I would like to delegate to a user the ability to clean up AD by allowing him to move users between a couple of OUs (and to do only that). How can I achieve that?
I want to extend the user permissions that I've already granted using this method: Grant permission in Active Directory to add users / modify / change passwords / add them to groups, but not delete them.
The common way would be to use the "Delegation of Control" wizard, which is part of the Active Directory Users & Computers console snap-in, to grant the permissions on the OUs in question.
You would have to choose the object types you want to be affected. In your case this obviously would be the "user" object type. But there is no permission for "moving"; you would have to grant object creation and deletion rights for the OUs in question instead. Doing so obviously would allow for user object deletions as well, but this is how it works: a move is a create/delete operation. See Microsoft Knowledge Base article KB818091 for a detailed reference.
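The same delegation the answer describes, done with the ActiveDirectory PowerShell module's `AD:` drive instead of the wizard, as an added example that is not part of the question or the answer above. It grants "Create Child" and "Delete Child" for the `user` class on each OU, which is exactly the create/delete pair a move needs (and, as the answer notes, also permits deletion). The group name and OU distinguished names are placeholders; the second ACE (write access to the `cn` and `name` attributes of user objects under the OUs) is an assumption added here because renaming during a move touches those attributes, so verify it against the KB article for your forest.

```powershell
# Added example (not from the original Q&A). Requires RSAT / the ActiveDirectory module
# and a session that can modify the OUs' security descriptors.
Import-Module ActiveDirectory

$Delegate = 'CONTOSO\AD-Cleanup-Operators'                     # placeholder group
$Ous      = @('OU=Staging,DC=contoso,DC=com',                   # placeholder OU DNs
              'OU=Leavers,DC=contoso,DC=com')

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [Guid]$obj.schemaIDGUID
}

$userClass = Get-SchemaGuid -LdapDisplayName 'user'
$cnAttr    = Get-SchemaGuid -LdapDisplayName 'cn'
$nameAttr  = Get-SchemaGuid -LdapDisplayName 'name'

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
           [System.Security.Principal.SecurityIdentifier])

foreach ($ou in $Ous) {
    $path = "AD:\$ou"
    $acl  = Get-Acl -Path $path

    # ACE 1: Create Child + Delete Child, restricted to the "user" class, on this OU only.
    # This is the create/delete pair the answer refers to; it also allows deleting users.
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $createDelete,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $userClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

    # ACE 2 (assumption, see lead-in): Write Property on cn and name for descendant user objects.
    foreach ($attr in @($cnAttr, $nameAttr)) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attr,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)))
    }

    Set-Acl -Path $path -AclObject $acl
}

# Review what was granted, so the extra deletion capability is visible and documented.
function Show-DelegatedAces {
    param([Parameter(Mandatory)][string]$Ou,
          [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    (Get-Acl -Path "AD:\$Ou").Access |
        Where-Object { $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]) -eq $Sid } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritanceType, InheritedObjectType
}

foreach ($ou in $Ous) { Show-DelegatedAces -Ou $ou -Sid $sid }
```

Granting the ACE on both OUs is what lets the delegate move in either direction; if moves should only go one way, grant Delete Child on the source OU and Create Child on the target OU separately. The review function at the end is worth keeping in a runbook, since the Delete Child right is the part an auditor will ask about.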