Instead of trying to keep passwords in sync between AD and your ABAP systems, you could also user Kerberos based single sign-on. In that case the passwords stored in the ABAP system are no longer relevant as users will use their Windows/AD authentication to access ABAP systems.
You will find more information at
http://scn.sap.com/community/sso
This might be more cost efficient than the workarounds you are looking for.
Best regards,
Christian