I would think you could also set up PCNS so that any time an AD password is changed it would be sent to FIM and password extensions on each target MA for the integrated systems could set that password on the account. Of course that requires that each
integrated system have an MA, an object in each MA joined to the metaverse object representing the user, the password extension exists or can be written for each source, etc.
If you already have the workflow, you're much further along in being able to implement it as Brian suggests. Since the user already exists, the same workflow as initial provisioning may not be appropriate in your case, but the workflow you need could
end up being very similar.
Chris