Do you have any clue (from the access log for example), that this user’s password

has been successfully changed after 20110606211056Z ?
 
Or is there any chance that the password was changed while the policy overlay wasn’t loaded,
which could occur if it was changed on a misconfigured replica for example.