The easiest fix, from the outside looking in, would be to create a OU at the root called something like "Employees" and put all the other root OUs under that Employee OU, this makes things cleaner overall I would think, and solves your issue as you only need to run the permissions for the Employees OU.
Just a thought, not really a "fix"
|