I am being asked to provide a list of everyone that has rights to change
passwords, but more specifically, some sort of proof that these users
and only these users can change passwords of others. I know how to look
at a specific user and see what they have rights to but I am uncertain
on how to do it this way. Is there some attribute I can query to see who
has supervisor or admin rights? Even then I think a user still manually
be assigned password change rights, like a help desk tech, without being
in that role. Is there some way to accomplish this?

bobbintb's Profile: https://forums.netiq.com/member.php?userid=5629
View this thread: https://forums.netiq.com/showthread.php?t=53887