When running a Policy Server against an Active Directory User Store, a user who
has just changed their password can still log in to the application with the
old password, as well as with the new one, for 5 minutes after the change. For
those 5 minutes the user effectively has two valid passwords.
This is observed with the self-service password change flow, in which the
user receives a temporary password and then sets a new one.
The cause is not the Policy Server itself but the OldPasswordAllowedPeriod
registry value on the domain controllers that back the Active Directory User
Store (1): Windows keeps the old password valid for NTLM network
authentication for a configurable grace period (one hour by default; here it
was 5 minutes).
- Configure OldPasswordAllowedPeriod on the domain controllers to the grace
  period you want (0 minutes removes it) to solve this issue. The value is
  local to each domain controller and is not replicated, so set it on every
  domain controller the user store can bind to, then re-test a login with the
  old password after a password change to confirm it is rejected.
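The following PowerShell is an added example for applying that fix; it is not
part of the original article or of the Policy Server product. It assumes the
registry location documented in the linked Microsoft article
(HKLM\SYSTEM\CurrentControlSet\Control\Lsa, REG_DWORD value in minutes), treats
an absent value as the one-hour default the article describes, and assumes
that 0 disables the grace period. The function names and the 1440-minute
upper bound are choices made here, not Windows conventions. Run it elevated
on each domain controller.

```powershell
# Added example (not from the original article): read and set the
# OldPasswordAllowedPeriod NTLM grace period on a domain controller.
# Registry location is taken from the linked Microsoft article.
# This value is local to the DC and is not replicated: run on EVERY DC.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name = 'OldPasswordAllowedPeriod'

function Get-OldPasswordAllowedPeriod {
    # Returns the configured grace period in minutes. If the value has never
    # been created, Windows uses its built-in default of 60 minutes (per the
    # linked article), so report that rather than "not set".
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 60
    }
    return [int]$item.$Name
}

function Set-OldPasswordAllowedPeriod {
    param(
        # Minutes the old password stays valid after a change.
        # 0 = no grace period (assumption based on the linked article).
        # The 1440 upper bound is a sanity limit chosen here, not a Windows limit.
        [Parameter(Mandatory)]
        [ValidateRange(0, 1440)]
        [int]$Minutes
    )
    # -Force overwrites an existing value; REG_DWORD is the type the article specifies.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Minutes -Force | Out-Null
    # No reboot is required; LSA picks the value up for subsequent NTLM authentications.
}

# Usage: show the effective grace period, remove it, and confirm the change.
"Current grace period on $env:COMPUTERNAME : $(Get-OldPasswordAllowedPeriod) minute(s)"
Set-OldPasswordAllowedPeriod -Minutes 0
"New grace period on $env:COMPUTERNAME     : $(Get-OldPasswordAllowedPeriod) minute(s)"
```

After running this on all domain controllers, repeat the self-service password
change through the Policy Server and attempt a login with the old password; it
should now be rejected immediately instead of being accepted for the grace
period.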
(1)
New setting modifies NTLM network authentication behavior
Domain users can use their old password to access the network for
one hour after the password is changed.
The lifetime period of the old password can be configured by editing
the registry on a domain controller. No restart is required for this
registry change to take effect.
https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/new-setting-modifies-ntlm-network-authentication