Wow... You are sure that BESAdmin is not a member of any type of group that would have deny permissions? (Domain Admins maybe?)
Do you have any errors in your logs from BES getting rejected?
Can you maybe try selecting unidirectional sync for a test user and checking to see if you can get a one-way sync from the handheld to Outlook? Maybe you can get a different error in the logs or something that would help work this out.
Maybe do a high and low search for extra copies of cdo.dll on either of the servers that may be errantly registered as well.
Other than that, without seeing it, I am not sure I can be of any help.