Users still have access to Outlook Web Access after disabling account or changing password

Remove the “NT AUTHORITY\SELF” from the full permissions

The first thing you can do is remove “NT AUTHORITY\SELF” from the full permissions setting in Exchange 2007/2010. (Untested, but I do not believe Exchange 2003 creates this user on mailboxes; instead it has one labeled “SELF”, which would be the equivalent.)
In the Exchange Management Console, navigate to “Recipient Configuration” and click “Mailbox”. Find the user that needs to be disabled or have the password changed and click on it. On the right-hand side, under the Actions pane, click “Manage Full Access Permissions…” and, in the new window, remove “NT AUTHORITY\SELF”. From what I have tested, this change is immediate as long as the user doesn’t already have a session open. If they do, then you can bet the fifteen-minute rule still applies.

The only problem with this is that, should the employee be re-employed by “ABC Inc.” before the mailbox is removed and you need to reactivate it, you will need to add the “NT AUTHORITY\SELF” user back to the full mailbox rights or they won’t be able to access their mailbox. This can’t be done from the same window you removed it from: the management console looks to your Active Directory to find the user to add, and “NT AUTHORITY\SELF” is not a true user in the sense of AD. Instead you will need to add it using the Exchange Management Shell with the following command:
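The post's own command is not included in this excerpt. As an added example (not the author's code), the sketch below does the removal and the later re-add from the Exchange Management Shell with the standard `Get-MailboxPermission`, `Remove-MailboxPermission` and `Add-MailboxPermission` cmdlets, and verifies the result each time. The function names and the mailbox identity `jdoe` are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007/2010).
# 'jdoe' is a placeholder mailbox identity, not a value from the post.
$Self = 'NT AUTHORITY\SELF'

function Get-SelfFullAccess {
    param([Parameter(Mandatory = $true)][string]$Identity)
    # Explicit allow entries that give SELF FullAccess on the mailbox.
    Get-MailboxPermission -Identity $Identity -User $Self |
        Where-Object { -not $_.Deny -and -not $_.IsInherited -and
                       ($_.AccessRights -match 'FullAccess') }
}

function Revoke-SelfFullAccess {
    param([Parameter(Mandatory = $true)][string]$Identity)
    # Offboarding step: drop the owner's own FullAccess entry if present.
    if (Get-SelfFullAccess -Identity $Identity) {
        Remove-MailboxPermission -Identity $Identity -User $Self `
            -AccessRights FullAccess -Confirm:$false
    }
    # Verify: the lookup must come back empty once the entry is gone.
    if (Get-SelfFullAccess -Identity $Identity) {
        throw "SELF still has FullAccess on $Identity"
    }
}

function Restore-SelfFullAccess {
    param([Parameter(Mandatory = $true)][string]$Identity)
    # Re-hire step: the console cannot resolve SELF, so re-add it here.
    if (-not (Get-SelfFullAccess -Identity $Identity)) {
        Add-MailboxPermission -Identity $Identity -User $Self `
            -AccessRights FullAccess | Out-Null
    }
    # Verify: the owner must hold FullAccess again.
    if (-not (Get-SelfFullAccess -Identity $Identity)) {
        throw "SELF FullAccess was not restored on $Identity"
    }
}

# When the account is disabled or the password is changed:
Revoke-SelfFullAccess -Identity 'jdoe'

# If the mailbox is reactivated before it is removed:
# Restore-SelfFullAccess -Identity 'jdoe'
```

As the post notes, a session the user already has open is not cut off by the removal.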
