Once click the forgot link and enter username, Salesforce will send email associated with user name with security question. User must answer a previously defined security question before they can reset their password and log in. If user has not defined a security question, or fails to answer the security question correctly, the password is not reset.
Once user answer the security correctly, user will get an email with a link in the email to reset password, this link will expire after 24 hours and it will active only for once, meaning user click the link then ignore it, and later user click the link again, it has been expired.
There is a maximum of five requests to change a password in a twenty-four hour period, while administrator can reset a password as often as needed.
Depend on your org password policy or profile password policy, if maximum invalid login attempts is not set to No Limit, user account will be locked after few times trial with invalid password, number of trial allowed depend on setting in maximum invalid login attempts before it locked. Resetting locked-out users’ password automatically unlocks their accounts as well.
For some reason, when administrator reset user password, we have user get email with subject: Salesforce.com password reset failure and content as below:
Dear User Name,
Your administrator has reset your password. However, your password cannot be reset at this time.
If you have any questions, please contact the salesforce.com administrator for your company.
Root cause analysis: after hours of testing and finding, above issue happened when admin reset user password, but the user just change his password within 24 hours, or just set his password for the 1st time within 24 hours, and Require a minimum 1 day password lifetime is enabled in Password Policies setting. If this option is selected, passwords can’t be changed more than once in a 24 hour period.