Channel: Exchange Server Development forum

Suggestions for improvement of ActiveSync Protocol


This came up in conversation the other day with one of our clients, and in thinking through things, I started to visualize what in my opinion would make a huge improvement in ActiveSync. Unfortunately, it would have to be a change made at the protocol level, which obviously means it would not necessarily be something that could easily be made backwards compatible.

1.) The problem... When working with third-party implementations of ActiveSync (iOS, Android, etc.), and even older Windows Mobile devices, they don't necessarily implement logic to handle when a user changes their password.

For example, we have a policy that requires users to change their password every 90 days. If the user doesn't remember to go in and update the password in ActiveSync on their mobile phone, then their account actually ends up getting locked out, because the phone continues trying to authenticate using the old credentials and tries enough times to lock the account out.

Another example of where this causes issues: I have an employee who has their email on their phone via ActiveSync, and they quit or get fired. The knee-jerk reaction from one of my administrators was to either a.) disable their AD account, or b.) change their password. The problem here is that I've suddenly removed my ability to issue a remote device wipe to their mobile phone, because the password on their phone no longer matches their AD password, so the phone cannot authenticate.

So in thinking this through, here is what in my mind, at least, is a potential solution. This is based on the fact that currently, if you look at the mobile devices for a user, Exchange is already keeping track of each mobile device a user has, including a unique identifier for that device. So basically, take that one step further. When setting up ActiveSync on a new device, the user would have to set it up exactly the same way they do now: they would enter their domain credentials. The phone would then make its initial connection to Exchange, and at that point the mobile device and the Exchange server would negotiate a "device-specific" password that would *only* work from that unique mobile device. Then *this* is what is actually saved on the mobile device as its credential to authenticate to Exchange, rather than the user's Active Directory password.

Thus, when a user's Active Directory password changes, it doesn't affect the mobile partnership *at all*. The mobile device simply continues using the previously agreed-upon token. This would also add a layer of security, in that the user's Active Directory credentials would *never* actually be stored on the mobile device in any format.

I'm certain there are probably all kinds of good reasons why this just won't work, or cannot be implemented, but I just wanted to throw this out there for thought and see what others think.
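To make the proposal concrete, here is an added example (not code from the original post or from Exchange) that models the server side of such a scheme: domain credentials are checked once at enrollment, a random per-device token is issued and stored only as a salted hash, and the token is bound to the device identifier, so an AD password rotation does not break the partnership while an administrator can still revoke or wipe a single device. The store, the user names and the device identifiers are constructed for this example; a real implementation would replace the dictionary stand-ins with Exchange's mailbox and device partnership records.

```python
import hashlib
import hmac
import secrets


class DeviceCredentialStore:
    """Hypothetical server-side store of per-device ActiveSync credentials."""

    def __init__(self):
        self.ad_passwords = {}   # user -> AD password hash (stand-in for Active Directory)
        self.partnerships = {}   # (user, device_id) -> {"salt", "hash", "active"}

    def set_ad_password(self, user, password):
        self.ad_passwords[user] = hashlib.sha256(password.encode()).hexdigest()

    def check_ad_password(self, user, password):
        stored = self.ad_passwords.get(user)
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, candidate)

    @staticmethod
    def _hash_token(salt, token):
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)

    def enroll_device(self, user, password, device_id):
        # Initial connection: domain credentials are verified once, then a
        # device-specific token is issued. The AD password is never stored on the device.
        if not self.check_ad_password(user, password):
            raise PermissionError("enrollment requires valid domain credentials")
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.partnerships[(user, device_id)] = {
            "salt": salt, "hash": self._hash_token(salt, token), "active": True}
        return token  # the only secret the device keeps

    def authenticate_device(self, user, device_id, token):
        # Validity depends only on the partnership record, not on the current AD password.
        rec = self.partnerships.get((user, device_id))
        if rec is None or not rec["active"]:
            return False
        return hmac.compare_digest(rec["hash"], self._hash_token(rec["salt"], token))

    def revoke_device(self, user, device_id):
        # Offboarding: revoke one device without touching the AD password or other devices.
        rec = self.partnerships.get((user, device_id))
        if rec is not None:
            rec["active"] = False


def demo():
    store = DeviceCredentialStore()
    store.set_ad_password("alice", "Winter2013!")
    token = store.enroll_device("alice", "Winter2013!", "Appl1234")  # constructed device id
    other_device_ok = store.authenticate_device("alice", "Andr5678", token)  # token is device-bound
    store.set_ad_password("alice", "Spring2014!")  # 90-day rotation
    after_rotation_ok = store.authenticate_device("alice", "Appl1234", token)
    store.revoke_device("alice", "Appl1234")
    after_revoke_ok = store.authenticate_device("alice", "Appl1234", token)
    return after_rotation_ok, other_device_ok, after_revoke_ok
```

Whether a disabled AD account should also suspend its device tokens is a policy decision; keeping the partnership active long enough to deliver a wipe command is exactly the gap the post describes.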

