Well, someone forwarded me this solution from the Educause mailing list, and I have not tested it. It basically does not lock a user's account out if they are using an old valid password, only if they are using an incorrect password. It will still reject them, just not increment the bad password count that leads to a lockout.
"If you're using AD as your authentication source, look at implementing 'Password history check (N-2)'.
With Password history check (N-2), as long as the password being used is one of the last two in the history file, the bad password count is not incremented... thus, no account lockout when using an old, but valid password. That is, while the user can't authenticate using the old password (it still fails as an incorrect password), account lockout doesn't occur. It works around the problem where a user changes their password on, say, their desktop, and then their mobile device instantly locks their account as it attempts to auth on WPA."
A TechNet thread on it is here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/4b9f3fdd-f6e0-4a55-af99-ec065fe1b785/password-history-check-n2?forum=winserverGP
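The behaviour described in the quoted message, as a simplified model added here (it is not code from the post or from Active Directory): a stale device keeps retrying the old password after a change, with and without the history check. The `Account` class, the lockout threshold of 3, the sample passwords and the SHA-256 stand-in hash are all assumptions made for the illustration.

```python
import hashlib

def _h(pw: str) -> str:
    # Stand-in hash for this model only; not how AD stores credentials.
    return hashlib.sha256(pw.encode()).hexdigest()

class Account:
    """Toy account with a bad-password counter and a password history."""

    def __init__(self, password, lockout_threshold=3, history_check=True):
        self.current = _h(password)
        self.history = []              # most recent previous password first
        self.bad_pwd_count = 0
        self.lockout_threshold = lockout_threshold   # assumed value
        self.history_check = history_check
        self.locked = False

    def change_password(self, new_password):
        self.history.insert(0, self.current)
        self.current = _h(new_password)

    def authenticate(self, password):
        if self.locked:
            return False
        candidate = _h(password)
        if candidate == self.current:
            self.bad_pwd_count = 0
            return True
        # N-2 check: one of the last two previous passwords still fails,
        # but the bad password count is left alone.
        if self.history_check and candidate in self.history[:2]:
            return False
        self.bad_pwd_count += 1
        if self.bad_pwd_count >= self.lockout_threshold:
            self.locked = True
        return False

def simulate_stale_device(history_check, retries=10):
    """Change the password, then replay the old one like a cached Wi-Fi profile."""
    acct = Account("Old-Passw0rd", history_check=history_check)  # constructed sample
    acct.change_password("New-Passw0rd")
    results = [acct.authenticate("Old-Passw0rd") for _ in range(retries)]
    return acct, results

if __name__ == "__main__":
    for enabled in (False, True):
        acct, _ = simulate_stale_device(enabled)
        print(f"history_check={enabled}: locked={acct.locked}, "
              f"bad_pwd_count={acct.bad_pwd_count}")
```

In the model, a password that was never valid, or one older than the last two, still increments the counter, so the lockout protection against guessing is unchanged.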