End result: users sending mail to QBDGs complain about getting NDRs from disabled users.
To prevent this, you need to change the ldap filter of the QBDG and insert a bit-wise filter (MS KBA 269181) for the userAccountControl attribute, which indicates, amongst other things, whether a user account is enabled or disabled. Here's how you do it.
If you used Custom Search to manually enter the ldap filter when creating the QBDG:
1. Start AD Users & Computers console, locate the group | Properties | click Customize | go to the Advanced tab.
2. insert this in your filter:
(!userAccountControl:1.2.840.113518.104.22.1683:=2)So if your earlier filter looked something like:
The modified filter looks like this:
If you used the GUI to create the filter, you will need to make this change using ADSIEdit.
1. Start ADSIEdit and locate the QBDG | Properties
2. Modify the msExchDynamicDLFilter attribute as shown in the above example.