You'll have to add them to the local administrators group - normal users don't have the right to talk to drivers.
Hey Simon, hope all is well - I've been following your blog - good stuff!
I can't believe what I'm reading :eek: I cannot add my users to local admins, this is one of the more critical aspects to end user security!
There must be some way to accomplish more granular permissions to this I hope.
What API calls are you trying to do? You might have to simply run your code under a higher privileged account though.
I'm getting good responses to:
but I get the e0020021 error on <Command>ChangePasswordLocal</Command> where I'm not actually trying to change the password, but just verify the account. (i.e., I do not provide a NewPassword value)
I am using SbAdminConnection also and getting back a success response to the connection prior to using ChangePasswordLocal.
Simon, can you give me a bit more info on why access, when authenticated with an sbadmin account, would be denied?
A local non-admin user certainly has the ability to change their own passwords, so I'm stumped why this would not work through scripting?
Scripting is an admin privilege that is normally not granted to user accounts.
See "Allow administration" User object property, in "Admin Rights" page.
It's nothing to do with admin rights in EEM - this is a local lack of administration privilege when talking to the driver. For whatever reason, the implementation of that command insisted on admin rights being required, I guess to stop rogue software changing or trapping user passwords without them knowing.
I've finally circled back to this project and am still stuck here.
My users are not local admins. You stated that 'for whatever reason' the changepasswordlocal command requires the user to be a local admin.
If a user can change their endpoint encryption password as a non-local admin through the Windows login checkbox - why can't I accomplish this same thing through code? Granted, there should be some checking to ensure the code is running under that local user's security context, and is authenticated to the SB server. Also that the old passwords match.
To add to my point, I'm able to change the local user's Windows password without issue -- UserPrincipal.Current.ChangePassword(oldPassword, newPassword) works, Windows will pass the change off to ActiveDirectory. If my OS will allow it, it seems to me that endpoint encryption should be able to allow it also.
Thanks for your time,