs from the server that the SharePoint MA in MIM was pointed to.
Note: normally, this will be the Central Admin server. The URL on the “Configure Connection Information” page for the SP MA will be pointed at something like this:
http://<CAServer:Portnumber>/_vti_bin/ProfileImportExportService.asmx?ApplicationID=<UPA-Guid>-- It’s best to check the URL that MIM is pointed at for ProfileImportExportService.asmx to make sure you’re getting logs from the right server.-- Turn logging up to verbose and get logs that cover the entire run of the Export step.
-If you’re hitting this problem, you’ll find errors like this:w3wp.exe (0x0AF8) 0x20CC SharePoint Foundation General ai1wu Medium System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace: at Microsoft.SharePoint.SPWeb.GetList(String strUrl) at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.LoadPictureLibrary(SPWeb rootWeb, ProfileType profileType) at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetOrCreatePictureFolder(String mySiteHostUrl, ProfileType profileType, Boolean createIfNotFound, Boolean forFeedAttachment) at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.SaveImportedPictureToLibrary(UserProfileManager userProfileManager, Int64 recordId, Byte binaryPicture) at Microsoft.Office.Server.UserProfiles.UserProfile.BulkPropertiesUpdate(Int64 importExportId, Hashtable properties, String accountName) at Microsoft.Office.Server.UserProfiles.ProfileImportExportService.<>c__DisplayClass2a.<UpdateWithProfileChangeData>b__28(Int32 idx) at <truncated>w3wp.exe (0x0AF8) 0x20CC SharePoint Portal Server User Profiles agw5g High SavePictureToLibrary: Error processing the photo URL 0c37852b-34d0-418e-91c6-2ac25af4be5b_54.jpg for user 54: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.GetMetadataForUrl(String bstrUrl, Int32 METADATAFLAGS, Guid& pgListId, Int32& plItemId, Int32& plType, Object& pvarFileOrFolder)
at Microsoft.SharePoint.SPWeb.GetList(String strUrl)
at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.LoadPictureLibrary(SPWeb rootWeb, ProfileType profileType)
at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetOrCreatePictureFolder(String mySiteHostUrl, ProfileType profileType, Boolean createIfNotFound, Boolean forFeedAttachment)
at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.SaveImportedPictureToLibrary(UserProfileManager userProfileManager, Int64 recordId, Byte binaryPicture)
User Profile Service Application
Profile picture import export