Why everyone has permissions to change passwords in Active Directory

The Everyone group is granted the Change Password permission on every new user object by default, which lets a user change their own password provided the current password is known. This permission is not inherited from the parent container; it comes from the default permissions applied to every object of class user, which you can inspect with tools such as ADSI Edit or LDP.

According to the Microsoft Knowledge Base article at http://support.microsoft.com/kb/242795, the following holds for Change Password permissions in Active Directory. In practice this means you typically do not need to delegate the Change Password permission to an application’s service account.

“The Everyone group has Change Password permissions on all computer and user objects so that unauthenticated or “anonymous” users or computers are able to change their passwords when they expire without having to be authenticated first. If the anonymous user is denied the ability to change passwords, the user would be unable to change the password without logging on. The Access Control List (ACL) editor can be used to revoke this permission, but use this editor with caution.”
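As an added example (not code from the original post or the KB article), the following PowerShell reports which trustees hold the Change Password and Reset Password extended rights, both in the schema default security descriptor for the user class (the source of the Everyone ACE described above) and on one user object. It assumes the RSAT ActiveDirectory module on a domain-joined host and uses 'svc-example' as a placeholder account name.

```powershell
# Added example: audit Change Password vs Reset Password extended rights on user objects.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the schema's controlAccessRight objects.
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

function Get-PasswordRightHolders {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Label
    )
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.ActiveDirectoryRights.HasFlag($extended) -and
            ($_.ObjectType -eq $ChangePasswordGuid -or $_.ObjectType -eq $ResetPasswordGuid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Source    = $Label
                Trustee   = $_.IdentityReference.Value
                Right     = $(if ($_.ObjectType -eq $ChangePasswordGuid) { 'Change Password' } else { 'Reset Password' })
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# 1. The schema's defaultSecurityDescriptor for objectClass=user is an SDDL string;
#    this is where the Everyone / Change Password ACE on new user objects comes from.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                          -Properties defaultSecurityDescriptor
$defaultSd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$defaultSd.SetSecurityDescriptorSddlForm($userClass.defaultSecurityDescriptor)
$results = @(Get-PasswordRightHolders -Acl $defaultSd -Label 'schema default (user class)')

# 2. The effective ACL on an existing user object; 'svc-example' is a placeholder name.
$user    = Get-ADUser -Identity 'svc-example'
$userAcl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$results += Get-PasswordRightHolders -Acl $userAcl -Label $user.DistinguishedName

$results | Format-Table -AutoSize
```

Change Password requires the current password, which is why the default grant to Everyone is acceptable; Reset Password does not, so any trustee other than the expected administrative groups holding it on a service account deserves a closer look.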