Most access to objects is by MU and custom properties on the objects.
If a technician creates an object with incorrect properties, they have no rights to the object they created because it's out of their MU scope by design.
I have created a security delegation on the OU with a rule that permits access to objects that have not been used yet (no lastlogontimestamp). This works nicely. I would like to limit it further to the user who created the object.