As a domain administrator on the Domain Controller, go to administrative tools and find the Active Directory Users and Computers snap in. Find the user, right click and select Reset Password.
The user can press ctrl-alt-del and choose the Change Password option.
He should probably avoid doing this work on the Domain Controller. It would make more sense for him to install the AdminPak.msi from Microsoft onto his Windows XP computer and administer the domain from his workstation. AdminPak.msi is available at:: http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en
If you’re running Vista then you should setup a Virtual PC running Windows XP and then install the AdminPak there. I’ve had wierd / quirky results trying to do AD admin work using Vista.