The only way I was able to accomplish this, on a previous implementation, was using a create after resource action. This would execute a script to set the required security parameters involved on AD. I don't have the code or I would share it. Please try the following as relevant resources.
We have a similar requirement: password changes only via IDM.
I'd rather not use after-create or after-update actions with the Exchange Connector (I heard it's buggy), so I wonder if it is possible to set "User cannot change password" with a policy in Active Directory on some OUs.