“The Password Cannot Be Changed at This Time” Error Message When You Try to Change a User’s Password

http://support.microsoft.com/kb/273004/en-us

To resolve this behavior, configure the Minimum Password Age policy setting to 0 days. To do this, define the policy setting, and then configure it. The policy settings should be configured in the Default Domain Group Policy object for users.

To configure the policy setting, follow these steps:
Open Active Directory Users and Computers management console.
Right-click the name of the domain, and then click Properties.

Note If users are configured to a specific organizational unit, select the organizational unit where the users reside.
Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Editor opens.
Expand Computer Configuration, click Windows Settings, click Account Policies, and then click Password Policy.
Right-click Minimum Password Age, and then click Security.
Click to select the Define this policy setting check box, and then set the counter to 0 days.

Note: 0 days is the default policy setting in Default Domain Policy.
After you set the Minimum Password Age setting, the Suggested Value Changes dialog box appears. It indicates that the Maximum Password Age setting will be changed to 30 days.

If you do not change this value, every user who has a password that is 30 days and older receives an error message when they log on that states that their password has expired and that it has to be changed. To set a higher value, click the Maximum Password Age policy that is above the Minimum Password Age policy after the Minimum Password Age setting is applied, and then increase or reduce this setting according to your preferences.

Note You cannot set the Maximum Password Age setting to 0. If you do, this setting will disable the Minimum Password Age policy.
Click OK to close the Security Policy setting.
Close Group Policy Editor and the Active Directory Users and Computers management console.
To update the policy setting, open a command prompt at the domain controller, and then run the following command:
secedit /refreshpolicy machine_policy /enforce
You may have to restart the domain controller for this policy to be updated.