We recently locked an account in AD for a user that was terminated from a company. Later I find out that he was still sending messages from his Android device. I go on to reset the password to something he does not know plus I modify the email address assocaited with the mailbox (e.g. change email@example.com to firstname.lastname@example.org). Then later we find another message sent from his Android device and it even had the 'from' address stated as the modified email address (email@example.com).
That said, what are the correct steps to ensure any/all smartphones can no longer communicate with an Exchange 2007 server once the user account is locked?