I had a user last night who's AD account was locked out at 6:30 PM EST.  However even though his account was locked out, email was still working without a problem on his activesync connected iPhone device.  When an account is locked, shouldn't all access be terminated until it is unlocked by an admin?

How long would he have been able to read and send emails with a locked AD account using his iPhone device?  He was still able to email me about this at 6:37 AM EST today, so over 12 hours with the account locked, his email was still working.

Note, OWA access was denied, but ActiveSync worked fine.

We've noticed this before when people change passwords, the email still works with the old password for awhile on the IOS device and eventually it prompts them about invalid credentials and they enter the new password to restore connectivity.  So how long is this hash or ticket cached?

Hi,

ActiveSync can support cache of 24hours

You can disable ActiveSync functionality through the following way

1. Get info about the user

Get-CASMailbox <user> | Select ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

Get-ActiveSyncDeviceStatistics Mailbox <user> | fl DeviceID

Set-CASMailbox -Identity <user> -ActiveSyncBlockedDeviceIDs "<DeviceID_1>,<DeviceID_2>"