We are running Windows 2008 R2 fully native. What permission do I apply to allow only a group the ability to move users between OU?

Here are the permissions required: Source OU: Write All Properties Delete User Objects Destination OU: Create User Objects Delegate the control on the Source and Destination OUs to the wanted group using the persmissions I gave you. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

You need create the object permission in the destination OU and delete the object permission in the source OU.Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

that works - but that give them the ability to create user account. Is it possible to restrict them from creating accounts?

It is not possible because to achieve your goal you should delegate Create User Objects permission to the group which will allow the creation of user accounts. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.