Hi - In our 2008R2-level AD, I have a service account that my PowerShell script runs as nightly in order to sync up user attributes & re-organize staff user objects into sub-OUs, per authoritative data from our HR system. There's a "Staff" OU and then various sub-OUs defined for our internal organizational structure. All staff user objects are in the sub-OUs. I've delegated this account appropriate permissions on the Staff OU and can confirm that they are propagating down to the sub-OUs as expected. This works just fine except for 1 of the sub-OUs. In this particular sub-OU, the service account can successfully modify user attributes, but attempts to move any user object in this sub-OU to another sub-OU at the same level fail with "access denied". This is the only sub-OU where this happens. The service account can move user objects between any of the other sub-OUs, and can even move user objects into this sub-OU, but it cannot move any user objects out of that sub-OU.
I've gone through line-by-line on the Advanced Security properties of this sub-OU compared to another at the same level, and they are identical. I've also tried re-delegating the permissions to no avail. I've also run the ADU&C MMC as this service account, and experience the same "access denied" error when I try to move user objects out of this sub-OU manually via drag 'n drop (to eliminate my PS code as the potential problem point). I've also verified that users it is trying to move out of this sub-OU do not have the "protect object from accidental deletion" option checked.
This AD implementation precedes my employment, and there is a lot of legacy stuff in here. I'm not sure what else I could check. Does anyone have any ideas on things I should check?
Thanks in advance.
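A scripted version of the ACL comparison described in the post, added here as an example (it is not the poster's script): it diffs the ACEs of the problem sub-OU against a working one, then lists Deny ACEs on the OU itself and on one of its users, since the accidental-deletion protection on an OU places Deny entries on the OU rather than on the child users' checkbox. It assumes the RSAT ActiveDirectory module, and the two distinguished names are placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive) and placeholder OU distinguished names.
Import-Module ActiveDirectory

$problemOu = 'OU=ProblemSubOU,OU=Staff,DC=example,DC=com'   # placeholder DN
$workingOu = 'OU=WorkingSubOU,OU=Staff,DC=example,DC=com'   # placeholder DN

function Get-OuAceStrings {
    param([string]$DistinguishedName)
    # Flatten each ACE to one string so the two OUs can be diffed with Compare-Object,
    # including the object-type GUIDs and inheritance flags that a visual check can miss.
    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|{5}|Inherited={6}' -f $_.IdentityReference,
            $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType,
            $_.InheritedObjectType, $_.InheritanceType, $_.IsInherited
    } | Sort-Object
}

$diff = Compare-Object (Get-OuAceStrings $problemOu) (Get-OuAceStrings $workingOu)
if (-not $diff) {
    'OU ACLs are identical.'
} else {
    'ACEs present on only one OU (<= problem OU, => working OU):'
    $diff | Format-Table -AutoSize
}

# The protection flag on the OU itself, not on the users inside it.
$ou = Get-ADOrganizationalUnit -Identity $problemOu -Properties ProtectedFromAccidentalDeletion
'Problem OU ProtectedFromAccidentalDeletion: {0}' -f $ou.ProtectedFromAccidentalDeletion

# Explicit Deny ACEs on the OU. Enabling the protection adds Deny for Everyone
# on Delete and DeleteTree here.
'Explicit Deny ACEs on the problem OU:'
(Get-Acl -Path "AD:\$problemOu").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# Deny ACEs, inherited or explicit, as seen on one user in the problem OU.
$user = Get-ADUser -SearchBase $problemOu -Filter * -ResultSetSize 1
if ($user) {
    'Deny ACEs on {0}:' -f $user.DistinguishedName
    (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}
```

Run it as an account that can read the OU security descriptors; the diff output and any Deny rows are the entries to compare against the working sub-OU.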