This kind of thing is a fairly common requirement for folks who attend the ICELib class. Usually, they want a stand-alone "password re-setter" for a helpdesk that generates a new random password, changes it and then e-mails the new password to the user.
I would probably do something like that, possibly on a web service somewhere, and then set up your client button to run the re-setter app or call the service. The user ID for the currently logged in user (as authenticated by Windoze) should be available for use as a command-line argument when the button is used.
HTH
I do have a question, though. If they are using Windoze authentication and already logged in to the client, why do they need their IC password? Just curious, not trying to be an ass. (It always helps to get the full use cases, not just for giving answers, but also to use as examples in class....)