The Right Way: Shared Mailbox on AD setup

Shared mailbox is mapped to a disabled AD account? 


IF YOU DON'T KNOW WHAT I'M BABBLING ABOUT

Shared mailbox: a mailbox that is used by multiple users in an organization. For instance, an accounting inbox that receives all external email meant for the accounting department.

In case you are wondering why it needs to be mapped to an AD account: this is how you assign ownership to a resource so that you can manage it.

The account that you map it to is what communicates with other objects in your domain, such as other user accounts that want to access the mailbox.

But why are the mapped AD accounts for these shared mailboxes disabled?
(This might be your initial reaction too if you're as new to this as I am!)


THE RIGHT WAY:

Disabling the Active Directory (AD) accounts that hold the shared mailboxes is the right way. It doesn't stop the email from working; the account is merely the container that represents the mailbox in your AD.

There is no need for direct logon to these shared mailboxes, so keeping their accounts disabled is a great security practice.

It's like having a food truck: you can allow customers to get food via the window, but the truck itself is locked. Similarly, you can allow users access to the mailbox via permissions only.


-Patrick
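
To check an existing environment against this practice, the audit below is an added example, not part of the original post. It assumes an on-premises Exchange Management Shell session with the ActiveDirectory module loaded and a single AD domain; the CSV file name is a placeholder.

```powershell
# Added example: report shared mailboxes whose mapped AD account is still
# enabled, plus who reaches each mailbox through explicit permissions.
# Assumes Exchange Management Shell + ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # The AD account the shared mailbox is mapped to.
    $adUser = Get-ADUser -Identity $mbx.DistinguishedName -Properties LastLogonDate

    # Explicit (non-inherited) FullAccess grants: the "window" of the food truck.
    $delegates = Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        ForEach-Object { $_.User.ToString() }

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        AdAccount      = $adUser.SamAccountName
        AccountEnabled = $adUser.Enabled
        LastLogonDate  = $adUser.LastLogonDate
        FullAccess     = $delegates -join '; '
    }
}

# Mapped accounts that still allow direct logon: these need review.
$report | Where-Object AccountEnabled | Format-Table -AutoSize

# Keep the full result, including correctly disabled accounts.
$report | Export-Csv -Path .\shared-mailbox-audit.csv -NoTypeInformation
```

An enabled account with a recent LastLogonDate is worth investigating before you disable it with Disable-ADAccount, since something may still be signing in to it directly.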
