Paul,
You are right, but I have a better and safer solution for you:
Make sure your default Desktop Policy has these checked off: "Show Delete Button" and "Show Delete in Menu"
Remove users cannot delete
Now users can delete but they have no means to delete :)
Create a new Desktop Policy, where "Show Delete" is checked
Create a new Provisioning Group which points to your new Desktop Policy
Add that user to the Provisioning Group
Run Provisioning Task
Run Synchronization.
If you are using pre-v8, replace Desktop Policy with Mailbox Policy.