Perhaps no perfect scheme, but you can do better than provide a "lock someone out of their account if you know their username" button as described above.
A better method is to send a special link to a user who requested to reset their password. After clicking on that link they can change it and log in. That makes it such that the user is the only one that can trigger the reset.
The worst a third party can do is trigger an email (simply note in the email that if you did not request it, you should ignore it, and that your account is still safe).
There is no perfect scheme, because there are no perfect memories...
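A sketch of the reset-link flow described above, as an added example that is not part of the original comments: requesting a reset only queues an email and leaves the current password working, and only the emailed token can change it. The class and method names, the `example.test` URL, the 15-minute lifetime, the single-use and hashed-token storage, and the identical reply for unknown addresses are assumptions that go beyond what the comment states.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed link lifetime, in seconds


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetService:
    def __init__(self):
        self.users = {}    # email -> (salt, password hash)
        self.pending = {}  # sha256(token) -> (email, expiry); raw token is never stored
        self.outbox = []   # (email, link): stand-in for a real mailer

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _hash_pw(password, salt))

    def check_password(self, email, password):
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, _hash_pw(password, salt))

    def request_reset(self, email, now=None):
        # Callable by anyone who knows the address; it touches only pending/outbox,
        # so the current password keeps working and nobody is locked out.
        now = time.time() if now is None else now
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, now + TOKEN_TTL)
            self.outbox.append((email, "https://example.test/reset?token=" + token))
        return "If that address has an account, a reset link has been sent."

    def redeem(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use
        if entry is None or now > entry[1]:
            return False
        email = entry[0]
        self.set_password(email, new_password)
        # Drop any other outstanding links for this account.
        self.pending = {d: e for d, e in self.pending.items() if e[0] != email}
        return True
```
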