Reject Email For Disabled AD Users on Exchange

If you disable an AD user, their mailbox still receives email on the Exchange server. To notify the sender, we usually create a mail flow rule in ECP like this:

I found no setting in Exchange that prevents disabled AD users from receiving email. On the other hand, rooms and shared mailboxes (and some other kinds of users) are also disabled AD users, but that is intended. It happened that I mistakenly deleted some of those in the past 😉

A solution would be to create a distribution group, populate it with the disabled AD users and create a rule that rejects email sent to its members.

I wanted to use a group that already contained all disabled users, but I couldn’t see all of its members because Exchange ignores the user's primary group. Here is a good explanation which confirmed my suspicions.

I created a group named “DisabledUsers” and this script, which runs daily to populate its members:

# Collect the disabled AD users, excluding the recipient display types that are
# disabled by design (rooms, shared mailboxes, ...), and add them to the group.
Get-ADUser -Filter {(Enabled -eq $False) -and
    (msExchRecipientDisplayType -ne '0') -and
    (msExchRecipientDisplayType -ne '1') -and
    (msExchRecipientDisplayType -ne '6') -and
    (msExchRecipientDisplayType -ne '7') -and
    (msExchRecipientDisplayType -ne '10') -and
    (msExchRecipientDisplayType -ne '8')
} | ForEach-Object { Add-ADGroupMember -Identity 'DisabledUsers' -Members $_.SamAccountName }

The values for msExchRecipientDisplayType can be found here.

While testing I added the value 10, which is some kind of system user and not on the list, but I didn’t dig deeper. With those filters I get all the users I need and add them to the group.
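The daily population script above only ever adds members, so Add-ADGroupMember complains about users that are already in the group, and a user who gets re-enabled stays in the group and keeps being rejected. Here is an added example (not the post's own script) that reconciles the group instead: it computes the desired set with the same filter, adds only new members and removes users that are no longer disabled. It assumes the RSAT ActiveDirectory module, the group name from the post and the same msExchRecipientDisplayType exclusions.

```powershell
# Added example, not the post's own script: reconcile the "DisabledUsers" group
# instead of blindly adding to it. Assumes the RSAT ActiveDirectory module, the
# group name from the post and the same msExchRecipientDisplayType exclusions.
Import-Module ActiveDirectory

function Sync-DisabledUsersGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupName = 'DisabledUsers',
        # Display types the post excludes: accounts that are disabled by design
        # (rooms, shared mailboxes, ...) and must keep receiving mail.
        [string[]]$ExcludedDisplayTypes = @('0', '1', '6', '7', '8', '10')
    )

    # Same filter as the post's one-liner, built from the array above.
    $filter = "Enabled -eq 'False'"
    foreach ($t in $ExcludedDisplayTypes) {
        $filter += " -and msExchRecipientDisplayType -ne '$t'"
    }
    $desired = @(Get-ADUser -Filter $filter | ForEach-Object { $_.DistinguishedName })

    # Read the Member attribute directly: Get-ADGroupMember stops at 5000
    # members by default, which would silently truncate the "current" set.
    $current = @((Get-ADGroup -Identity $GroupName -Properties Member).Member |
        Where-Object { $_ })

    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    # Only newly disabled users are added, so a daily run does not trip over
    # existing members; re-enabled users are removed so the reject rule stops
    # blocking them.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first (-WhatIf), then the real thing from the daily scheduled task.
Sync-DisabledUsersGroup -WhatIf
Sync-DisabledUsersGroup -Verbose
```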

Here is the new rule:

It is also a good idea to disable NDR diagnostic information, as it can reveal a bit too much about your setup, which is a potential security risk.

# Check the current NDR settings of every remote domain, then turn the
# diagnostic information off for the default one.
Get-RemoteDomain | Format-List Name, NDREnabled, NDRDiagnosticInfoEnabled
Set-RemoteDomain Default -NDRDiagnosticInfoEnabled $false