We have the exact same problem. The configuration tasks directly into target OUs worked fine in DS6.8SP2 but with 6.9SP1 & 6.9SP2 we have had problems of various degree. Typically when specified target OU path the configuration job will fail altogether.
I did a bit of testing & confirmed that just a basic AD domain user with no special security groups but rights to create & delete computer objects in target OUs isn’t sufficient to manage even basic (no target OU specified) domain joining in one of our two domains. Perhaps it is depending where in the AD tree the computer account already is or if it is but requires more testing. Anyway up to this point for many years we have used certain domain accounts that have administrative rights on the target machines as well but these don’t work anymore.
As the last option I decided to change a domain admin level account to the domain accounts tab & finally things started to fly without an issue!
Perhaps this is about updated AD security or something but I’m positive 6.8SP2 can do it with less rights…