I'm setting up my OU administrative permissions in Active Directory (Win2k3) and am going to centrally manage Group Policy. I will have administrators in my various offices (55 offices) that will need full A/D permissions in their A/D OUs, but will not have Group Policy functions to create/edit/link GPs. So naturally I went through the delegation wizard at the respective OU, checked all the common tasks, and unchecked "Manage Group Policy Links". This does remove their rights to do Group Policy stuff, but it also removes rights like "move" or "delete" a user or computer object. I tried going into the specific permissions but can't find a combination that allows all permissions except group policy.
I know this can't be a unique request. Has someone out there figured out how to do this? It appears to be something Microsoft hasn't seen fit to post on the web anywhere (or maybe they think "Manage Group Policy Links" works).
Thanks!
I think you need to have WRITE rights on the OU to move computers or users. (not 100% sure.)
That's got nothing to do with the GP rights, which you've granted (or rather, not granted) just fine.
These are the 3 steps necessary to grant an administrator full rights to an A/D OU but remove any Group Policy link/edit capabilities:
Right-click on top level OU, select Properties
Security Tab – Advanced button
1) Add Group
   Object tab
   Apply to: Child Objects only
   Permissions: Full Control
2) Add Group
   Properties tab
   Apply to: This Object and all Child Objects
   Permissions: Deny – Write gPlink & Read gPlink
3) Add Group
   Object tab
   Apply to: This Object only
   Permissions: Full Control – uncheck Read & Modify
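As an added example (not the author's own script), the same three ACEs applied with the ActiveDirectory PowerShell module from a host with RSAT, then read back to confirm the gPLink deny is in place. The OU and group names are assumptions, and step 3 is translated into explicit child-management rights rather than Full Control with Read and Modify unchecked.

```powershell
# Added example, not from the original post. Assumed names: the OU
# OU=Branch01,DC=corp,DC=example and the delegated group Branch01-Admins.
Import-Module ActiveDirectory

$ouDN  = 'OU=Branch01,DC=corp,DC=example'   # assumption
$group = Get-ADGroup 'Branch01-Admins'       # assumption
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the schemaIDGUID of gPLink from the schema instead of hardcoding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$gpLinkAttr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'gPLink'" -Properties schemaIDGUID
$gpLinkGuid = [guid]$gpLinkAttr.schemaIDGUID

function New-AdAce($rights, $type, $inherit, $objectType) {
    $r = [System.DirectoryServices.ActiveDirectoryRights]$rights
    $t = [System.Security.AccessControl.AccessControlType]$type
    $i = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inherit
    if ($objectType) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $t, [guid]$objectType, $i)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $t, $i)
    }
}

$acl = Get-Acl -Path "AD:\$ouDN"

# Step 1: Full Control on child objects only ("Descendents" = every object below the OU).
$acl.AddAccessRule((New-AdAce 'GenericAll' 'Allow' 'Descendents'))

# Step 2: Deny Read/Write of gPLink on this object and all child objects.
# A Deny ACE takes precedence over the Allow from step 1, so the group cannot link or unlink GPOs.
$acl.AddAccessRule((New-AdAce 'ReadProperty, WriteProperty' 'Deny' 'All' $gpLinkGuid))

# Step 3: rights on the OU object itself. The author grants Full Control with Read and
# Modify unchecked; this script (my translation, an assumption) grants the explicit
# child-management rights instead, so the group never holds WriteProperty on the OU.
$acl.AddAccessRule((New-AdAce 'CreateChild, DeleteChild, ListChildren, Delete, DeleteTree' 'Allow' 'None'))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read the ACL back and report whether a Deny ACE on gPLink exists for the group.
function Test-GpLinkDenied($dn, $groupSid, $attrGuid) {
    $aces = (Get-Acl -Path "AD:\$dn").Access
    [bool]($aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $attrGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    })
}
Test-GpLinkDenied $ouDN $sid $gpLinkGuid
```

Run it as an account that can modify the OU's DACL; the final call is the check to keep in an audit script so a later change to the OU ACL that drops the deny is noticed.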
I guess I misunderstood the question.
Thanks for (your own) followup. :-)