not to change root password

[Ronald Warner]

in /etc/sudoers, we have the following for helpdesk users:

HELPDESK  ALL = /root/data/, /usr/bin/passwd, !/usr/bin/passwd root

it seems that though i have specified that they can't run "sudo 
passwd root", they can still change root password by running 
"sudo passwd".  how do i fix this?  i want helpdesk to be able to 
change other user's passwords but not root's.

thanks.