The antidote was developed by the guy who beat me to it -- a batch script which generated eleven random strings, changed the password to each one in turn, then changed the password back to what it had been.
It would have taken a much sharper IT person than any at that company to see that users had changed passwords multiple times in less than one minute.
You wouldn't have been able to pull that off where I work. This is the tools Microsoft gives admins:
It would take 11 days to cycle through 11 passwords.