The Everyone group has the Change Password user right on all user and computer objects, so that unathenticated or 'anonymous' users or computers can change their passwords when they expire, without having to be authenticated first.

If an 'anonymous' account is denied this ability, the user would have to log on before they could change their password.

To provide security, you must know the existing password before you can change it.

To view/set this right:

1. Administrative Tools / Active Directory Users and Computers.

2. On the View menu, make sure that Advanced Features is checked.

3. Navigate to a user account and right-click to press Properties.

4. On the Security tab, select the Everyone group.

NOTE: By default, Change Password is the only right enabled.