Friday, December 4, 2015

Prevent Users from Changing Photo in OWA

Using Outlook Web App (OWA, or Outlook on the Web as it is now known), users can change/update their photo using two methods:
1.    By clicking on the Display Name (Exchange 2013) or user photo (Exchange 2016) in the main OWA window and then Change:
 
2.    Using the options menu and then account followed by Edit information... in Exchange 2013, or “My account” section:
 

 

 
Some companies do not like the idea of users updating their pictures themselves. There are already many posts out there on how to prevent users from changing their photo in OWA. However, some posts only say to change the SetPhotoEnabled parameter to False for all OWA virtual directories:
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -SetPhotoEnabled $False
 
If we now click on our display name or photo, the Change button is now gone:

 

The problem is that this method might only prevents users from clicking their photo to change their photo! It is possible that users can still change it through the options menu:


The reason why this might happen is because this setting only applies to mailboxes if they do not have an OWA Mailbox Policy applied to them! If they do, then we also need to update this policy, whether it is the Default policy or not. In this case I am updating all policies and applying the default one just to my account for testing:
Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -SetPhotoEnabled $False
Set-CASMailbox nuno -OWAMailboxPolicy Default

Now the change button is finally gone:


10 comments:

  1. How do I apply this to all mailboxes? Set-CASMailbox nuno -OWAMailboxPolicy Default just does them one at a time!

    ReplyDelete
    Replies
    1. Hi Rick,

      Simply run: Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

      Regards,
      Nuno

      Delete
  2. Hi. When I run the "Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -SetPhotoEnabled $False" cmd I get the error returned "Get-OWAVirtualDirectory : The term 'Get-OWAVirtualDirectory' is not recognized as the name of a cmdlet, function etc... What am I missing?
    Thanks

    ReplyDelete
    Replies
    1. Hi,

      You get an error about Get-OWAVirtualDirectory when you run Get-OWAMailboxPolicy?! Can you please post the exact cmdlet and output?

      Regards, Nuno

      Delete
  3. Apologies. I meant when I run Get-OWAVirtualDirectory I get the error. If I run Get-OWAMailboxPolicy then it runs ok. So all sorted thanks!

    ReplyDelete
  4. Hi. Thank you for this article. Does it work exchange 2016?

    ReplyDelete
  5. Hej Nuno. Thank you for your blog.
    What I would like to get is that I would like to prevent users to change the picture, but in the same time I have one service account over a script, which fills those from HR database.
    How can I prevent change to all except for this service account, which will need to be able to change the picture for everyone?

    Thank you in advance

    ReplyDelete
    Replies
    1. Hi Herbert,

      That is perfectly doable! You can use this method to prevent your users from changing their photo, and then assign your service account permissions to run the Set-UserPhoto cmdlet. If you want to be restrictive, you can check this page (https://technet.microsoft.com/en-us/library/dd638132(v=exchg.160).aspx#Anchor_4) to see exactly what permissions the service account needs.
      Hope this helps!

      Regards,
      Nuno

      Delete