An old password or permissions still work after you change it in Active Directory for 15 minutes.

Overview

You may notice a 15-minute period during which the user can log on to the Mobile, Mapped Drive, or Web clients by using either the old password or the new password, or access file permissions that have just been removed.

This latency exists by design for Internet Information Services (IIS) for performance reasons. If it's urgent to block a user immediately, the system administrator can clear the cache on the MyWorkDrive server by issuing an "IISreset" command from the server console command line.

This is standard for all Microsoft Windows IIS servers, such as Outlook Web Access. Additional details: https://mskb.pkisolutions.com/kb/152526

You can change the default interval for the token cache:

On each MyWorkDrive server, run the registry editor (regedit.exe). Locate the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters. Within this key, add DWORD value UserTokenTTL with a decimal value of 300 (IIS refreshes the token cache every 300 seconds = 5 minutes).