Hello Rajesh,
If the users in your environment only use PAM sessions to connect to the Unix endpoints, then you could use the command filtering feature in PAM to prevent them from using the passwd command while connected via PAM. You can find more information about command filtering here.
If users can access the Unix endpoints outside of PAM, then I would suggest using SELinux or CA PAM Server Control policies to restrict access to the passwd command.
Thanks,
Brian Rehder
CA Support Engineer