Issue: When users use the LDAP Password only chain for authentication and change their LDAP password, they are still able to log in with their old LDAP password.
Workaround: Disable cached logon on the Domain Controllers. To do so, make the following registry changes:
Open the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\.
Create a DWORD parameter OldPasswordAllowedPeriod and set the parameter’s value to 0.
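
The workaround has to be in place on every Domain Controller, so the following added example (not part of the original note or the product's own tooling) audits the value on each DC and, with `-Apply`, sets it. It assumes the ActiveDirectory PowerShell module, PowerShell remoting to the DCs and sufficient rights to write under HKLM; the `-Apply` switch and the output column names are choices made for this example.

```powershell
# Added example: audit (default) or set (-Apply) OldPasswordAllowedPeriod = 0
# on every domain controller. Assumes the ActiveDirectory module, PowerShell
# remoting to each DC, and rights to write under HKLM on the DCs.
param([switch]$Apply)

Import-Module ActiveDirectory

# Runs on each DC: read the value, optionally write it, then report.
$check = {
    param([bool]$Apply)
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'OldPasswordAllowedPeriod'

    # A missing value comes back as $null, which is not the same as 0.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $before  = if ($null -eq $current) { '(not set)' } else { $current }

    if ($Apply -and $current -ne 0) {
        # -Force replaces an existing value of any type with a DWORD of 0.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $current = (Get-ItemProperty -Path $path -Name $name).$name
    }

    [pscustomobject]@{
        Before    = $before
        After     = if ($null -eq $current) { '(not set)' } else { $current }
        Compliant = ($current -eq 0)
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock $check `
            -ArgumentList $Apply.IsPresent -ErrorAction Stop |
            Select-Object PSComputerName, Before, After, Compliant
    } catch {
        # An unreachable DC is reported as non-compliant rather than skipped.
        [pscustomobject]@{
            PSComputerName = $dc.HostName
            Before         = 'unreachable'
            After          = 'unreachable'
            Compliant      = $false
        }
    }
}

$results | Format-Table -AutoSize
```

Any DC listed with `Compliant` set to `False` after an `-Apply` run still has the setting missing or non-zero and needs the registry change made by hand.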