Alright, I need to post this so that I have it written down somewhere, because it was a little bit of a pain in the ass to get just right.
Do you administer a modern Windows domain? Are you tired of seeing the sunflower or the mannequin-like brown man as the account logo that appears whenever you log in to a computer? Sure you can customize it locally on your own workstation, but you still see those annoying defaults any time you connect to a remote server or log in to a new PC on which you haven't configured your profile.
Well here is how I've configured my domain so that all users get a new, customized logon logo. The first thing to consider is you need a new, customized logo. Maybe it's your company logo. It needs to be accessible during logon to all users to which you want the new image to apply.
So first, I'll make a new image:
It's probably best to make it a bitmap (*.bmp) and 128x128 pixels. You might be able to play around a little with those properties, but that's what the sunflower was so I'm playing it safe.
Now since I want everyone to be able to get at this image during logon, I'm going to put it on a network share. In this case, the network share is a DFS share and namespace that is on both of my domain controllers for high-availability. Very much like SYSVOL.
That's a lot of information in one screenshot there, but it's just me putting my 128x128 bitmap of my new logon image on a network share; somewhere where everybody in your domain can access it.
Next, it's time for some group policy work. Log in to one of your domain controllers. Fire up Group Policy Management Editor. Now I went ahead and put this in my Default Domain Policy. But maybe you want to be a little more scrupulous. You could create an entirely new GPO for this, apply it only to certain users, etc. But for my little test domain, the Default Domain GPO will be just fine.
The setting you want to edit is User Configuration -> Preferences -> Windows Settings -> Files. You want to add a new file and make it look like just what I have here:
It's very important that you choose "Replace," as the other options like Create and Update will tempt you, but will ultimately only end in frustration as you wonder why the $@&# it isn't working. What we're doing here is assigning every user that is affected by this GPO (which is basically everyone in the domain since it is the default domain GPO,) that they grab the source file from the network share, and replace their local %PROGRAMDATA%\Microsoft\User Account Pictures\user.bmp with it. That is the local default logon picture for Vista and 2k8/R2 versions. Shame on you if you're running older OSes anyway.
One last piece is that you could edit that GPO to disallow users from changing the logon picture to something else. That setting is at Computer Configuration -> Policies -> Administrative Templates -> Control Panel -> User Accounts -> Apply the default user logon picture to all users. If you set that to Enabled, regular users will not be able to change the default user account picture that you have now set for them.
It's also worth noting that yes, you can store images in user account objects within the Active Directory database itself. Each user account object has a thumbnailPhoto, thumbnailLogo, and jpegPhoto attribute in the AD database. You can store images here, and they will be replicated along with all the other database data, and as you would imagine, such activity would quickly bloat your database and complicate AD replication. Also, these attributes are only used by certain applications such as Outlook 2010, Sharepoint, etc. This will not affect the "user tile" or Windows logon image as we have done here.
(repadmin /syncall on your domain controller to replicate new changes to other DCs. gpupdate on your workstation to pull the new changes down from the DC.)
Check out that new sexy default logon picture! It will now show up by default wherever I login in the domain.