The Group Policy Help file, Gp.chm, contains the following:

User must log on to change password

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Description: Determines whether users have to log on before they can change their password. By default, this setting is disabled in the Default Domain Group Policy object (GPO) and in the local security policy of workstations and servers. If this policy is enabled, then users have to log on before changing their password. Thus, if a user's password expires, the user will not be able to change the expired password, but must instead have an administrator reset the password.

This documented behavior is just like Windows NT 4.0, but the author failed to realize that the option has been removed in Windows 2000.