I'll have to dig around to see if LEM users can change their passwords, but might I suggest an alternative?
If you configure the LEM Appliance with a Directory Services Query Tool Connector, you can create users based on your AD structure. That means that people log into the LEM with their AD credentials. They can change their AD password in Windows, and the LEM will pick up that change. The connector looks like this:
Then when you build users, instead of picking LEM User, you'd add Directory Services Users:
To login, you'd need to enter your FQDN\user, since the LEM isn't on the domain.
Maybe that alternative will work for you!