On the downside, these tools never cover all object types (registry keys, memory areas, metadata), rarely understand the impact of group nesting, don't take into account the user's overall access to a computer (local vs. remote), and never cover all operating systems and platforms. But if you don't have a tool that can at least do the basics, you probably need to get one. Otherwise, you won't have a clue as to what is going on.
Allow me to make two other recommendations. First, use groups as much as possible to set permissions. This has long been a best practice for security pros. We want to reduce individual access-control designations as much as possible. If you can confirm that all access is accorded only by group membership, then getting the whole access-control picture is easier.
Second, take advantage of tools that let you set and document access control from a centralized console. Within those tools you can often easily determine who has access to what -- when the access control has been set by the tool, that is. Many directory services, applications, and role-based access-control systems have this capability. My only caveat is that they often don't understand group nesting well or apply to all objects in the enterprise. But some centralized control is better than no centralized control.
I welcome reader or vendor recommendations on access-control query tools. But the sad fact is, we cannot reliably answer the supposedly easy question: Who has access to what?
Sign up for CIO Asia eNewsletters.