Our Service Account wasdomain admin until the earth moved. Now we run as builtin administrators. What native granular permissions are required on object to deprovision, the losing OU and then winning OU as part of the deprovision process.
We see a failure at the last step of our process, relocate object to new OU fails. access denied.