Do you have any clue (from the access log for example), that this userís password

has been successfully changed after 20110606211056Z ?
Or is there any chance that the password was changed while the policy overlay wasnít loaded,
which could occur if it was changed on a misconfigured replica for example.