If you remember this option from Windows NT, or you found the User must log on to change password topic in the Group Policy help file (Gp.chm):
Description: Determines whether users have to log on before they can change their password.
By default, this setting is disabled in the Default Domain Group Policy object (GPO)
and in the local security policy of workstations and servers.
If this policy is enabled, then users have to log on before changing their password.
Thus, if a user's password expires, the user will not be able to change the expired password,
but must instead have an administrator reset the password."