You may have figured this out on your own, but it does seem that after an AD password change, the Zimbra servers will continue to use the old password for a while...
However, the way we've found to solve the AD lock-out problem from Smartphones, is as the first step of a password change, have the user put the phone into "Airplane Mode." And while in Airplane mode, the password can be changed, although it will complain about not being able to connect. Then once the password has changed and the user is able to logon to Zimbra using the new password from a computer, the phone is taken out of "Airplane Mode."
That solved the problem of AD lockouts every time there was an AD password change.
Have a good day!
Release 7.2.0_GA_2669.SLES11_64_20120410001957 SLES11_64 NETWORK edition.