Hi,
I did a test in my lab in the way you mentioned above, and the effective access was also the same.
There is no problem creating a user.
One point: after the permission assignment, make sure the configuration has replicated to all other DCs. You can do that with the command: Repadmin /syncall /APeD
1. It seems not to be related to the deny permission on Everyone.
Just in case, please make sure that when you deny the delete permission, you clear all other properties (such as read and write permission) by pressing Clear all.
2. If possible, please try the following way to see if it works for your situation.
Remove the users from the permission assignment and assign the permission another way.
Right-click the OU and select the delegation control, then add the name of the user you want to delegate control to.
3. If it is still not working, I would suggest you:
a. Check that the adminCount attribute is <not set> or 0.
If the value of adminCount is set to 1, that means the user is, or has been, a member of a protected group. The value can be seen in ADUC, ADSIEdit or LDP. Below is the attribute viewed via ADUC.
b. Check whether the user has other group membership and any deny permission was assigned to it.
Best Regards,
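
The checks in steps 3a and 3b can also be scripted. The following is an added example, not part of the original reply: it assumes the ActiveDirectory RSAT module is installed, and the account name and OU distinguished name are placeholders to replace with your own.

```powershell
Import-Module ActiveDirectory

$SamAccountName = 'delegated.user'               # placeholder account name
$OuDn           = 'OU=Staff,DC=example,DC=com'   # placeholder OU distinguished name

# 3a: adminCount of 1 means the account is, or has been, in a protected group.
$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, tokenGroups
if ($user.adminCount -eq 1) {
    Write-Warning "$SamAccountName has adminCount = 1"
} else {
    Write-Output "$SamAccountName adminCount is <not set> or 0"
}

# 3b: collect every SID the account carries: its own SID, its transitive
# security groups (tokenGroups), plus Everyone and Authenticated Users,
# which tokenGroups does not list.
$sids  = @($user.SID.Value)
$sids += @($user.tokenGroups | ForEach-Object { $_.Value })
$sids += @('S-1-1-0', 'S-1-5-11')

# Read the OU's ACL with trustees returned as SIDs, explicit and inherited,
# and keep only Deny ACEs whose trustee is one of the SIDs above.
$acl   = Get-Acl -Path "AD:\$OuDn"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$deny  = $rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $sids -contains $_.IdentityReference.Value
}

if ($deny) {
    # ObjectType / InheritedObjectType are schema GUIDs (all zeros = applies to all).
    $deny | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                          InheritedObjectType, IsInherited |
            Format-Table -AutoSize
} else {
    Write-Output "No Deny ACE on $OuDn applies to $SamAccountName or its groups"
}
```

Run it against each DC with -Server on Get-ADUser if you suspect the ACL change has not replicated yet.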