First of all, join the Mac to the domain. We add it as a computer to a Mac OU, so we don't inherit policies from other OUs. Once the Mac has been pre-added to the domain through your management console or UMC, enter the credentials to join the Mac to your domain. That's done through Accounts->Login Options->Join. Click the Open Directory Utility button. Enter the password if prompted. Double-click Active Directory. Under Advanced settings, we enable "Create Mobile Account at Login" and disable "Require confirmation..." and "Use UNC path...". Click OK, click Apply and close the window. You should have a green light next to your domain name on the Accounts window.
Once that is complete, we use two command line utilities to join a user to the domain. Open Terminal and type the following:
cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources
sudo ./createmobileaccount -n username
(enter password)
sudo createhomedir -c -u username
This will reach out to the domain, find the user name, add the mobile account to the system, and create a home directory for the user.
At this point, open Accounts again (might have to close and reopen it) and you should see the new account you've created. It's going to be managed, so if you want to give it administrative rights, you'll have to change that manually by clicking the checkbox. We turn off Parental Controls, because it can block things like adding printers or changing system preferences.
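The two commands above wrapped in a script with preflight checks, as an added example that is not part of the original post: it refuses a malformed username before it reaches sudo, confirms the Mac is bound, and confirms the account resolves through the directory before anything is created. It assumes the tool paths and flags given above, and that `dsconfigad -show` prints an "Active Directory Domain = ..." line when the Mac is bound (the sample output in the comments is constructed).

```bash
#!/bin/bash
# Added example, not the original poster's code. Assumes the Mac is already
# bound to AD via Directory Utility as described in the post.
set -u

MCA_DIR=/System/Library/CoreServices/ManagedClient.app/Contents/Resources

# Accept only a plain short name (letters, digits, . _ -, at most 20 chars).
# Returns 0 when acceptable, 1 otherwise, so a typo or stray shell
# characters never reach the sudo commands below.
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]* ) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# Read `dsconfigad -show` output on stdin and print the domain name from the
# line "  Active Directory Domain          = corp.example.com" (constructed
# sample line, assumed format). Returns 1 when no such line is present.
ad_domain_from_show() {
    awk -F'=' '/Active Directory Domain/ {
                   gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; found=1 }
               END { exit found ? 0 : 1 }'
}

# Full procedure for one user: check binding, check the account resolves,
# then create the mobile account and its home directory and verify the record.
provision_mobile_account() {
    user="$1"
    valid_username "$user" || { echo "refusing unsafe username: $user" >&2; return 1; }
    domain=$(dsconfigad -show | ad_domain_from_show) \
        || { echo "this Mac is not bound to Active Directory" >&2; return 1; }
    echo "bound to $domain"
    # A misspelled name would otherwise go to the domain as a failed lookup;
    # `id` resolving it confirms the account exists before anything is created.
    id "$user" >/dev/null 2>&1 || { echo "$user does not resolve via the directory" >&2; return 1; }
    (cd "$MCA_DIR" && sudo ./createmobileaccount -n "$user") || return 1
    sudo createhomedir -c -u "$user" || return 1
    # Confirm the local mobile record now exists and has a home directory set.
    dscl . -read "/Users/$user" NFSHomeDirectory
}

if [ $# -gt 0 ]; then
    provision_mobile_account "$1"
fi
```

Run it as `sudo`-capable admin with the short name as the only argument; it stops at the first failed check instead of sending a bad name to the domain.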
Here's the thing... when a Mac user changes his password at the login prompt, it will also change the keychain password, but NOT the passwords stored in the keychain, nor will it change application passwords, like Outlook or chat clients. Those will have to be changed as part of whatever password change process you have in place. Gotchas are old services saved in the keychain (delete them and recreate them if needed) and 802.1X profiles, if you use them... those services can send multiple bad password requests to the AD server and lock out an account.
Hope this helps!