You can move accounts between OU's using roles, but this method deletes and recreates the account, removing and replacing the SID of the object.
You can use the LDAP ldapmodrdn.exe that comes with admin to move an account to a different OU while retaining the original SID.
The ldapmodrdn.exe included under %ETAHOME%\Bin is special and includes the -s parameter to allow for moving of an object without destroying the account SID. The usage is as follows:
Rename LDAP entries
usage: ldapmodrdn [options] [dn rdn]
dn rdn: If given, rdn will replace the RDN of the entry specified by DN
If not given, the list of modifications is read from stdin or
from the file specified by "-f file" (see man page).
Rename options:
-c continuous operation mode (do not stop on errors)
-f file read operations from 'file'
-r remove old RDN
-s newsup new superior entry
Common options:
-d level set LDAP debugging level to 'level'
-D binddn bind DN
-f file read operations from 'file'
-h host LDAP server
-H URI LDAP Uniform Resource Indentifier(s)
-M enable Manage DSA IT control (-MM to make critical)
-n show what would be done but don't actually update
-p port port on LDAP server
-P version procotol version (default: 3)
-v run in verbose mode (diagnostics to standard output)
-w passwd bind passwd (for simple authentication)
-W prompt for bind passwd
-x Simple authentication
-Z Start TLS request (-ZZ to require successful response)
Here is an example using a batch to run the ldapmodrdn.exe:
set HOST=<Provisioning_Server_Machine>
set PORT=20389
set DOMAIN=<Provisioning_Server_Domain>
set BINDDN="eTGlobalUserName=<AdminUser>,eTGlobalUserContainerName=Global Users,
eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
set PWD=<AdminUser_Password>
set NEWSUPDN="eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=Example,
eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"
set OBJECTDN="eTADSAccountName=<Username>,eTADSOrgUnitName=Standard Users,
eTADSOrgUnitName=Example,eTADSDirectoryName=MyAD,
eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"
set RDN="eTADSAccountName=<Username>"
"%ETAHOME%\Bin\ldapmodrdn.exe" -h %HOST% -p %PORT% -D %BINDDN% -w %PWD%
-s %NEWSUPDN% %OBJECTDN% %RDN%