AD Import matches existing users first by their GUID-s (actually ‘objectGuid’ attribute values) and then by their names. The only prerequisite for it to behave correctly is that the (Kentico) user GUID matches the domain object GUID.
So if the user was initially imported from AD Import, it should be matched. On the other side, if the user was created manually, it won’t be found by AD Import as existing object. This could lead to “recreation” of the user.
I tried to change sAMAccountName attribute and the user was modified successfully. Which attributes have changed in AD? How was the user created (AD Import, manually, windows/mixed-mode authentication)?