Keychain Broken / AD / Changed Password

mattd25b
New Contributor

So here at the University we have Caspered Macs on 10.8 and above. The issue we are having is that when a user's password is changed, the keychain prompts the user to enter the Local Items keychain password (I assume their old one?) or asks for access to their login keychain. Some people are not able to remember this, leaving us with a situation where, if we delete the keychain, it causes other issues.

What is the best way to manage the keychain within the JSS so that this sort of password reset process doesn't lock the user out of the keychain?

Thanks


joshuasee
Contributor III

Unless there is a significant need for saved passwords or certificates, don't try to manage the user keychain. Just blow it away.

rm -rf ~/Library/Keychains/*

It will get recreated at next login. If this is done while the user is logged in, quit Safari before erasing it and then run Safari again. Upon surfing to a site with a cacheable form, they will be prompted to recreate the keychain.

emily
Valued Contributor III

I think @rtrouton's ADPassMon fork helps fix this too.

mm2270
Legendary Contributor III

The ADPassMon fork is from @bentoms, not @rtrouton.

mm2270
Legendary Contributor III

Also, relating to the OP, are the passwords being changed ON the Mac, or from the back end, like in AD? If it's the latter, that's likely the reason the password doesn't get synced. If a user's password gets changed in AD, it often breaks the password sync process on the Mac. Best practice is either to use a company password change process that syncs the change to all domain controllers, or to have users change their password on their Mac. As long as the Mac's connection to AD is healthy it should feed the change back up, or if it's changed through a password reset site, it should feed the same change back down to the Mac if it's connected to the network.

In cases where the login.keychain password does not get synced correctly with the change in AD, the only possible way to fix this is to know the old password so it can be unlocked FIRST, and then the login.keychain password can get reset to the new one. If the user has forgotten their old password, there is literally no way to unlock it and get back in short of using some crazy brute force password hacking system. The login.keychain password can't be easily decrypted, so your best bet is to delete it and have it recreated at next login. Yes, all previous keychain entries are lost, but there's really nothing else you can do.
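As an added example, not code from any post in this thread: a shell script that does what mm2270 describes when the old password is known (unlock login.keychain with the old password and re-key it to the new one using the macOS `security` tool), and otherwise moves the whole ~/Library/Keychains directory aside with a timestamp rather than `rm -rf`-ing it as joshuasee suggests, so a fresh keychain is created at next login but the old entries can still be recovered if the user later remembers the password. It assumes the login keychain lives at ~/Library/Keychains/login.keychain (login.keychain-db on 10.12 and later), that the Local Items keychain sits in the per-user UUID subdirectory next to it, and the `security set-keychain-password -o OLD -p NEW KEYCHAIN` subcommand; the function names and the fake home directory used to exercise it are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): repair a login keychain whose password no
# longer matches the user's AD password. With the old password, re-key it via
# security(1); without it, archive the keychain directory instead of deleting it.
# Assumptions (not stated in the thread): keychain file names below and the
# `security set-keychain-password` subcommand.

set -u

# Print the login keychain path for the home directory given in $1.
# Prefers the 10.12+ file name, falls back to the older one.
login_keychain_path() {
    kc_dir="$1/Library/Keychains"
    if [ -f "$kc_dir/login.keychain-db" ]; then
        printf '%s\n' "$kc_dir/login.keychain-db"
    else
        printf '%s\n' "$kc_dir/login.keychain"
    fi
}

# Unlock the login keychain with the OLD password and set the NEW one.
# Returns 2 when security(1) is missing (e.g. when run on a non-Mac for testing),
# otherwise the exit status of `security`.
rekey_login_keychain() {
    home="$1"; old_pw="$2"; new_pw="$3"
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; cannot re-key keychain" >&2
        return 2
    fi
    kc=$(login_keychain_path "$home")
    # Passwords are passed on the command line here only for illustration;
    # in production omit -o/-p so `security` prompts and nothing lands in
    # shell history or `ps` output.
    security set-keychain-password -o "$old_pw" -p "$new_pw" "$kc"
}

# Move ~/Library/Keychains aside (login keychain and the UUID folder holding
# Local Items go together) and print the backup path. macOS recreates both at
# the next login, exactly as `rm -rf` would cause, but nothing is lost.
archive_keychains() {
    home="$1"
    kc_dir="$home/Library/Keychains"
    [ -d "$kc_dir" ] || { echo "no keychain directory at $kc_dir" >&2; return 1; }
    backup="$home/Library/Keychains.broken.$(date +%Y%m%d%H%M%S)"
    # Safari keeps the keychain open; quit it first, as joshuasee notes.
    pkill -x Safari 2>/dev/null || true
    mv "$kc_dir" "$backup" || return 1
    printf '%s\n' "$backup"
}

# Choose the path: re-key when the old password is known, archive otherwise.
# Usage: fix_keychain HOME NEW_PASSWORD [OLD_PASSWORD]
fix_keychain() {
    home="$1"; new_pw="$2"; old_pw="${3:-}"
    if [ -n "$old_pw" ]; then
        rekey_login_keychain "$home" "$old_pw" "$new_pw"
    else
        archive_keychains "$home"
    fi
}

# Example invocation when run interactively for the logged-in user:
#   fix_keychain "$HOME" "$NEW_PASSWORD" "$OLD_PASSWORD"   # old password known
#   fix_keychain "$HOME" "$NEW_PASSWORD"                   # old password lost
```

Run it as the affected user (not as root from a policy), since a re-keyed keychain must be unlockable in that user's session; if you deploy the archive branch through the JSS, point it at the user's home rather than root's.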

joemamasmac
New Contributor III
rm -rf ~/Library/Keychains/*

It will get recreated at next login. If this is done while the user is logged in, quit Safari before erasing it and then run Safari again. Upon surfing to a site with a cacheable form, they will be prompted to recreate the keychain.

Are you running this on a logout hook?