I know I come late to the party, but I have two questions :
Do these 'requirements' specify which commands, exactly, these folks need to execute as 'root' ? If not, WHY not ?
Why would a user on your machine (or server) need to set anyone elses password ? Sometimes it *may* be necessary, but granting access to the 'passwd' program scares me a little.