Firstly, you’ll have to delegate authority to the users to not only change their passwords but to remove themselves from lockout. This means that all users will be able to change each other’s passwords etc. This is your first hurdle. A timeout for lockouts would be the easiest solution to part of this problem.
You’ll then have to write something which contacts the LDAP database. In VBScript you can use a GetObject LDAP query, so you could have an ASP page which would pull the user out. You could then use the SetPassword function to set the password and then set the pwdLastSet attribute to 0.
Are you sure this is a big enough issue for you to justify this little headache? It would be easier to modify user behaviour, like telling them there’s a three-day wait on password resets or something. Make them fill in some long-winded form so it becomes easier for them to remember their password than get it changed.
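The steps described in the answer above (bind with GetObject, call SetPassword, set pwdLastSet to 0, clear the lockout), as an added VBScript example that is not part of the original answer. It assumes the script runs under a dedicated account delegated reset rights on one OU only, rather than every user holding that right, and that the caller has already verified who is asking; the OU name, the function names and the adminCount guard are assumptions for illustration.

```vbscript
Option Explicit

' Constructed value: the only OU this page is allowed to touch.
Const SELF_SERVICE_OU = "OU=Staff,DC=example,DC=com"

' True when the DN sits under the allowed OU (case-insensitive suffix match).
Function InAllowedOU(userDN)
    Dim suffix
    suffix = "," & LCase(SELF_SERVICE_OU)
    InAllowedOU = (LCase(Right(userDN, Len(suffix))) = suffix)
End Function

' Resets the password, forces a change at next logon and clears a lockout.
' Returns False without touching the directory when the target is out of scope.
' Assumes userDN contains no characters that need escaping in an ADsPath.
Function ResetUserPassword(userDN, newPassword)
    Dim objUser, adminCount
    ResetUserPassword = False

    If Not InAllowedOU(userDN) Then Exit Function

    ' Binds with the credentials of the running process (the delegated account).
    Set objUser = GetObject("LDAP://" & userDN)

    ' Refuse accounts marked as protected (adminCount = 1), e.g. domain admins.
    adminCount = 0
    On Error Resume Next
    adminCount = objUser.Get("adminCount")   ' raises an error when the attribute is unset
    Err.Clear
    On Error GoTo 0
    If adminCount = 1 Then Exit Function

    objUser.SetPassword newPassword          ' applied immediately by ADSI
    objUser.Put "pwdLastSet", 0              ' user must change password at next logon
    objUser.Put "lockoutTime", 0             ' clears an existing lockout
    objUser.SetInfo                          ' commits the two attribute changes
    ResetUserPassword = True
End Function

' Example call with a constructed DN:
' ok = ResetUserPassword("CN=Jane Doe,OU=Staff,DC=example,DC=com", tempPassword)
```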