When Identity Manager is enabled with AD authentication for login, we observe that during the first 5 minutes after a password change both the old and the new password work.
Symantec Identity Manager version: ANY
The issue is caused by the value of the OldPasswordAllowedPeriod registry parameter on the Active Directory user store (1).
- Configure the OldPasswordAllowedPeriod parameter to resolve this issue.
The OldPasswordAllowedPeriod registry value in Windows Server controls how long a user can continue to use the old password after it has been changed. Set it as follows.
Note: Modifying the registry incorrectly can cause serious system problems. It is recommended to back up the registry before proceeding.
Steps to Configure OldPasswordAllowedPeriod
1. Open Registry Editor: Click Start, click Run, type regedit, and then click OK.
2. Navigate to the key: Locate and click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Create or modify the DWORD:
   - If OldPasswordAllowedPeriod does not exist, right-click Lsa, select New, and then click DWORD (32-bit) Value.
   - Type OldPasswordAllowedPeriod as the name, and press ENTER.
4. Set the time value:
   - Right-click OldPasswordAllowedPeriod, then select Modify.
   - Select Decimal.
   - Enter the desired value in the Value data box. This value represents the lifetime of the old password in minutes.
   - To disable the old password immediately, set the value to 0.
5. Exit and apply:
   - Close the Registry Editor.
   - A reboot is usually not required for this change to take effect.
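The same change, scripted so that it can be applied consistently and audited, is shown below as an added example; it is not part of this article and not Symantec/Broadcom code. It assumes an elevated PowerShell session on the Windows Server that performs the AD authentication for Identity Manager logins, and the parameter names $Minutes and $BackupDir are choices made for this example. It backs up the Lsa key first (as the note above recommends), reports the current value, creates or updates the DWORD, and reads it back to confirm the value landed.

```powershell
# Added example (not from the KB): inspect, back up and set OldPasswordAllowedPeriod.
# Assumptions: run from an elevated PowerShell session on the Windows Server that
# authenticates the Identity Manager logins; $Minutes and $BackupDir are parameter
# names chosen for this example.
param(
    [ValidateRange(0, [int]::MaxValue)]
    [int]$Minutes = 0,                          # 0 = old password stops working immediately
    [string]$BackupDir = "$env:TEMP\lsa-backup"
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name    = 'OldPasswordAllowedPeriod'

# Refuse to run without admin rights: writes under HKLM\SYSTEM need them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 1. Back up the Lsa key before touching it (the article recommends a registry backup).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("Lsa-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
Write-Host "Registry backup written to $backupFile"

# 2. Report the current state so the change is auditable.
$current = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$Name is not set; the Windows default grace period applies."
} else {
    Write-Host "$Name is currently $($current.$Name) minute(s)."
}

# 3. Create the DWORD (32-bit) value if it is missing, otherwise update it in place.
if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Minutes | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $Minutes
}

# 4. Read the value back and fail loudly if it did not land.
$after = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
if ($after -ne $Minutes) { throw "Expected $Minutes but the registry holds $after" }
Write-Host "$Name is now $after minute(s); a reboot is normally not required."
```

Save it as, for example, Set-OldPasswordAllowedPeriod.ps1 and run `.\Set-OldPasswordAllowedPeriod.ps1 -Minutes 0` to disable the old password immediately, or pass a larger value to keep a shorter grace period than the default. To confirm the fix from the Identity Manager side, change a test account's password and verify that a login attempt with the old password is rejected straight away.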