IIS Log shows MANY 401 logon errors being generated due to password change, but the mobile device still has cached password (needs to update new password on mobile device).
The account isn't locked out; why isn't the account locked if the account is failing to log on (evidenced by the excessive 401 errors in the IIS log)? AD GPO should lock out the account if >10 failed attempts in 30 minutes.
(edited) BTW - we want those accounts to lock out to encourage users (through force) to take responsibility for maintaining their account credentials.
Thanks!
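A way to check whether the 401s in the IIS log would actually cross the stated ">10 in 30 minutes" threshold per account, as an added example that is not part of the original post. It assumes W3C extended logging with `cs-username`, `sc-status` and `sc-substatus` enabled; the sample rows, account names and the `/sync` path are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_w3c(lines):
    """Yield (timestamp, username, status, substatus) from W3C extended log lines."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared in the log itself
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, row["cs-username"], row["sc-status"], row.get("sc-substatus", "")

def lockout_candidates(lines, threshold=10, window=timedelta(minutes=30)):
    """Return {user: peak count} for users with MORE than `threshold`
    failed-logon 401 rows inside any sliding `window`."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, user, status, sub in sorted(parse_w3c(lines)):
        # Rows without a username (and 401.2 rows) are unauthenticated handshake
        # legs, not a failed logon for a named account, so they are not counted.
        if status != "401" or user == "-" or sub not in ("1", ""):
            continue
        key = user.lower()
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:             # drop failures older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {u: n for u, n in peak.items() if n > threshold}

# Constructed sample (not from the post): 12 failures for one account in 12 minutes,
# one anonymous 401.2 row and a single failure for a second account.
SAMPLE = ["#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus"]
SAMPLE += [f"2024-01-15 09:{m:02d}:00 POST /sync CONTOSO\\alice 401 1" for m in range(12)]
SAMPLE += ["2024-01-15 09:05:00 OPTIONS /sync - 401 2",
           "2024-01-15 09:06:00 POST /sync CONTOSO\\bob 401 1"]

if __name__ == "__main__":
    for user, count in lockout_candidates(SAMPLE).items():
        print(f"{user}: {count} failed logons within 30 minutes")
```

A 401 row in IIS is not the same thing as a failed attempt counted by AD, so the output only shows whether the log volume for a named account would exceed the policy threshold.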