We had an indecent where a staff member left the organization and their AD account was disabled .
We find out more than 8 days later that he was still able to check his email and reply to emails, it appears to have been through Outlook (his company laptop -domain joined- is still in his possession).
We have looked into all other avenues but haven't found any answers that would explain this behavior. the lastlogin value on his AD object is set to before he left. All DCs have been checked.
We've ruled out send-as permissions through other accounts as well.
So here is the most logical theory we can come up with:
If he had Outlook open on the laptop from before the time his account got disabled, and he set his computer to never sleep, he would have maintained a connection to exchange for days,and for some reason, NTLM authentication didn't "refresh".
We are on Exchange 2007 SP3, Outlook Anywhere w/NTLM is configured for everyone.
Can someone explain this?