The only way I can think of that is secure enough is by moving all the authentication credentials to an external database, and using the external database authentication plugin. The authentication database could be hosted in the same DB server as Moodle's one, but should be a different database.
This way, you could create a read-only user for Moodle to query the username/password combinations (to manage logins) and a read/write access user for the (additional to Moodle) application that would manage password resets. You could add additional columns in the external users table to store the "managing customer organization", and then a second table where you would map "password manager users" to "managing customer organization". When those password manager users log into the additional application, the application would make sure they would only see and manage the user accounts belonging to their managing customer organization.
You could even develop a Moodle plugin (e.g., using a local plugin) to implement all this, if you don't want to develop a complete external application.
Regards. Iñaki
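The layout described in the post above, sketched as an added example that is not part of the original post or of Moodle itself. It assumes MySQL/MariaDB syntax; the database, table, column and account names are all hypothetical, and the stored hash format is assumed to be one the external database authentication plugin is configured to verify.

```sql
-- Added example: hypothetical names throughout, MySQL/MariaDB dialect assumed.
CREATE DATABASE moodle_auth;          -- separate from Moodle's own database
USE moodle_auth;

CREATE TABLE organizations (
  id   INT AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(255) NOT NULL UNIQUE
);

-- External users table, with the "managing customer organization" column.
CREATE TABLE ext_users (
  username      VARCHAR(100) PRIMARY KEY,
  password_hash VARCHAR(255) NOT NULL,
  org_id        INT NOT NULL,
  FOREIGN KEY (org_id) REFERENCES organizations(id)
);

-- Maps "password manager users" to the organizations they manage.
CREATE TABLE password_managers (
  manager_login VARCHAR(100) NOT NULL,
  org_id        INT NOT NULL,
  PRIMARY KEY (manager_login, org_id),
  FOREIGN KEY (org_id) REFERENCES organizations(id)
);

-- Account Moodle connects with: read-only, and only the login columns.
CREATE USER 'moodle_ro'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT (username, password_hash)
  ON moodle_auth.ext_users TO 'moodle_ro'@'localhost';

-- Account the password-reset application connects with. Write access is
-- narrowed here to the password column, which is all a reset needs.
CREATE USER 'pwmgr_rw'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, UPDATE (password_hash)
  ON moodle_auth.ext_users TO 'pwmgr_rw'@'localhost';
GRANT SELECT
  ON moodle_auth.password_managers TO 'pwmgr_rw'@'localhost';

-- Reset issued by the application as a prepared statement
-- (parameters: new hash, target username, logged-in manager).
-- The join makes it a no-op when the target user belongs to an
-- organization the manager is not mapped to.
UPDATE ext_users u
JOIN password_managers m ON m.org_id = u.org_id
SET u.password_hash = ?
WHERE u.username = ?
  AND m.manager_login = ?;
```

The application should treat an affected-row count of 0 as a denied reset and log it, since the database accounts alone cannot tell one manager from another.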