User must log on to change password

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Description

Determines whether users have to log on before they can change their password.

By default, this setting is disabled in the Default Domain Group Policy object (GPO) and in the local security policy of workstations and servers.

If this policy is enabled, then users have to log on before changing their password. Thus, if a user's password expires, the user will not be able to change the expired password, but must instead have an administrator reset the password.