Scripting is an admin privilege that is normally not granted to user accounts.
See "Allow administration" User object property, in "Admin Rights" page.
It's nothing to do with admin rights in EEM - this is a local lack of administration privilege when talking to the driver. For whatever reason, the implementation of that command insisted on admin rights being required, I guess to stop rogue software changing or trapping user passwords without them knowing.
I've finally circled back to this project and am still stuck here.
My users are not local admins. You stated that 'for whatever reason' the changepasswordlocal command requires the user to be a local admin.
If a user can change their endpoint encryption password as a non-local admin through the Windows login checkbox - why can't I accomplish this same thing through code? Granted, there should be some checking to ensure the code is running under that local user's security context, and is authenticated to the SB server. Also that the old passwords match.
To add to my point, I'm able to change the local user's Windows password without issue -- UserPrincipal.Current.ChangePassword(oldPassword, newPassword) works, Windows will pass the change off to Active Directory. If my OS will allow it, it seems to me that endpoint encryption should be able to allow it also.
Thanks for your time,