ActiveSync on phone continues to work after disabling user account or password reset

When an employee is terminated, many companies simply disable the AD account and assume the user will no longer be able to access any network resources, including Exchange through any of its access methods, because the account has been disabled or its password reset. Unfortunately, that is NOT correct.

For many hours after the user account has been disabled, the user may be able to continue accessing Exchange and to send and receive messages. This happens for a number of reasons and can become a huge issue, especially when dealing with terminated employees who may or may not be leaving of their own free will.

When an EAS device is set to synchronize items as they arrive (Direct Push), any changes made to the user’s account in Active Directory can take 8 to 24 hours before the device recognizes them. This is a result of IIS and Exchange caching data and keeping connections active. The main IIS feature involved is user token caching. The default cache time is 15 minutes, so if a connection is made within 15 minutes of the last one, the cached token is reused instead of checking with AD.

The best way to deal with the issue is to reset IIS. This can be accomplished on the Exchange servers by opening a command prompt and typing iisreset. This restarts the IIS services, forcing all devices to re-authenticate to Active Directory.
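The off-boarding steps above, scripted as an added example (not code from the original post): the account is disabled and its password reset, then IIS is reset on every Exchange client access server so cached tokens are dropped. It assumes the ActiveDirectory module and the Exchange Management Shell are loaded and that the caller may run iisreset against the servers; the UserTokenTTL registry value read at the end is the IIS setting this author understands to hold the token cache lifetime, and is an assumption not stated on the page.

```powershell
param(
    [Parameter(Mandatory)] [string] $SamAccountName
)

# 1. Disable the AD account and reset the password so the old credential is dead.
Disable-ADAccount -Identity $SamAccountName
$newPassword = ConvertTo-SecureString -AsPlainText ([guid]::NewGuid().ToString()) -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

# 2. Find the Exchange servers that host the EAS virtual directory in IIS.
$servers = Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer } |
    Select-Object -ExpandProperty Name

# 3. Reset IIS on each server; this throws away cached user tokens (default lifetime
#    15 minutes), so every Direct Push device must re-authenticate against AD.
foreach ($server in $servers) {
    Write-Host "Resetting IIS on $server"
    iisreset $server
}

# 4. Report the token cache lifetime on each server. UserTokenTTL is assumed to live
#    under HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters (seconds);
#    if the value is absent, IIS uses its 15-minute default.
foreach ($server in $servers) {
    $ttl = Invoke-Command -ComputerName $server -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters' `
            -Name UserTokenTTL -ErrorAction SilentlyContinue).UserTokenTTL
    }
    if ($null -eq $ttl) { $ttl = 900 }   # default: 15 minutes
    Write-Host ("{0}: IIS user token TTL = {1} seconds" -f $server, $ttl)
}
```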