on 11-Mar-2015 13:43
Problem this snippet solves:
This iApp queries Active Directory for any locked-out or disabled accounts, as well as accounts whose passwords have changed in the last n minutes, and then deletes any APM sessions those users may have. It was created for a large hospital in the Texas Medical Center that needed to terminate external access when MS FIM disabled or locked out an account. They also wanted to cover the case where a device is lost or stolen and the user's password is changed to prevent unauthorized access.
The LDAP query only looks for accounts whose userAccountControl value (see http://support.microsoft.com/kb/305144) is exactly 514. If your accounts carry other flags (such as password never expires), you'll need to update this value.
Code :
45221
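As an added example (Python, not the iApp's own Tcl), the following builds the AD filter the snippet describes, converts the FILETIME attributes AD returns, and decides locally which users' APM sessions to delete; it goes beyond the exact-514 match with AD's bitwise matching rule so disabled accounts with extra flags are caught, and it handles the stale-lockoutTime case. The sample entries, the `NOW` timestamp and the 10-minute/30-minute policy values are constructed.

```python
# Added example (Python, not the iApp's Tcl): the AD query the snippet describes
# and the local decision of which users' APM sessions should be deleted.
from datetime import datetime, timedelta, timezone
ACCOUNTDISABLE = 0x0002                      # userAccountControl "account disabled" bit
DISABLED_NORMAL_ACCOUNT = 0x0200 | ACCOUNTDISABLE   # == 514, the exact value the iApp matches
BIT_AND_RULE = "1.2.840.113556.1.4.803"      # AD's LDAP_MATCHING_RULE_BIT_AND
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base for pwdLastSet/lockoutTime

def to_filetime(dt):
    """datetime -> Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def build_filter(now, minutes, any_disabled=False):
    """LDAP filter for disabled, locked-out, or recently password-changed users.
    any_disabled=True swaps the exact 514 match for a bitwise test, so disabled
    accounts carrying extra flags (e.g. password-never-expires, 66050) also match."""
    since = to_filetime(now - timedelta(minutes=minutes))
    disabled = (f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})" if any_disabled
                else f"(userAccountControl={DISABLED_NORMAL_ACCOUNT})")
    # a locked-out account has a non-zero lockoutTime; pwdLastSet is a FILETIME
    return f"(&(objectCategory=person)(objectClass=user)(|{disabled}(lockoutTime>=1)(pwdLastSet>={since})))"

def users_to_terminate(entries, now, minutes, lockout_duration=None):
    """sAMAccountNames whose APM sessions should go (entries: dicts of AD attributes).
    AD never clears lockoutTime when a lockout expires, so when the policy's
    lockout_duration is given, a lockoutTime older than that is not treated as locked."""
    since = to_filetime(now - timedelta(minutes=minutes))
    cutoff = to_filetime(now - lockout_duration) if lockout_duration else 0
    hit = set()
    for e in entries:
        if (int(e.get("userAccountControl", 0)) & ACCOUNTDISABLE
                or int(e.get("lockoutTime", 0)) > cutoff
                or int(e.get("pwdLastSet", 0)) >= since):
            hit.add(e["sAMAccountName"])
    return sorted(hit)

# Constructed sample: the post's timestamp as "now" and six fake directory entries.
NOW = datetime(2015, 3, 11, 13, 43, tzinfo=timezone.utc)
def _ago(**kw): return to_filetime(NOW - timedelta(**kw))
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512,   "lockoutTime": 0,               "pwdLastSet": _ago(minutes=5)},
    {"sAMAccountName": "bob",   "userAccountControl": 514,   "lockoutTime": 0,               "pwdLastSet": _ago(days=90)},
    {"sAMAccountName": "carol", "userAccountControl": 512,   "lockoutTime": _ago(hours=2),   "pwdLastSet": _ago(days=90)},
    {"sAMAccountName": "dave",  "userAccountControl": 512,   "lockoutTime": _ago(minutes=5), "pwdLastSet": _ago(days=90)},
    {"sAMAccountName": "erin",  "userAccountControl": 66050, "lockoutTime": 0,               "pwdLastSet": _ago(days=90)},
    {"sAMAccountName": "frank", "userAccountControl": 512,   "lockoutTime": 0,               "pwdLastSet": _ago(days=1)},
]

def demo(lockout_duration=timedelta(minutes=30)):
    """Users to act on with a 10-minute password window and a 30-minute lockout policy."""
    return users_to_terminate(SAMPLE, NOW, 10, lockout_duration)
```

With the 30-minute lockout policy, carol's two-hour-old lockoutTime is treated as expired; pass `lockout_duration=None` when lockouts never auto-expire and she is included too.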