Here's the dump of the ACL for one of the OUs I'm looking at. I have changed the usernames to protect the innocent, but the group in question is called "Password Managers":

Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT
Allow MYDOMAIN\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
    DELETE
    READ PERMISSONS
    WRITE PERMISSIONS
    CHANGE OWNERSHIP
    CREATE CHILD
    LIST CONTENTS
    WRITE SELF
    WRITE PROPERTY
    READ PROPERTY
    LIST OBJECT
    CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
    LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
    LIST CONTENTS
Allow BUILTIN\Account Operators SPECIAL ACCESS for group
    CREATE CHILD
    DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for user
    CREATE CHILD
    DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for computer
    CREATE CHILD
    DELETE CHILD
Allow BUILTIN\Print Operators SPECIAL ACCESS for printQueue
    CREATE CHILD
    DELETE CHILD
Allow MYDOMAIN\USER2 SPECIAL ACCESS for msExchHideFromAddressLists
    WRITE PROPERTY
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for msExchHideFromAddressLists
    WRITE PROPERTY
Allow MYDOMAIN\USER1 SPECIAL ACCESS for msExchHideFromAddressLists
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
    WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS for gPOptions <Inherited from parent>
    WRITE PROPERTY
    READ PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS for gPLink <Inherited from parent>
    WRITE PROPERTY
    READ PROPERTY

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
    DELETE
    READ PERMISSONS
    WRITE PERMISSIONS
    CHANGE OWNERSHIP
    CREATE CHILD
    LIST CONTENTS
    WRITE SELF
    WRITE PROPERTY
    READ PROPERTY
    LIST OBJECT
    CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
    LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
    LIST CONTENTS
Allow MYDOMAIN\USER2 SPECIAL ACCESS for msExchHideFromAddressLists
    WRITE PROPERTY
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for msExchHideFromAddressLists
    WRITE PROPERTY
Allow MYDOMAIN\USER1 SPECIAL ACCESS for msExchHideFromAddressLists
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
    WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
    WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS for gPOptions <Inherited from parent>
    WRITE PROPERTY
    READ PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS for gPLink <Inherited from parent>
    WRITE PROPERTY
    READ PROPERTY

Inherited to user
Allow NT AUTHORITY\SELF SPECIAL ACCESS for description <Inherited from parent>
    WRITE PROPERTY

Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT

Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT

Inherited to group
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT

Inherited to user
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT
Allow MYDOMAIN\USER1 Reset Password
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for pwdLastSet
    WRITE PROPERTY
Allow MYDOMAIN\Password Managers Reset Password
Allow MYDOMAIN\USER2 Reset Password

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/