Users with password problems will sooner or later call the help desk for assistance. This remains true even after password synchronization has been deployed, which reduces how often password problems occur, and after self-service has been deployed, which lets users solve many of their own problems.
Help desk analysts answer these calls, verify the caller's identity (at least in theory) and reset one or more passwords.
To reset passwords, help desk analysts must hold some administrative privilege on the system in question. If they do not, the call is escalated to a system administrator, which is slow for the end user and costly for the IT organization.
On many systems, the privilege required to reset passwords is inextricably bundled with other administrative rights (creating users, starting and stopping services, reading any data on the system) that help desk analysts do not need in order to do their jobs.
When help desk analysts hold too many privileges, two security problems follow: an analyst may compromise security, intentionally or accidentally, and an analyst's account may be taken over by an intruder, who then inherits every right attached to it. Both problems are made worse by the large number of help desk analysts in an enterprise-scale organization (more potentially malicious "insiders" and more target accounts for intruders) and by the high turnover rate of help desk staff, which in a typical organization is around 50% per year. That turnover means a steady stream of privileged accounts to provision and, just as importantly, to deprovision promptly on every system where they were granted.
The principle of least privilege says that, wherever possible, help desk analysts should not be given these extraneous privileges. Since many systems have no way to grant password reset rights without also granting other, unrelated rights, an external application can be deployed as an intermediary between the analyst issuing the password reset and the target system on which it is carried out. With such an intermediary (Hitachi ID Password Manager), only the application needs administrative rights on the target system; analysts sign into the application, not into the target system, and the application can limit them to the one operation they actually need.
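The intermediary pattern in concrete form, as an added example that is not Hitachi ID Password Manager's code or API: a toy TargetSystem whose single administrative token unlocks both password resets and user creation (the coupling described above), and a ResetBroker that is the only holder of that token. Analysts authenticate to the broker with their own credentials; the broker checks that the analyst is enrolled, that the caller was verified, and that the target account is not privileged, then performs the reset with its own credential and records the attempt. Every name here (TargetSystem, ResetBroker, the accounts alice and sysadmin, the analyst hd_bob) is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
import string


class TargetSystem:
    """Stand-in for a system whose privileged credential is all-or-nothing:
    one admin token both resets passwords and creates users."""

    def __init__(self, admin_token):
        self._admin_token = admin_token.encode()
        # Constructed accounts: one ordinary user, one privileged account.
        self.users = {
            "alice": {"password": "Summer2024", "privileged": False},
            "sysadmin": {"password": "correct-horse", "privileged": True},
        }

    def _require_admin(self, token):
        if not hmac.compare_digest(token.encode(), self._admin_token):
            raise PermissionError("administrative token required")

    def set_password(self, token, username, new_password):
        self._require_admin(token)
        self.users[username]["password"] = new_password

    def create_user(self, token, username, privileged=False):
        self._require_admin(token)
        self.users[username] = {"password": secrets.token_urlsafe(12),
                                "privileged": privileged}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetBroker:
    """The intermediary: holds the admin token so analysts never see it,
    authenticates analysts itself, and offers exactly one operation."""

    def __init__(self, target, admin_token):
        self._target = target
        self._admin_token = admin_token   # never returned to any caller
        self._analysts = {}               # analyst name -> (salt, pbkdf2 hash)
        self.audit = []                   # append-only record of every attempt

    def enroll_analyst(self, username, password):
        salt = secrets.token_bytes(16)
        self._analysts[username] = (salt, _hash_password(password, salt))

    def _authenticate(self, username, password):
        if username not in self._analysts:
            return False
        salt, stored = self._analysts[username]
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def _log(self, analyst, target_user, action, detail):
        self.audit.append({"analyst": analyst, "user": target_user,
                           "action": action, "detail": detail})

    def reset_password(self, analyst, analyst_password, target_user, caller_verified):
        """Return a fresh temporary password for target_user, or raise
        PermissionError. Every attempt, allowed or denied, is audited."""
        def deny(reason):
            self._log(analyst, target_user, "denied", reason)
            raise PermissionError(reason)

        if not self._authenticate(analyst, analyst_password):
            deny("analyst authentication failed")
        if not caller_verified:   # the analyst attests that the caller was verified
            deny("caller identity not verified")
        if target_user not in self._target.users:
            deny("no such user")
        if self._target.users[target_user]["privileged"]:
            deny("privileged accounts are outside help desk scope")

        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(16))
        # The only place the admin token is used, and only for set_password.
        self._target.set_password(self._admin_token, target_user, temp)
        self._log(analyst, target_user, "reset", "ok")
        return temp


def build_scenario():
    """Constructed wiring: target, broker and one enrolled analyst (hd_bob)."""
    admin_token = secrets.token_hex(32)
    target = TargetSystem(admin_token)
    broker = ResetBroker(target, admin_token)
    broker.enroll_analyst("hd_bob", "analyst-passphrase")
    return target, broker, admin_token


if __name__ == "__main__":
    target, broker, _ = build_scenario()
    print(broker.reset_password("hd_bob", "analyst-passphrase", "alice", True))
```

Note what the analyst never receives: the admin token, and any path to create_user. Off-boarding a departed analyst is a one-line change in the broker's own store rather than an administrator-account cleanup on every target system, which is the part the turnover figure above makes expensive. In a real deployment the broker's credential store would be an enterprise directory and the audit list a tamper-evident log, but the privilege boundary is the same.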