How do I download the avatar image from an Active Directory server?

I'm using the ldapsearch.exe binary that was installed along with an Oracle client. It took awhile to tease out the arguments that it wanted, but I'm able to successfully connect to AD and parse out text attributes (given a username, look up an email, etc). But I'd also like to grab the avatar images that Exchange/Lync use. According to some Microsoft documentation I dug up, the attribute name is thumbnailPhoto. I couldn't figure it out at first, but this command doesn't produce angry error messages:

ldapsearch -v -h xxx.yyy.edu -Z -b cn=USERNAME,ou=Computers,ou=yyy,dc=yyy,dc=edu cn=USERNAME thumbnailPhoto

When I run that, I get the following output:

ldap_open( xxx.yyy.edu, 389 )
filter pattern: cn=USERNAME
returning: thumbnailPhoto
filter is (cn=USERNAME)
CN=USERNAME,OU=Computers,OU=yyy,DC=yyy,DC=edu
1 matches

There is no file in the current directory, there is no file in %TEMP%. If I use -t with or without arguments, no files are downloaded. No binary garbage fills the console window. I get identical behavior whether or not I run the command from bash (msys) or cmd.exe.

What gives? It looks like I'm doing everything right. But I'm running out of ways to debug. Am I not even using the right tools?

If you may use powershell instead of ldapsearch, then try this:

$user = Get-ADUser John -Properties thumbnailPhoto
$user.thumbnailPhoto | Set-Content c:\temp\1.jpg -Encoding byte