Using SEC=NMSAF, password handling is done via external security, (RACF/ACF2/Top Secret).
Individual users can change their passwords through Netmaster if the change password option is activated in the SXCTL member, see KB000023925.
It is not possible to reset another user's password through Netmaster.
When the SAF call goes out to RACF, it includes the requesting userid but there is no information included regarding the status of that userid as secuirity Admin or not. So to external security it appears that an unauthorized 3rd party is attempting to force a password change, which is not allowed. The return code is the same as what is normally used for revoked passwords, even though that is not the case in this instance, so the text does not reflect the actual result.
The solution is to handle forced password changes/resets directly in the external security product.