How to enable password challenge in Active Directory?
There is nothing built-in to Active Directory to allow self-serve password resets. The only Open Source utility in this vein that I am aware of is pwm.
Of course, as I'm sure you already know, this isn't a technology problem, this is a personnel problem. What you need is management support behind an initiative to encourage employees to take responsibility for their own technology.
At one place I'm aware of, password resets as a result of lockout caused a $5 charge. In cash. In a tip jar. On the Sr. SysAdmin's desk. That kind of management is awesome. That is not the norm, but nevertheless, you can implement whatever technology you want, but after you implement a self-serve portal, people will simply ignore the URL for the page and instead call you on your desk phone whining "You used to do this for me before!"