John Rennie and Sam Cogan's answers (as John so aptly states) are "hacks" insofar as they attempt to disable the user-interface to change passwords but don't actually take away the ability for the user to change their password.
I think you're looking for a change to the permissions Active Directory sets by default on the OU where the user accounts are located. I'm going to caution you against that. Since Microsoft already provides this functionality through an attribute on the user account objects it's really better to use that already-provided attribute than to change the AD permissions. It's likely that you could find a permission that works, and it's also just as likely that the OS isn't going to display helpful messages.
You really should just all the affected users using Active Directory Users and Computers and modifying the properties of the user accounts en masse. Dart's answer is functionally the same as selecting all the user accounts and setting their "User cannot change password" graphically. If you like the command-line better, do that.
There is functionality to do this with an "Extended Right" using Active Directory permissions in Windows 2003. I'm not finding good documentation on the feature. Here's some background on the "extended rights" associated with changing passwords, the first relating to Active Directory "Application Mode" (or whatever Microsoft is calling it this week):
I attempted to verify Massimo's answer by placing a "SELF - Deny - User Objects - Extended Right: Change Password" permission on an OU in my test W2K3 Active Directory (Windows 2003 Domain Functional Level) and found that the user objects at or below that OU were still able to change their passwords using the GUI password change functionality. Looking at each user object, I could see the inherited "Deny" permission, but Active Directory appeared to ignore it.
Just removing the "SELF - Allow - Change Password" permission on a user object gave the me same functionality as the above test. The user was still permitted to change their password.
I'd say, on that basis, that Massimo's answer doesn't do what you want either.
I found this article from Microsoft and tested it out. When I target the script at an individual user object it behaves as desired and the user is unable to change their password. This isn't much help to you, though, since you want to set this on a per-OU basis.
When I target that script from Microsoft at an OU, however, the behaviour on longer is as expected. (Further, if I modify the ACEs added to the OU to apply to "This object and child objects" instead of "This object only" as is granted by the script the behaviour still is not as expected.)
I'm really beating my head into a wall on this one. This looks like a quirk of Active Directory behaviour that isn't well documented. I've been through the "Active Directory Domain Services" and Active Directory schema documentation and I'm not finding documentation to describe this behaviour.
Best Answer
Use a combination of
dsqueryanddsmodeg
This would change password of all users in Sales in New York to "ChangeThisNow!" and force them to change it on login.
Here's a reference on
dsmod