While testing Windows AD account passwords, an account password is reset via TPAM (using the reset password button in the account details) to make sure TPAM has the current password. Running a Check password gives back a successful check notification.
The AD administrator then resets the accounts password from via native AD tools. The password in AD is now different to the one known by TPAM and expect the Password mismatch message.
However if a check password is run from the account details, the user will still recieve a successful check for at least 15-20 minutes. After that it will state the passwords don't match.
Is this expected behaviour to see the passwords still match for a significant amount of time?
Microsoft Windows Server 2003 Service Pack 1 (SP1) modifies NTLM network authentication behavior. After you install Windows Server 2003 SP1, domain users can use their old password to access the network for one hour after the password is changed. Existing components that are designed to use Kerberos for authentication are not affected by this change.
More information can be found in the below link: