Hi Guillaume,
First of all, you need to differentiate the password source. It can be from 1) AD, or 2) password self-service. To do that, you may need to have a customized attribute of MX_PERSON, for instance Z_PASSWORD_SOURCE.
Next, you need to customize the password reset task of the AD repository. In the new task, if the password is from 1) AD, the task needs to skip the password reset operation.
By doing so, I think your requirements can be met.
Best Regards
Jack Xiong