My guess is you have a Configuration Profiles with the “Security and Privacy: General” payload.
That payload has a “Password Change” key. This can prevent users from changing their login password.

That is sometimes deployed along with Kerberos SSO to force users to change their password via the Kerberos Extension.

Fixed.

In my testing this problem affects macOS 11 (Big Sur) and 12 (Monterey) clients but does not affect 10.14 (Mojave) clients.

So after a painstaking process (ie. using a specific client and excluding specific Configuration Policies on-by-one then restarting) I was able to narrow the problem down to a specific Configuration Profile.

I was then able to narrow it down to a specific payload within the Config Profile.

I found that  'Finder' payload also pushes out 'Login Window Preferences' settings. These settings can be seen in System Preference > Profiles > MyProfileName as soon as the Finder payload is created and saved.

On deleting the Finder payload from the relevant Config Profile & saving the changes the Login Window Settings are immediately removed from the Profile on the client. After a restart the 'Change Password...' boxes are no longer greyed out and users can change their passwords.

I have not drilled down further to see if a specific setting in the Finder payload causes this problem. For now I have just deactivated the Finder payload and my users can change passwords once again.

TLDR: A quick fix is to remove any Finder payloads within Configuration Profiles you may be using.