Add a capability for Helpdesk staff to reset password on behalf of the user who forgot password (via both Notes and Web UI). This would also avoid the authentication problem if Notes and Internet password are synchronized via policies, because does not require to authenticate the user against a different set of credentials in another foreign directory (AD/LDAP) - if there is any.
Also would allow reset in case user cannot reach the web UI because he is outside of company and cannot connect to company Intranet because the VPN connection login also requires the same password which he forgot.