Hi - the $CFG->restrictusers feature was removed from Moodle because the roles system was supposed to cover this. However it doesn't: there seems to be no way to prevent a user changing their password.
I'm filing this as a bug rather than a feature request because there may well be sites who were using the $CFG->restrictusers feature to provide "demo" accounts (like moodle.org used to do), and who are presumably now unable to do this. A site that I'm working on needs to have a certain class of user unable to edit their password or other details, for example.
I'd guess that there should be a capability for can-edit-own-password, default on.
(Removing of $CFG->restrictusers was a tracker item but I can't seem to find it, sorry.)