RyanBoyer.net

Here's a list of queries you can run to determine who has access to what.  (Note that these work on SQL 2008.)

First find out who has membership in the server-wide roles (in the context of the example below, the dbo_owner role):

exec sp_helprolemember 'db_owner';

Next determine what membership may be carried over by membership in a Windows domain group:

exec sp_helpuser 'DOMAIN\username' --for example the Tallarico user in ryanboyer.net: exec sp_helpuser 'ryanboyer\tallarico'

Finally the last query will reveal what tokens are carried over by a specific user credential - regardless of whether that user has explicit permissions mapped in the database:

select * from sys.user_token

This last should reveal any lingering permissions from rights not explicitly defined in the database (e.g. rights granted to DOMAIN\Domain Users).

A gentle reminder: server-level permissions will allow login to the server, but any permissions at the database level, even when orphaned, may allow/deny additional access, so be sure to clean up those orphaned database-level logins!