Thanks both.
GertjanA - We do already rename the account in AD when the person leaves (to indicate the leaving date) but that doesn't update Vault. Is that a manual process only then? I'll have a play about with the SQL later, thanks.
AndrewB - Thanks for the license info. As for our policy. It's that every user is enabled for Vault, all email is Vaulted and nothing is deleted from Vault ever. When A user leaves their account is hidden and disabled and moved to an OU which Vaults everything at 0 days. Once they are archived and we are happy with everything (month or two) the AD account is deleted and that's it.