You can move accounts between OUs using roles, but that method deletes and recreates the account, so the object's original SID is discarded and replaced with a new one.
Component: CA DIRECTORY
Instead, you can use the ldapmodrdn.exe LDAP client installed with the Provisioning Server under %ETAHOME%\Bin to move an account to a different OU while retaining its original SID. This build of ldapmodrdn.exe supports the -s (new superior) parameter, which re-parents the existing entry rather than deleting and recreating it, so the account's SID is preserved. The usage is as follows:
Rename LDAP entries
usage: ldapmodrdn [options] [dn rdn]
dn rdn: If given, rdn will replace the RDN of the entry specified by DN
If not given, the list of modifications is read from stdin or
from the file specified by "-f file" (see man page).
Rename options:
-c continuous operation mode (do not stop on errors)
-f file read operations from 'file'
-r remove old RDN
-s newsup new superior entry
Common options:
-d level set LDAP debugging level to 'level'
-D binddn bind DN
-f file read operations from 'file'
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-M enable Manage DSA IT control (-MM to make critical)
-n show what would be done but don't actually update
-p port port on LDAP server
-P version protocol version (default: 3)
-v run in verbose mode (diagnostics to standard output)
-w passwd bind passwd (for simple authentication)
-W prompt for bind passwd
-x Simple authentication
-Z Start TLS request (-ZZ to require successful response)
Here is an example batch file that runs ldapmodrdn.exe. Each set line must stay on a single line (a DN that wraps onto a second line is truncated by cmd); the final command is split with ^, the cmd line-continuation character:
@echo off
set HOST=<Provisioning_Server_Machine>
set PORT=20389
set DOMAIN=<Provisioning_Server_Domain>
set BINDDN="eTGlobalUserName=<AdminUser>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
set PWD=<AdminUser_Password>
set NEWSUPDN="eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=Example,eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"
set OBJECTDN="eTADSAccountName=<Username>,eTADSOrgUnitName=Standard Users,eTADSOrgUnitName=Example,eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"
set RDN="eTADSAccountName=<Username>"
"%ETAHOME%\Bin\ldapmodrdn.exe" -h %HOST% -p %PORT% -D %BINDDN% -w %PWD% ^
    -s %NEWSUPDN% %OBJECTDN% %RDN%
The last argument (RDN) is the entry's current RDN, so only the parent given by -s changes; -r is not needed because the RDN value itself is unchanged. Note that -w places the administrator password both in the batch file and on the command line, where it is visible in the process list; prefer -W to be prompted for it interactively. Run the command once with -n to check the DNs before making the change, and add -ZZ if the Provisioning Server port requires TLS.
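As an added example (not code from the article or from CA), the following PowerShell script extends the batch above to a list of accounts: it rehearses every call with -n unless -Commit is given, prompts once for the bind password instead of storing it in the script, rejects user names containing DN-special characters, and checks each exit code. The host name provsrv01, the global user etaadmin, the domain, the directory name MyAD, the OU names and the users.txt input file are hypothetical values taken from or modelled on the article's placeholders.

```powershell
# Added example, not from the original article: bulk-move Provisioning Server
# AD account objects into another OU with ldapmodrdn.exe so the AD account
# keeps its SID (the role-based move would delete and recreate it).
# Assumptions (hypothetical, adjust for your environment): host provsrv01,
# port 20389, global user 'etaadmin', directory 'MyAD', the OU names from the
# article's example, and a users.txt holding one eTADSAccountName per line.
param(
    [string]$UserList = 'users.txt',
    [switch]$Commit            # without -Commit every call is a -n rehearsal
)

$ldapmodrdn = Join-Path $env:ETAHOME 'Bin\ldapmodrdn.exe'
$ProvHost   = 'provsrv01'
$Port       = 20389
$Domain     = 'example'
$BindDN     = "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=$Domain,dc=eta"
$DirSuffix  = "eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=$Domain,dc=eta"
$OldOU      = "eTADSOrgUnitName=Standard Users,eTADSOrgUnitName=Example,$DirSuffix"
$NewSupDN   = "eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=Example,$DirSuffix"

if (-not (Test-Path $ldapmodrdn)) { throw "ldapmodrdn.exe not found at $ldapmodrdn" }
if (-not (Test-Path $UserList))   { throw "user list $UserList not found" }

# Prompt once for the bind password rather than hard-coding it. ldapmodrdn
# still receives it as a -w argument (visible in the process list while each
# call runs); -W would avoid that but prompts on every invocation.
$cred   = Get-Credential -UserName 'etaadmin' -Message 'Provisioning Server bind password'
$bindPw = $cred.GetNetworkCredential().Password

$failed = @()
foreach ($line in Get-Content $UserList) {
    $user = $line.Trim()
    if ($user -eq '') { continue }

    # Reject characters that are special in a DN (RFC 4514) so a crafted
    # list entry cannot change which object gets renamed or where it lands.
    if ($user -match '[,+"\\<>;=]') {
        Write-Warning "skipping '$user': contains DN-special characters"
        $failed += $user
        continue
    }

    $rdn      = "eTADSAccountName=$user"
    $objectDN = "$rdn,$OldOU"

    # Same RDN, new superior (-s): the entry is re-parented, not recreated.
    $cmdArgs = @('-h', $ProvHost, '-p', $Port, '-D', $BindDN, '-w', $bindPw,
                 '-s', $NewSupDN, $objectDN, $rdn)
    if (-not $Commit) { $cmdArgs = @('-n') + $cmdArgs }   # show, do not update

    & $ldapmodrdn @cmdArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "move of '$objectDN' failed (exit code $LASTEXITCODE)"
        $failed += $user
    } else {
        $verb = if ($Commit) { 'moved' } else { 'would move' }
        Write-Host "$verb $objectDN -> $NewSupDN"
    }
}

if ($failed.Count -gt 0) {
    Write-Warning ("{0} account(s) not moved: {1}" -f $failed.Count, ($failed -join ', '))
    exit 1
}
```

Run it first without -Commit and review the printed operations; then run with -Commit to perform the moves. Passing the arguments as an array (`@cmdArgs`) keeps the DNs containing spaces intact without any manual quoting, and a non-zero exit from any single ldapmodrdn call is collected rather than silently skipped.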