I take the approach proposed by Colleen: client copy using SAP_USER taken prior to refresh and then applied back in. Everything is preserved (users, roles, allocations, passwords).
You could disconnect the target system prior to the refresh and then reconnect post-refresh & using a script to initiate a minor change in the UMR, target system would be refreshed. Unfortunately idocs would also be sent out for other systems. The client copy option is relatively low impact & becomes part of the Basis Team workflow & not yours.