Perhaps no perfect scheme, but you can do better than provide a "lock someone out of their account if you know their username" button as described above.

What is a better method? I'm not disagreeing with you. I am encouraging you to share better ideas.

A better method is to send a special link to a user who requested to reset their password. After clicking on that link they can change it and log-in. That makes it such that the user is the only one that can trigger the reset.

The worst a third party can do is trigger an email (simply note in the email that if you did not request the email to ignore it and that your account is still safe).

This is a common technique.