ForceChangePassword is an extended right that allows one principal to reset another user's password without knowing the current password. This is a reset operation, not a normal password change. A normal password change proves knowledge of the old password; a reset proves that the caller has delegated reset rights.
The abuse is direct: control the delegated principal, reset the target account, authenticate as the target, then continue enumeration or movement with the target's privileges. In BloodHound this appears as:
ATTACKER --ForceChangePassword--> TARGET USER
This edge is common in helpdesk delegation models. It is legitimate when tightly scoped to normal user accounts, but dangerous when it reaches service accounts, privileged accounts, or accounts that unlock remote access.
In the OOTW lab, helpdesk.one has reset rights over dylan.brooks.