I am looking for any constructive input on a subject that is giving me grief.

First a little history (I am sure many are aware of this):

Prior to Daylight Saving Time if an account in AD was disabled and had a mailbox associated with it, the e-mail account was basically useless. If you tried to email it, you would receive an NDR (Non-Deliverable Report / Bounce Back Message) stating this email account wasn't functional. And the mailbox would not receive the email. Also, if a user had Out of Office (OOF) enabled, when his / her account was disabled, OOF would stop working because the mail would never reach the mailbox.

Post Daylight Saving Time, when an e-mail is sent to a client that has been disabled, the mailbox will receive the mail (no NDR will be sent). Also, if OOF is turned on, the mailbox will send that OOF message back to the sender. The sender would not know anything about the status of this client; it would be just as if the client was enabled. The ability for a user to access a disabled mailbox has not been altered; it is still denied.

We have contacted Microsoft about this, and in summary this is what we were told: prior functionality was considered to be a "Bug" (to our knowledge it has always been this way).

Now my issue: we are a med/large BES environment with about 950 Blackberry users. We have approximately 14,000 user accounts. Our current process for clients retiring/quitting/being fired is for our Security team to disable the user account in AD. After a period of 30 days of the account being disabled we will delete the mailbox; this is in place in case of mistakes, clients coming back, etc. Clients are responsible for procuring their own devices and then expensing the costs.

Our issue is a client leaves and their user account is disabled; great, they can no longer access the environment, or so it was thought ... email will continue to flow to their mailbox and then to their Blackberry. To my knowledge (and I have contacted RIM) there is no process or means through the BES to detect whether a client has been disabled or not.

We are looking at what needs to take place to better our process for this; I am just looking for ideas or information on what other BES admins are doing in this case. We need a programmatic way to determine if the client is currently associated with the BES and disabled. By default I know of no attribute in AD for BES users (we may have to add this and then query off of that). Does anyone know of any third party apps that do this? I don't see anything in the resource kit either. Any input would be appreciated. Thank you in advance and I apologize for the long read.
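
One way to get the programmatic check asked for above, as an added example that is not part of the original post: cross-reference a directory export against a list of BES users and report accounts that are disabled in AD but still on the BES. The two CSV layouts (column names `sAMAccountName`, `mail`, `userAccountControl`, `homeMDB` for the AD export, `Email` for the BES list) and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks an AD account disabled

# Constructed sample exports; the column layouts are assumptions, not a BES format.
AD_EXPORT = '''DN,sAMAccountName,mail,userAccountControl,homeMDB
"CN=Ann Lee,OU=Staff,DC=example,DC=com",alee,ann.lee@example.com,512,"CN=MBX1,DC=example,DC=com"
"CN=Bob Ruiz,OU=Staff,DC=example,DC=com",bruiz,bob.ruiz@example.com,514,"CN=MBX1,DC=example,DC=com"
"CN=Cara Ng,OU=Staff,DC=example,DC=com",cng,cara.ng@example.com,66050,"CN=MBX2,DC=example,DC=com"
"CN=Dan Kim,OU=Staff,DC=example,DC=com",dkim,dan.kim@example.com,514,"CN=MBX2,DC=example,DC=com"
"CN=Eve Roy,OU=Staff,DC=example,DC=com",eroy,eve.roy@example.com,514,
"CN=Printers,OU=Groups,DC=example,DC=com",printers,,,
'''
BES_EXPORT = '''DisplayName,Email
Ann Lee,ann.lee@example.com
Bob Ruiz,Bob.Ruiz@example.com
Cara Ng,cara.ng@example.com
Eve Roy,eve.roy@example.com
'''


def disabled_bes_users(ad_csv, bes_csv):
    """Return disabled AD accounts whose address is still on the BES user list."""
    bes_mail = {(r.get("Email") or "").strip().lower()
                for r in csv.DictReader(io.StringIO(bes_csv))}
    bes_mail.discard("")
    hits = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        try:
            uac = int(row.get("userAccountControl") or "")
        except ValueError:
            continue  # groups, contacts and other rows with no flag value
        mail = (row.get("mail") or "").strip().lower()
        # Test the bit, not the whole value: 514 and 66050 are both disabled.
        if uac & ACCOUNTDISABLE and mail in bes_mail:
            hits.append({
                "account": row["sAMAccountName"],
                "mail": mail,
                # An empty homeMDB means no mailbox store is assigned any more.
                "has_mailbox": bool((row.get("homeMDB") or "").strip()),
            })
    return sorted(hits, key=lambda h: h["account"])


if __name__ == "__main__":
    for hit in disabled_bes_users(AD_EXPORT, BES_EXPORT):
        print(hit)
```

Run on a schedule, the resulting list gives the security team the accounts to remove from the BES at the same time the AD account is disabled, rather than waiting for the 30-day mailbox deletion.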