There seems to be a subtle difference between a domain account that has the checkbox "force password change" and an account that merely has an expired password (say after 90 days).
Is there a way to simulate / force an account to "expire" other than changing the policy and impacting all accounts? Are there differences based on the functional level of the domain?
You can set the user's pwdLastSet attribute to a specific date/time, therefore making it expired. You can do that using PowerShell, WSH, VBS, ... Note, however, that the format of the field is Integer8.
In both cases the password must be changed but the difference is that when a password has expired it can no longer be used for authentication, whereas one that requires changing is still valid. As you say, it's subtle.
For testing I would suggest creating a new policy to apply to just a test account and setting the expiry period to something short enough to be useful for that testing.
The end result is the same: the password for the user has to be changed.
You could use a PowerShell script to change the setting for all users on the domain.
There are no differences based on the functional level. The functional level only tells the domain which version of the domain controllers can be on the domain.
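
To make the two states discussed in this thread visible when auditing an account, the following added example (not code from any of the posts) decodes the Integer8 `pwdLastSet` value and separates "must change at next logon" from "expired by age". The function name `Get-PasswordState`, the 90-day maximum age and the sample timestamps are constructed for illustration; it uses only .NET calls, so it runs without a domain.

```powershell
# Added example, not from the thread. Function name and sample values are constructed.
function Get-PasswordState {
    param(
        [Parameter(Mandatory)] [long] $PwdLastSet,  # Integer8: 100 ns ticks since 1601-01-01 UTC
        [Parameter(Mandatory)] [long] $MaxPwdAge,   # negative 100 ns interval; 0 or Int64.MinValue = no expiry
        [datetime] $Now = [datetime]::UtcNow,
        [switch] $PasswordNeverExpires              # account-level "password never expires" flag
    )
    $state = 'Valid'; $lastSet = $null; $expires = $null
    if ($PwdLastSet -eq 0) {
        # Value written by the "User must change password at next logon" checkbox
        $state = 'MustChangeAtNextLogon'
    } else {
        $lastSet  = [datetime]::FromFileTimeUtc($PwdLastSet)
        $noExpiry = $PasswordNeverExpires -or ($MaxPwdAge -eq 0) -or ($MaxPwdAge -eq [long]::MinValue)
        if (-not $noExpiry) {
            # maxPwdAge is stored negative, so negate it to get the lifetime in ticks
            $expires = $lastSet.AddTicks(-$MaxPwdAge)
            if ($Now -ge $expires) { $state = 'ExpiredByAge' }
        }
    }
    [pscustomobject]@{ State = $state; LastSetUtc = $lastSet; ExpiresUtc = $expires }
}

# Constructed sample data: a 90-day maximum age and a fixed "now" so results are repeatable
$maxAge  = -90 * 864000000000    # 864000000000 ticks per day
$now     = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$samples = [ordered]@{
    'checkbox set'     = 0
    'set 152 days ago' = [datetime]::new(2024, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'set 17 days ago'  = [datetime]::new(2024, 5, 15, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
}

foreach ($name in $samples.Keys) {
    $r = Get-PasswordState -PwdLastSet $samples[$name] -MaxPwdAge $maxAge -Now $now
    '{0,-18} {1,-22} expires: {2}' -f $name, $r.State, $r.ExpiresUtc
}

# Against a live domain (ActiveDirectory module), the input would come from:
#   Get-ADUser <name> -Properties pwdLastSet
```

The check uses a single maximum age; an account covered by a separate password policy needs that policy's value passed as `-MaxPwdAge` instead.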