Not so secure critical security patch - Must Read!
KB931832: Exchange accounts used to bounce and NDR email sent to an Exchange account attached to a disabled AD account. This patch causes Exchange accounts to receive email even though their AD account is disabled.

This causes the following problems for our company (15,000 users):

1. Major security concern!! Before a person leaves the company, they can set up a rule to forward email to an external address (say their personal yahoo.com address). When that person leaves the company and their AD account is disabled, the system will continue to forward their email to the external address. This is in violation of many compliance standards, including but definitely not limited to SOX. Think about someone who receives knowledge about the company's financials.

2. Lost productivity. In larger corporations (or any for that matter) it is imperative the sender of an email knows that the recipient cannot receive the message. After this patch, an email sent to a disabled user account of an employee who is no longer with the company will NOT NDR and the sender will think the message was received. Use your imagination for possible problems related to this scenario. It comes down to lost productivity until the sender finally figures out that the recipient is no longer with the company.

In my opinion, the sole purpose of NDR messages is to let the sender know their email message was not able to be read by the recipient. Since no one can log into a disabled account and review the email messages, the message was essentially "not received" because it cannot be read by the recipient. Therefore, an NDR needs to be returned to the sender.

The workaround? None found yet that covers all issues.

We currently automatically disable domain accounts based upon the employee's status in our HR system. We do not have the resources for a manual workaround.

Recommended manual workarounds that don't work:

1. Hide the mailbox from the GAL - doesn't help if the people who often send email to this person have the recipient's name in their local Outlook cache and don't select it out of the GAL.

2. Remove all secondary SMTP addresses and rename the primary to disabled"old smtp address".com - doesn't help with the rule forwarding security issue.

3. Set the mailbox to be over quota (quota=0) - this will send an NDR to the sender, but they will receive a "mailbox over limit" NDR message that doesn't let them know the recipient is no longer with the company and the account is disabled.

I'm hoping to get the word out and hopefully other companies can put pressure on Microsoft to fix this problem. It's also a heads up because we did not find out about this until our Internal Auditors approached us with an audit finding. They had a summer intern who put a rule in place to forward all email to her school email account. She continued to receive email after her internship was over and her account was disabled.
November 2nd, 2007 2:16am
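A defender-side check for the forwarding problem described in the post above, added here as an example that is not part of the original post: it lists disabled AD accounts whose mailbox still forwards or redirects mail to an external domain, through either admin-set forwarding or a user-created inbox rule. It assumes the ActiveDirectory module and the Exchange 2010+/Exchange Online cmdlets Get-Mailbox and Get-InboxRule (Exchange 2007, which the KB concerns, has no Get-InboxRule), and the internal domain list is a constructed sample.

```powershell
# Added example; assumes ActiveDirectory module + Exchange 2010+/Online cmdlets.
Import-Module ActiveDirectory

# Constructed sample: any domain not listed here is treated as external.
$InternalDomains = @('contoso.com', 'corp.contoso.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets may look like "Jane Doe [SMTP:jane@example.com]"; pull out the SMTP part.
    $m = [regex]::Match($Address, '(?i)smtp:([^\]\s]+)')
    $smtp = if ($m.Success) { $m.Groups[1].Value } else { $Address.Trim() }
    if ($smtp -notmatch '@') { return $false }   # DN / display-name targets resolve internally
    $domain = $smtp.Split('@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

$findings = @()

# Every disabled AD account; those without a mailbox are skipped below.
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties mail

foreach ($user in $disabled) {
    $mbx = Get-Mailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }

    # Admin-set external forwarding on the mailbox object itself.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{ User = $user.SamAccountName; Source = 'MailboxForwarding';
                                         Target = [string]$mbx.ForwardingSmtpAddress }
    }

    # Enabled user-created rules that forward, forward-as-attachment, or redirect.
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{ User = $user.SamAccountName; Source = "Rule:$($rule.Name)";
                                                 Target = [string]$t }
            }
        }
    }
}

# One row per disabled account still leaking mail outside the organisation.
$findings | Format-Table -AutoSize
```

Running this as a scheduled job alongside the HR-driven disable step gives the auditors a list instead of a surprise finding.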
