Do you have any clue (from the access log for example), that this user’s password
has been successfully changed after 20110606211056Z ? Or is there any chance that the password was changed while the policy overlay wasn’t loaded, which could occur if it was changed on a misconfigured replica for example.
