When you add a domain to the "Supported Domains List" in the console, what happens is this:
- the configuration server creates a user account in the domain for it to use later,
- this account is given the "Add Machine Accounts to Domain" right, and
- this account is given permission to read and write objects in the Computers container of the domain.

However, it isn't given any additional permissions at all; if you want the console to be able to put machines into other OUs, you have to give the account the console uses read and write permission on the OU.
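
One way to do that, as an added example that is not from the product's own documentation: copy the ACEs the account already holds on the Computers container onto the target OU, so the OU gets the same access and nothing broader. It assumes the ActiveDirectory PowerShell module, a session in the same domain with rights to change the OU's ACL, and the placeholder names `EXAMPLE\console-svc` and `OU=Workstations,DC=example,DC=com`.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

# Placeholders (assumptions): use the account the configuration server created and your own OU.
$Account  = 'EXAMPLE\console-svc'
$TargetOU = 'OU=Workstations,DC=example,DC=com'

function Get-AccountAce {
    # Return every ACE on the given object that names the given account.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# 1. Reference: what the account was granted on the domain's Computers container.
$computers = (Get-ADDomain).ComputersContainer
$reference = @(Get-AccountAce -DistinguishedName $computers -Identity $Account |
               Where-Object { -not $_.IsInherited })
if ($reference.Count -eq 0) {
    throw "No explicit ACEs for $Account on $computers; check the account name."
}
$reference | Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# 2. Baseline: what the account holds on the target OU before the change.
$before = @(Get-AccountAce -DistinguishedName $TargetOU -Identity $Account)
'{0} ACE(s) for {1} on {2} before the change' -f $before.Count, $Account, $TargetOU

# 3. Add the same ACEs to the target OU only; no other OU is touched.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $reference) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Verify: the OU should now list the same rights as the Computers container.
Get-AccountAce -DistinguishedName $TargetOU -Identity $Account |
    Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited -AutoSize
```

Running steps 1 and 2 on their own is a quick audit of what the console's account can reach before anything is changed.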