To obtain accurate results, the query must match the user and the groups they belong to against the object's allowed users and group memberships -- and understand how nested groups impact the answer. It's not unusual for a single user to belong to dozens or even hundreds of groups, and no small percentage of those groups are typically members of other groups. I've seen a user account that apparently belonged to 10 groups, but after taking nesting into account, the user actually belonged to more than 100 groups.
When an access-control query comparison is made, the querying tool must first build a master list of all the groups the person belongs to, including nested groups. This is no small task, since most companies I deal with have more groups than users. The real world is far messier.
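The membership expansion described above, as an added example that is not part of the original column: a small Python model with constructed directory data (the principals and groups are made up), which walks nested memberships to build the master group list, tolerates a group cycle, and then evaluates an ACL against the user plus every effective group. It assumes Windows-style semantics in which an explicit deny entry overrides an allow entry.

```python
from collections import deque

# Constructed sample: each principal maps to the groups it is a DIRECT member
# of. "dev" and "eng" are members of each other, a loop the traversal must
# survive; real directories contain such accidents.
DIRECT_MEMBERSHIP = {
    "alice": {"helpdesk"},
    "helpdesk": {"it-staff"},
    "it-staff": {"server-operators", "vpn-users"},
    "server-operators": {"backup-operators"},
    "bob": {"dev"},
    "dev": {"eng"},
    "eng": {"dev", "vpn-users"},
}


def effective_groups(principal, membership):
    """Every group the principal belongs to, directly or through nesting.

    Breadth-first walk over the membership graph; the visited set is what
    keeps a cyclic nesting (dev <-> eng) from looping forever.
    """
    seen = set()
    queue = deque(membership.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(membership.get(group, ()))
    return seen


def allowed_by_acl(principal, acl, membership):
    """Match the ACL against the user AND all effective groups.

    Assumed semantics: an explicit deny on any identity wins over any allow.
    """
    identities = {principal} | effective_groups(principal, membership)
    if identities & acl.get("deny", set()):
        return False
    return bool(identities & acl.get("allow", set()))


# Constructed ACL on a backup share. "alice" appears nowhere on it, yet she
# reaches it via helpdesk -> it-staff -> server-operators -> backup-operators;
# a tool that only reads the account's own group list would miss this.
BACKUP_SHARE_ACL = {"allow": {"backup-operators"}, "deny": {"dev"}}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(effective_groups(user, DIRECT_MEMBERSHIP)),
              allowed_by_acl(user, BACKUP_SHARE_ACL, DIRECT_MEMBERSHIP))
```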
You also need to appreciate application-level permissions. Most network applications have their own layers of access control inside the application. While a user may not be a network or domain administrator, he or she may have privileged access inside a particular application. This access is just as important as operating system permissions.
In a large organization, it is not unusual for a common network application to have dozens or even a hundred or more admins. If a computer is completely compromised, the hacker can access anything available to the affected user, including application data.
That hypothetical hacker may not be able to take over the domain or dump any other user's passwords, but can download and change any data in the application database. Ultimately, most of today's hackers are after exactly that: application data. They compromise OS accounts and permissions as a way to get to the data.
Note that I haven't included the problems of multiple operating systems, mobile platforms, data copied to nonmanaged systems, access to offline data (such as tape backups), and many more complications. To get a completely accurate account of what access a particular person has to all the resources in a company takes a really granular and comprehensive survey by a really smart tool. And that tool does not exist.
I have no doubt vendors will claim their tool can determine who has what access to every object in the environment. I'll be glad to be schooled about a new, great tool. But I've been teaching computer security for more than two decades, including a decade-plus spent working with computer security auditors, and I can tell you that no tool comes close to doing a decent job.
Some tools can search many of the computers in your environment and tell you which users and groups can access particular objects. Getting just that information is more than most people have. Most of these tools work by running a query on each computer and compiling all the findings in a large database. You can then query that database to find out who has what access to which files and folders. The query is run on a regular basis to update the database.